World of Warcraft players will want to take care before signing on to Blizzard’s massively multiplayer game, as a new Battle.net forum post from January 2 warns of a “dangerous Trojan” that threatens to steal “both your account information and the [Battle.net Authenticator] password at the time you enter them” (for Windows users only). It doesn’t matter which Authenticator you use; if the Trojan somehow wormed its way into your system, then you are at risk. The issue appears to be restricted to WoW, though we’ve reached out to Blizzard for clarification on that point.
Here’s how to check whether you have the Trojan: create an MSInfo file (instructions here), then check the Startup Programs section of that file for references to “Disker” or “Disker64”. Take note, however: MSInfo won’t detect the Trojan unless it’s already active. If you are concerned that your account has been compromised, then you’ll probably want to try looking for the offending Disker. Otherwise, you might just want to hold off on playing WoW for a bit until there’s a more concrete fix in place.
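The check described above can be scripted against a saved report. This is an added example, not code from Blizzard or from the forum thread; it assumes the MSInfo report was saved as a text export with bracketed section headers and tab-separated rows, and the function names and sample report are constructed for illustration.

```python
import re

# Names the article says to look for in the Startup Programs section.
INDICATOR = re.compile(r"\bdisker(64)?\b", re.IGNORECASE)
SECTION = re.compile(r"^\[(.+)\]\s*$")

def decode_report(raw: bytes) -> str:
    """Text exports are commonly UTF-16 with a BOM; otherwise try UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def startup_rows(text: str):
    """Yield the tab-separated rows listed under [Startup Programs] only."""
    in_section = False
    for line in text.splitlines():
        header = SECTION.match(line.strip())
        if header:
            in_section = header.group(1).strip().lower() == "startup programs"
            continue
        if in_section and line.strip():
            yield [cell.strip() for cell in line.split("\t")]

def find_disker(raw: bytes):
    """Return startup rows where any column mentions Disker or Disker64."""
    return [row for row in startup_rows(decode_report(raw))
            if any(INDICATOR.search(cell) for cell in row)]

# Constructed sample report (not real output); every entry and path is made up.
SAMPLE = (
    "[System Summary]\r\n\r\nItem\tValue\r\nOS Name\tMicrosoft Windows 7\r\n\r\n"
    "[Startup Programs]\r\n\r\nProgram\tCommand\tUser Name\tLocation\r\n"
    "ExampleUpdater\tc:\\example\\updater.exe\tPublic\tStartup\r\n"
    "Disker64\tc:\\example\\disker64.exe\tExampleUser\tStartup\r\n"
    "\r\n[Services]\r\n\r\nDisplay Name\tName\r\nDisker Helper\texample\r\n"
).encode("utf-16")

if __name__ == "__main__":
    hits = find_disker(SAMPLE)
    for row in hits:
        print("Suspicious startup entry:", " | ".join(row))
    if not hits:
        # Per the article, MSInfo only lists the Trojan while it is active.
        print("No Disker entry listed; this alone does not prove a clean system.")
```

An empty result is not a clean bill of health, since the article notes MSInfo only shows the entry while the Trojan is active.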
At the time of the initial posting, there was no known way to remove the Disker malware. That’s changed a bit in the hours since that first discovery. On page two of the forum post, Blizzard support tech “Kodiack” notes that Dr.Web CureIt was able to find and eliminate the malware. Look deeper into the eight-page (and counting) thread, and you’ll find that other options seem to be working as well.
Just be sure to only follow instructions from Blizzard support specialists. There’s some bad info in that forum thread, including one poster who suggests deleting certain Win32 files may help (IT WON’T); the community is quickly shutting down such suggestions, but better to be on the safe side and just heed the advice of Blizzard’s in-house support staff.
We’ll update this post accordingly if/when we hear back from Blizzard with clarification on which Battle.net games are affected. Again, for now the Trojan appears to only put Windows-using WoW players at risk.