Virus Infected Fraps = Hacked WoW Accounts

#0 - April 30, 2008, 9:04 p.m.
Blizzard Post
Hello C.S. forums and Blizzard people.

I wanted to give you guys a heads up regarding a discovery that a recent version of Fraps was infected with the SpyLock software, which led to the Trojan called Trojan.Crypt.FKM.Gen being installed in a Microsoft application, which in turn was used to key log several accounts, some of which belong to a few friends of mine. This resulted in the standard bad and evil things hackers do to accounts. I believe you are helping them restore their gear and gold now, and I'm sure you all will give them the help they need, etc...

However, I know that you occasionally investigate such things. As such, I wanted to be sure to give you guys the heads up:

The article I wrote for WoW Insider is here: http://www.wowinsider.com/2008/04/30/virsus-infected-fraps-steals-account-information/

A complete virus scan follows. Perhaps this can be of use.

Best of luck in fighting the hackers,

Adam.


Avira AntiVir Personal

Report file date: Wednesday, April 30, 2008 12:22



Scanning for 1244024 virus strains and unwanted programs.



Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: TARDIS



Version information:

BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00

[SNIP]



Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!



Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!



Starting to scan the registry.

The registry was scanned ( '34' files ).





Starting the file scan:



Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\Fraps\fraps.exe

[DETECTION] Contains detection pattern of the Phish-File/Email PHISH/FraudTool.SpyLocked.J

[NOTE] The file was deleted!

C:\Program Files\NetMeeting\mstinit.exe

[DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen

[WARNING] The file could not be deleted!

C:\System Volume Information\_restore{BDE22EC4-7ABA-4C59-83FE-DBF075850A07}\RP423\A0031148.exe

[DETECTION] Contains detection pattern of the Phish-File/Email PHISH/FraudTool.SpyLocked.J

[NOTE] The file was deleted!





End of the scan: Wednesday, April 30, 2008 13:16

Used time: 53:35 min



The scan has been done completely.

#1 - April 30, 2008, 9:17 p.m.
Blizzard Post
Quote:
Hello C.S. forums and Blizzard people.

I wanted to give you guys a heads up regarding a discovery that a recent version of Fraps was infected with the SpyLock software, which led to the Trojan called Trojan.Crypt.FKM.Gen being installed in a Microsoft application, which in turn was used to key log several accounts, some of which belong to a few friends of mine. This resulted in the standard bad and evil things hackers do to accounts. I believe you are helping them restore their gear and gold now, and I'm sure you all will give them the help they need, etc...

However, I know that you occasionally investigate such things. As such, I wanted to be sure to give you guys the heads up:

The article I wrote for WoW Insider is here: http://www.wowinsider.com/2008/04/30/virsus-infected-fraps-steals-account-information/

A complete virus scan follows. Perhaps this can be of use.


Yow! Thanks for the heads up, Osullavan!

While the information is valuable, it would be awesome if you could supply it in the UI & Macros forum, and shoot a quick mail to hacks@blizzard.com containing the data you've procured; I'm sure it would be appreciated.

Thanks again for bringing this to the community's attention =).