Trojan Hacks Blizzard Authenticor Protected Accounts

There is a new trojan virus out there that can hack into World of Warcraft accounts protected by an authenticator.  We all knew something like this was bound to show up at some point in time.

MMO-Champion has reported on this, stating the following [Source]:

Basically, what the virus does is fairly simple after you’re infected :

  • The next time you log in World of Warcraft, the game asks for your Authenticator code.
  • The virus intercepts it, send it to another server, and sends a wrong one to Blizzard = You get an error.
  • The people behind the virus now have a few seconds/minutes to use the “real” code while it’s valid to change your password / empty your account / guild bank.

How to check if you’re infected
Just search for a file named “emcor.dll” on your computer, it is most likely located in “C:\Users\(Your user name)\AppData\Temp” but I suggest that you check everything just to be sure. If you do find the file, delete it and make sure you update your anti-virus to prevent any further problem.

To be honest, if you found this file your account is probably already compromised.

What does it mean exactly?

  • Yes, you can get hacked even if you have an authenticator, the chances are MUCH lower but you’re not invulnerable.
  • It definitely isn’t an excuse to not have an authenticator. We’re talking about a single virus here and the authenticator will save your ass 99% of the time.
  • Get a decent anti-virus, buy an authenticator, you’ll be safe.

Blizzard has also addressed this and confirmed with the following post in their forums [Source]:

“After looking into this, it has been escalated, but it is a Man in the Middle attack.

This is still perpetrated by key loggers, and no method is always 100% secure.”

So everybody out there remember to keep your anti-virus programs up to date, and even though this does target authenticated WoW accounts, having an authenticator is still the best way to protect against keylogging.

Speak Your Mind