ALERT: New Keylogger

#0 - Sept. 7, 2006, 5:02 p.m.
Blizzard Post
Hi. I highly recommend that everybody, including all the GMs, read this, as I am announcing a new keylogger. If it was already announced, I am sorry, but I feel this is super important for everybody.

First let me tell you my little story. I played all day on the account I'm logged on with. Then I decided to go play on my main to sell some stuff at the AH before I went raiding with my guild.... To my surprise, my password was not working anymore. I tried 4-5 times, nada... So I went to recover my password on WoW's website, and then when I logged in, I found my level 60 Druid totally naked, left with almost nothing. Thank God my bank was full though...

So I immediately opened a ticket, and while I was waiting, I told everyone in my guild what had just happened to me.. They asked me if I had ever shared my account or if anybody other than me knew my account information... The answer is NO, nobody knew my account information, and it was absolutely impossible to guess since it is a mix of numbers and letters with personal stuff... They told me I had probably caught a virus, but I was sure I hadn't, so I said no...... Well, boy was I wrong.....

While I was speaking with a GM, I ran a virus scan with Kaspersky Anti-Virus. To my surprise, I was infected with 5 viruses. I did some research on every virus Kaspersky had found on my computer, and here is what I found:

The virus is named: PWS.Win32.WoW.hm (the last 2 letters of the name are randomly generated)

On my computer, it created 2 system files named svch0st.exe (NOT the usual Windows svchost. Notice the "0" (zero) in the name) and g0ld.com, which were both hidden in the running processes. Both of these files created entries in my registry and were launched each time my computer boots.

So I went on Google and did some research....

Definition of the virus

PWS.Win32.WoW.x: The PWS.Win32.WOW.x Trojan horse program seeks user names and passwords for the online game "World of Warcraft." This info was taken from the PestPatrol website.

I finally know how my account was hacked.... But more interesting, I found someone on the worldofwar.net forums who had the same virus as me, and look at what he found on his side!!!!

He posted the following message on the worldofwar.net forums:

"Got the svch0st.exe keylogger myself.

44 hunter here too

'phone home' address of keylogger;
[Edited]

China, as @#$%@#$%ing usual.

possible Windows registry locations (found from disassembly of svch0st.exe);
CODE:00403434 0000001C C SOFTWARE\\Borland\\Delphi\\RTL
CODE:004053B8 00000019 C Software\\Borland\\Locales
CODE:004053D4 00000020 C Software\\Borland\\Delphi\\Locales
CODE:00413EA0 0000002E C SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
CODE:004141BC 00000032 C SOFTWARE\\Blizzard Entertainment\\World of Warcraft

has a few strange string entries in the exe itself;
DATA:00415049 00000016 C -¦+++-+-+¦+++-_¦¦¯aßp
DATA:0041505F 00000005 C Ssì@
DATA:00415064 00000006 C Error
DATA:0041506C 0000001E C Runtime error at 00000000
DATA:0041508D 0000000F C 123456789ABCDEF
CODE:004135C0 00000029 C [Edited]
CODE:004141A8 0000000B C binghe_WOW

Have NOT been able to determine where I picked it up.

First symptom I noticed was some graphical "warping" in-game.
(Thought my graphics card was having issues, at first).
Acted like video in-game was lagging for a split second, about once every 0.75 seconds.

main executable lives at \windows\system32\svch0st.exe
makes registry entries;
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
(as mentioned above)

I would like to find out where its data-logging file is.
previous versions of svch0st.exe trojan made a file called info.txt.
This version doesn't use that same name."

Interesting!!! Now I know where my sudden graphical lag was coming from!!!

Even more interesting, I read that this virus was found in some screenshots of The Burning Crusade on sites other than worldofwarcraft.com.

So please, fellas, be careful and do a system scan right now.

Also, could a blue forward this to the account investigator looking at my other account, who doesn't know about what I found? I now know what stole my password, after the scan results, and I think this would speed up the process. I won't name the account name, but the character affected is Riverbane on the Arthas/Horde realm.

Thank you!
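A defender-side check for the persistence mechanism the post describes, as an added example that is not from the thread: it folds digit-for-letter substitutions in the file names referenced by the Run key (the zero in svch0st.exe) and flags lookalikes of known Windows binaries, or any such name sitting inside system32. The list of legitimate names, the substitution table and the sample Run entries are constructed assumptions; on Windows it reads the live HKLM/HKCU Run keys instead of the sample.

```python
import re, sys
from pathlib import PureWindowsPath

# Windows binaries that lookalike droppers imitate (the post's svch0st.exe swaps a zero for "o").
LEGIT_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
FOLD = str.maketrans({"0": "o", "1": "l"})  # digit-for-letter swaps folded before comparing

# Constructed sample autorun entries (value name, command line); not taken from a real host.
SAMPLE_RUN_ENTRIES = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("rundll32", r"C:\WINDOWS\system32\rundll32.exe foo.dll,Start"),
    ("svch0st", r"C:\WINDOWS\system32\svch0st.exe"),
    ("g0ld", r"C:\WINDOWS\system32\g0ld.com"),
    ("KAV", r'"C:\Program Files\Kaspersky Lab\avp.exe" -r'),
]

def executable_path(command):
    # First token of the command line, quoted or bare, as a Windows path.
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return PureWindowsPath(m.group(1) or m.group(2)) if m else PureWindowsPath(command)

def suspicion(path):
    name = path.name.lower()
    folded = name.translate(FOLD)
    if folded == name:
        return None  # no digit-for-letter swaps present (rundll32 stays clean)
    if folded in LEGIT_NAMES:
        return f"{name} imitates {folded}"
    if path.parent.name.lower() == "system32":
        return f"{name}: digit-for-letter name inside system32"
    return None

def flag_run_entries(entries):
    # Returns (value name, command, reason) for each suspicious autorun entry.
    return [(n, c, w) for n, c in entries if (w := suspicion(executable_path(c)))]

def read_run_entries():
    # Live HKLM/HKCU Run values on Windows; the constructed sample on other platforms.
    if sys.platform != "win32":
        return SAMPLE_RUN_ENTRIES
    import winreg
    entries = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, i)
                    entries.append((name, str(value)))
        except OSError:
            pass
    return entries
```

Running `flag_run_entries(read_run_entries())` on the sample reports only the svch0st and g0ld entries; a legitimate digit-bearing name like rundll32.exe is left alone because no substitution is involved.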
#14 - Sept. 7, 2006, 8:52 p.m.
Blizzard Post
Please keep this thread on topic and without personal debate.
#44 - July 26, 2009, 5:17 a.m.
Blizzard Post
Please don't bump 3 year old threads. =)

Thanks!