顯示廣告
隱藏 ✕
※ 本文為 versitility.bbs. 轉寄自 ptt.cc 更新時間: 2014-01-06 04:33:10
看板 WOW
作者 deathson (小米)
標題 [情報] BZ官方警告有新的木馬程式
時間 Fri Jan  3 12:08:42 2014


原始連結: http://us.battle.net/wow/en/forum/topic/11041384892

這次比較棘手的是這連用了驗證器的帳號也會中招
這個木馬似乎會及時攔截帳號資訊及驗證碼並且回傳

推文裡面有提到如何找到木馬.

BZ官方現在還不知道哪些防毒程式有能力處理這東西.

如果有中的話, 請將下列資訊傳給BZ
MSInfo
所使用的Addon(UI)
最近所安裝的程式以及其取得來源
任何防護程式跑出來的結果

-=-=

Hello,

We've been receiving reports regarding a dangerous Trojan that is being used
to compromise player's accounts even if they are using an authenticator for
protection. The Trojan acts in real time to do this by stealing both your
account information and the authenticator password at the time you enter them.

If your account has been compromised recently, I'd recommend looking for the
Trojan. It can be identified by creating an MSInfo file and then looking in
the Startup Program section of that file for either "Disker" or "Disker64".
It will usually appear like this:

Disker rundll32.exe c:\users\name\appdata\local\temp\w_win.dll,dw
Name-PC\Name Startup
Disker64 rundll32.exe c:\users\name\appdata\local\temp\w_64.dll,dw
Name-PC\Name Startup

We are currently looking for more information on the Trojan. We have not been
able to locate any anti-virus programs that will remove it besides just
reformatting your system. If you have been recently compromised and find it
on your system please reply with the following pieces of information.

Your MSInfo.
A list of any addons you recently installed along with where you got them.
A list of any programs you recently installed along with where you got them.
Any security programs you have run and their results.

-=-=

追加資訊

While this is not conclusive, every occurence I've examined has been a new or
recently reformatted system that was hit shortly after downloading addons.
There have been no other hardware or software commonalities that can be seen
in an MSInfo. Due to these observations, something related to addons or the
aquiring of addons leads our suspect list. Again though, not conclusive.

Also, I just received a report that an updated Malwarebytes might have
removed the infection, but this is unconfirmed. We're trying to get removal
logs from the player to examine.

--
再追加資訊

哪些防毒可以掃到
http://us.battle.net/wow/en/forum/topic/11041384892?page=6

You can see all the antiviruses which detect it already here:

https://www.virustotal.com/en/file/85...dd79c0344/analysis/1388723212/
Antivirus scan for 429937eab224a811d06463d46d62a56b at 2014-01-03 04:26:52 UTC - VirusTotal VirusTotal's antivirus scan report for the file with MD5 429937eab224a811d06463d46d62a56b at
2014-01-03 04:26:52 UTC.
15 out of 48 antivirus
detected the file as malicious.
Some of the detections were: Trojan.PWS.Wow.NHV, RDN/PWS-OnlineGame.ck!c, WS.Reputation.1, TROJ_GEN.R0CBH06LS13, Trojan.PWS.Wow ...
 

This includes Ad-aware, BitDefender, F-Secure, Ikarus, Mcafee, Panda,
Symantec/Norton, TrendMicro-HouseCall & VIPRE.

These don't pick it up yet, but I've submitted the trojan to them:
AVG, Avast, ClamAV, Comodo, DrWeb, ESET/NOD32, F-Pro, Kaspersky,
Malwarebytes, MSE, Norman, SuperAntiSpyware, Sophos, TrendMicro, nProtect.
--
這次的資訊比較嚴肅所以不塞簽名檔了...
--
--
※ 發信站: 批踢踢實業坊(ptt.cc)
◆ From: 71.131.178.96
deathson:轉錄至看板 C_Chat                                      01/03 12:11
※ 編輯: deathson        來自: 71.131.178.96        (01/03 12:34)
Fron:萌米1F 01/03 12:37
raistlin1424:我以經被盜到afk了....2F 01/03 12:46
smsd:他不是叫你去找這兩個檔案3F 01/03 13:09
smsd:應該是說你要先創造一個MSInfo文字檔
smsd:建立方式是去開始功能表那邊搜尋一個MSinfo32的程式
smsd:打開以後去檔案->匯出然後存在隨便一個地方
smsd:這樣會創造一個文字檔, 把它打開以後
smsd:在裡面有個[啟動程式]那個欄位裡面找看看有沒有上面那兩排
smsd:有的話就是中了木馬
已修正 多謝
※ 編輯: deathson        來自: 71.131.178.96        (01/03 13:20)
zooxalju:Avira完全被無視了????10F 01/03 13:37
maple0935:那兩排是disker那兩排嗎?11F 01/03 13:38
eDrifter:推一個; 還好沒中12F 01/03 13:47
lcilear:開始那邊搜尋不到MSinfo32怎麼辦?  求解!!13F 01/03 14:07
asalfex:開始->執行14F 01/03 14:10
aabbabcd:其實不用另外匯出檔案來看.直接執行MSINFO32這個程式15F 01/03 14:37
aabbabcd:然後再裡面搜尋列出來的那兩個執行檔就OK了
quadra:mac玩家無感17F 01/03 15:23
KELTHUZAD:請問MAC玩家怎麼用RC?18F 01/03 15:55
dogee:開個模擬的WINDOWS  有XP跟WIN7的樣子...19F 01/03 16:28
berryc:以後輸入驗證碼要等他快跑完最後1秒KEY進去才是最安全= =20F 01/03 22:34
omolando:就算消失 驗算上似乎有些延遲 即使換了下一組 上一組幾21F 01/03 23:00
wildbloodcat:我的是 comodo 阿阿阿阿22F 01/03 23:01
omolando:秒內輸入正確的話 也可以通過認證 (自身實驗過)23F 01/03 23:01
Galm:只有這時候會覺得有通訊鎖真好24F 01/03 23:28

--
※ 看板: virsey 文章推薦值: 0 目前人氣: 0 累積人氣: 461 
作者 deathson 的最新發文:
點此顯示更多發文記錄
分享網址: 複製 已複製
guest
x)推文 r)回覆 e)編輯 d)刪除 M)收藏 ^x)轉錄 同主題: =)首篇 [)上篇 ])下篇