Blizzard: World of Warcraft account-stealing Trojan Warning!

Bullet Jan 3, 2014

  1. Bullet Guest

    Blizzard has issued a warning that its Battle.net two-step authenticator protection is useless against a malware program that can hijack player accounts even if they're using an authenticator.
    The Trojan gets past the two-step protection by stealing both the account information and the authenticator password at the time the player enters them, a Blizzard representative said. Ordinarily, players would obtain a one-time-use authenticator password from a keychain dongle that spits out a new six-digit code on an LCD display when users push a button. Blizzard also offers a mobile authenticator app that serves the same purpose.
    Blizzard said users can see if their PCs are infected with the malware by creating an MSInfo file and then looking in the Startup Program section of that file for either "Disker" or "Disker64." As yet, Blizzard has been unable to confirm an anti-virus solution that will remove the program short of reformatting the system. While the company isn't certain how the malware found its way onto users' PCs yet, one common thread is that users reporting problems had recently downloaded addons for World of Warcraft.
     
    Last edited: Jan 3, 2014
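
The startup-entry check described in the post above, automated for an exported MSInfo text report. This is an added example, not part of the original thread or Blizzard's tooling; the report layout (a bracketed `[Startup Programs]` header followed by tab-separated rows) and the sample data are assumptions constructed for illustration.

```python
import re

# Names the notice says to look for in the Startup Programs section.
INDICATORS = re.compile(r"\bdisker(64)?\b", re.IGNORECASE)

def decode_report(raw: bytes) -> str:
    """Text exports are typically UTF-16 with a BOM; otherwise assume UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def startup_rows(report: str):
    """Yield tab-separated rows found under the [Startup Programs] header only."""
    in_section = False
    for line in report.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            # Any bracketed header starts a new section and ends the previous one.
            in_section = stripped.lower() == "[startup programs]"
            continue
        if in_section and stripped:
            yield [col.strip() for col in line.split("\t")]

def find_disker(raw: bytes):
    """Return startup rows whose program name or command mentions Disker/Disker64."""
    hits = []
    for row in startup_rows(decode_report(raw)):
        if row[0].lower() == "program":  # skip the column header row
            continue
        if any(INDICATORS.search(col) for col in row[:2]):
            hits.append(row)
    return hits

# Constructed sample report (not a real capture); paths are placeholders.
RUN_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLE = (
    "[System Summary]\n\nItem\tValue\nNote\tdisker mentioned outside startup\n\n"
    "[Startup Programs]\n\nProgram\tCommand\tUser Name\tLocation\n"
    f"Steam\tc:\\games\\steam.exe -silent\tPC\\alice\t{RUN_KEY}\n"
    f"Disker64\tc:\\constructed\\disker64.exe\tPC\\alice\t{RUN_KEY}\n"
    f"DiskEraser\tc:\\tools\\diskeraser.exe\tPC\\alice\t{RUN_KEY}\n\n"
    "[Loaded Modules]\n\nName\tPath\ndisker\tc:\\constructed\\other.dll\n"
)

if __name__ == "__main__":
    for row in find_disker(SAMPLE.encode("utf-16")):
        print("Suspicious startup entry:", row)
```

A hit only means a startup entry carries one of the two names from the notice; an empty result does not show the machine is clean.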
  2. Aaron 0x539

    http://us.battle.net/wow/en/forum/topic/11041384892?page=10#189
    That's a fix for it.
     
  3. Bullet Guest


    > - The trojan is built into a fake (but working) version of the Curse Client that is downloaded from a fake version of the Curse Website. This site was popping up in searches for "curse client" on major search engines, which is how people were lured into going there.
    >
    > - At this point, it seems the easiest method to remove the trojan is to delete the fake Curse Client and run scans from an updated Malwarebytes. Should you still have issues, there is a more manual method that Ressie posted earlier in the thread.
    >
    > - Thanks to Ressie's efforts, most security programs should be able to identify this threat shortly, if not by the time I type this.
    >
    > - If you were compromised, follow the instructions here and we'll do our best to set everything right (as we always do).
    >
    > - For those of you interested in these MitM style attacks, this is the only confirmed case we've seen in several years outside of the "Configuring/HIMYM" trojan in early 2012 that hit a handful of accounts. These sorts of outbreaks are annoying, but an Authenticator still protects your account 99% of the time. Stay safe!
     
