Incgamers' UICentral Trojan Infected again

#0 - Jan. 11, 2008, 9:36 p.m.
Blizzard Post
It seems that unfortunately, incgamers' UICentral has been compromised again. Shirik downloaded a fresh copy of it from their site today and decompiled it. In the process, he was able to determine that:

Quote:
(4:07:58 PM) Shirik: So here's the deal. UI Central is packaged with a program "patcher.exe" which has code in it to go download an "update.exe" from a non-incgamers site
(4:08:05 PM) Shirik: update.exe is then immediately run
(4:08:51 PM) Shirik: update.exe proceeds to install itself as wzcsvbc.dll
(4:10:01 PM) Shirik: It installs that from a remote site if possible, and if that fails it will instead use its own copy
(4:10:26 PM) Shirik: It then registers itself with lsass.exe so that it can be resident at every startup while remaining hidden
(4:10:43 PM) Shirik: After all that's complete, update.exe attempts to delete itself and shut down

Now luckily for everyone (in one sense) it is the same one that showed up previously. Therefore, we already know how to get rid of it. From the previous thread about it, here is what you need to do if you believe you may be infected:


What you need to do

If you downloaded UICentral and think you may have been infected, here is what you need to do:

ScytheBlade1 has written a batch file to remove all 3 versions of the keylogger.

Download: RemoveKeylogger.zip http://www.wowinterface.com/forums/attachment.php?attachmentid=1572&stc=1
(Contains one .bat file and one .reg file)

Download and extract the files to your hard drive (for example, C:\). For simplicity's sake, I wouldn't recommend extracting it to your desktop.

Once you've got it downloaded and extracted, reboot into safe mode and then run RemoveKeylogger (the file that looks like a gear). Reboot once more into "normal" mode and the keylogger should be removed. Please follow the steps in the original post to ensure that it is actually gone before you trust your computer.

Once you're clean, go ahead and delete the files (RemoveKeylogger and WZCSVBC).

OR, if you feel more secure doing it manually ....

1) Boot into safe mode

2) Delete the bad files (wzcsvbc.dll, mouse.dll, printfpool.exe)

Start --> run --> cmd.exe

Copy and paste the following lines into the box, one by one:

attrib -H -S %systemroot%\system32\wzcsvbc.dll

attrib -H -S %systemroot%\system32\mouse.dll

attrib -H -S %systemroot%\system32\printfpool.exe

del %systemroot%\system32\wzcsvbc.dll

del %systemroot%\system32\mouse.dll

del %systemroot%\system32\printfpool.exe

sc delete printfpool

exit

3) Fix the registry

Start --> run --> regedit

Navigate to My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC\Parameters

Double-click on "ServiceDLL" and change that value to "%SystemRoot%\System32\wzcsvc.dll" (remove the "b")

4) Reboot

5) Start WoW, and then close it. Do NOT log in.

6) Verify that the bad files don't exist (search your computer for "wzcsvbc.dll" - be sure to search in hidden and system folders)

7) Run a complete anti-virus scan. AntiVir (http://freeav.com) has been known to successfully detect these files.

8) Login to the WoW account management (http://www.worldofwarcraft.com/account/) and change your password.

* NOTE: VERY FEW ANTIVIRUS PROGRAMS CURRENTLY PICK THIS TROJAN UP. BE SAFE, SCAN YOUR SYSTEM, BUT VERIFY BY HAND THAT THE BAD FILES NO LONGER EXIST.


Rushster has been contacted at incgamers and I've no doubt he is taking the appropriate steps.

/edit Update, additional information:
Quote:
If you downloaded this file as of...

Last-Modified: Wed, 09 Jan 2008 19:42:51 GMT

You might want to consider checking your system.

That said, if you touched this at all, you should check it anyways.

Doing some very rough math, this means that roughly 290 people downloaded an infected copy (and counting!). Not good.

Quote:
BTW, our awareness of the problem came from this thread on our site ( http://www.wowinterface.com/forums/showthread.php?t=14467&page=2&pp=10 ), which led to this thread on incgamers' site ( http://wow.incgamers.com/forums/showthread.php?t=408823 ), which led to us downloading a fresh copy of UICentral today and decompiling it.
#56 - Jan. 15, 2008, 8:46 p.m.
Blizzard Post
Although we have not investigated this, I'm bumping it so people can confirm they're safe.

As always, you should never download any AddOn package that contains an executable unless you completely trust the source.