Elitist Jerks
Old 09/15/06, 4:47 PM   #1
Quigon
I'm surprised this has not yet been brought up, but there is a particularly nasty key logger in the wild at the moment.

I don't know many of the details currently but was posting in case some others had some advice or stories regarding this.

As of last night, nearly every major guild on my server had at least 2-3 people who had been hacked (although ours seems to have escaped the "bad luck").

It appears as if Firefox users are not immune either.

Blizzard's Line:
http://forums.worldofwarcraft.com/th...14715049&sid=1

I found this free virus scanner that appears to check for the appropriate logger in question:
http://housecall.trendmicro.com/

Anyway, if you have any additional information on this, please post. Hope this is useful to someone.

Old 09/15/06, 4:49 PM   #2
saramin
http://www.fohguild.org/forums/mmorp...ms-ladies.html

Edit: If I link to FoH on this board, but to achieve good, does Kaubel's head implode?

Old 09/15/06, 4:49 PM   #3
Malan
Our former guild leader and one of our best equipped tanks lost all his gear and our guild bank over the weekend. We suspect this keylogging was the reason.

Old 09/15/06, 4:56 PM   #4
Siddown
I do really feel sorry for people this happens to, especially if they are on a shared computer where anyone could have DL'd it by accident, but come on now, most of the Key Logger posts on the WoW Forums are so obvious, I can't believe that people fall for it. They remind me of those "I have millions of dollars back in Nigeria" email scams that people fall for all the time.

Of course, this post is kind of like jinxing a no hitter, so I fully expect to be keylogged within the next 10 minutes. ;)

Old 09/15/06, 4:59 PM   #5
hellsoap
I have a mac.


Old 09/15/06, 4:59 PM   #6
Graham
http://www.noscript.net/whats

Why people run around assuming that every website they've never previously been to isn't out to get them, I can't imagine.


Edit: Also, Hellsoap wins.

Old 09/15/06, 5:01 PM   #7
♦ Praetorian
Originally Posted by saramin
http://www.fohguild.org/forums/mmorpg-general-discussion/24703-make-sure-you-using-firefox-wow-forums-ladies.html

Edit: If I link to FoH on this board, but to achieve good, does Kaubel's head implode?
Useful information is useful information. So long as it doesn't turn into an IE/Firefox nerd pissing contest after a page or tw... oh, wait.

But yeah, this scares the hell out of me. Has anyone seen anything suggesting a variant of the keylogger phenomenon that is something other than an ActiveX exploit that uses "trusted" ActiveX commands to force a stealth install? Or is this the same thing that's been kicking around for 2-3 weeks now?

And yes, extreme caution is warranted. I would recommend that you not have your browser remember your WoW forums login info, because that just sits there in plaintext on your computer.

Old 09/15/06, 5:01 PM   #8
Quigon
I do really feel sorry for people this happens to, especially if they are on a shared computer where anyone could have DL'd it by accident, but come on now, most of the Key Logger posts on the WoW Forums are so obvious, I can't believe that people fall for it. They remind me of those "I have millions of dollars back in Nigeria" email scams that people fall for all the time.

Of course, this post is kind of like jinxing a no hitter, so I fully expect to be keylogged within the next 10 minutes. ;)
Don't underestimate it.
The key logger has been rolled into a number of mods supposedly. Has affected many Firefox users, and seems to be getting quite a few "intelligent" people.

Most guilds do a lot of "boxing"... so the problem is intensified, even if you're not the one infected, one mistake could be brutal for your guild.

Old 09/15/06, 5:06 PM   #9
Quigon
I should add that "Firefox users are vulnerable" is anecdotal, from comments by people affected by this... so maybe it is safe... and no, please don't turn this into an IE vs Firefox thread, let's keep this useful!

Old 09/15/06, 5:10 PM   #10
Kalman
Originally Posted by Quigon
I do really feel sorry for people this happens to, especially if they are on a shared computer where anyone could have DL'd it by accident, but come on now, most of the Key Logger posts on the WoW Forums are so obvious, I can't believe that people fall for it. They remind me of those "I have millions of dollars back in Nigeria" email scams that people fall for all the time.

Of course, this post is kind of like jinxing a no hitter, so I fully expect to be keylogged within the next 10 minutes. ;)
Don't underestimate it.
The key logger has been rolled into a number of mods supposedly. Has affected many Firefox users, and seems to be getting quite a few "intelligent" people.

Most guilds do a lot of "boxing"... so the problem is intensified, even if you're not the one infected, one mistake could be brutal for your guild.
How the *hell* do you roll a keylogger into a mod that is sandboxed both for data in and data out, and written in plaintext there for anyone to see?

I'm not saying this keylogger phenomenon isn't a problem, but a mod-based keylogger would require that the person who wrote it have a character on your server, and that you either whisper or mail or hiddenchannel them the appropriate info (which either requires them to be logged into the logging character or you to hit the mailbox and not notice the mail being sent)

Let's not get carried away here.

(BTW, Hellsoap, I miss your old avatar. I found it endlessly fascinating.)

Melador> Incidentally, these last few pages are why people hate lawyers.
Viator> I really don't want to go all Kalman here.
Bury> Just imagine what the world would be like if you used your powers for good.

Clearly law school has done wonders for me.

Old 09/15/06, 5:14 PM   #11
Malan
Originally Posted by hellsoap
I have a mac.
Amen brother, amen.

Old 09/15/06, 5:17 PM   #12
Quigon
Kalman: I was under the impression it came with the addon as an executable or something that someone would have to foolishly click (edit: meaning as a separate file in the zip, I wasn't implying for a second a mod would make you vulnerable). Again, I said "supposedly" and this is just relaying information. I think being careful is the key point, as it seems to be affecting a lot of folks.

Old 09/15/06, 5:18 PM   #13
Malan
Originally Posted by Kalman
I'm not saying this keylogger phenomenon isn't a problem, but a mod-based keylogger would require that the person who wrote it have a character on your server, and that you either whisper or mail or hiddenchannel them the appropriate info (which either requires them to be logged into the logging character or you to hit the mailbox and not notice the mail being sent)
I've seen mods before that actually had an installer .bat or .exe file to "help" people with the ever difficult task of drag-dropping into the Addons directory. For some reason most computer users cannot resist clicking every file they see that has a .exe on the end of it, just to see what it does. It's the same impulse that leads people to open corrupted emails from people they've never heard of.

Old 09/15/06, 5:18 PM   #14
 frmorrison
My Firefox blocks ActiveX stuff by default. I have never heard of someone getting a mod with keyloggers from Curse.

If this has affected a lot of people, I wonder how cheap Nexus crystals are now;)?

Millions of words are written annually purporting to tell how to beat the races, whereas the best possible advice on the subject is found in the three monosyllables: 'Do not try.'

Old 09/15/06, 5:22 PM   #15
Feer
Originally Posted by Quigon
Don't underestimate it.
The key logger has been rolled into a number of mods supposedly. Has affected many Firefox users, and seems to be getting quite a few "intelligent" people.
Meaning it's hidden in those mods that come as .exe files like Cosmos (at least used to), or using some Lua scripting related exploit? The first one is rather easy to avoid; the latter is of course always a possibility but quite unlikely in this case.

Old 09/15/06, 5:23 PM   #16
Kalman
Originally Posted by Quigon
Kalman: I was under the impression it came with the addon as an executable or something that someone would have to foolishly click (edit: meaning as a separate file in the zip, I wasn't implying for a second a mod would make you vulnerable). Again, I said "supposedly" and this is just relaying information. I think being careful is the key point, as it seems to be affecting a lot of folks.
Ah, okay. There's a reason I don't run mods which use executables.

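An added example, not code from any poster in this thread: the posts above describe addon zips that ship a stray installer .bat or .exe next to the plaintext addon files, so this sketch lists every archive member that Windows would run on a double-click and also catches an executable renamed to look like data. The archive contents, the addon name `ExampleAddon` and the extension list are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs on double-click; a plaintext addon needs none of them.
RUNNABLE = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif",
            ".vbs", ".js", ".msi", ".dll", ".lnk"}


def audit_addon_zip(data: bytes) -> list:
    """Return (member, reason) for each entry that does not belong in an addon."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            suffix = PurePosixPath(name.replace("\\", "/")).suffix.lower()
            with zf.open(info) as fh:
                magic = fh.read(2)  # first two bytes of the member
            if suffix in RUNNABLE:
                findings.append((name, "runnable extension " + suffix))
            elif magic == b"MZ":
                # Windows executable header behind a harmless-looking name.
                findings.append((name, "MZ header under a data extension"))
    return findings


def build_sample() -> bytes:
    """Constructed sample archive: a plain addon plus two planted files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ExampleAddon/ExampleAddon.toc", "## Title: ExampleAddon\n")
        zf.writestr("ExampleAddon/ExampleAddon.lua", "-- addon code\n")
        zf.writestr("ExampleAddon/install.bat", "@echo off\r\n")
        zf.writestr("ExampleAddon/readme.txt", b"MZ\x90\x00 not really text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in audit_addon_zip(build_sample()):
        print(member + ": " + reason)
```
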
Old 09/15/06, 5:26 PM   #17
Malan
Originally Posted by frmorrison
If this has affected a lot of people, I wonder how cheap Nexus crystals are now;)?
Well our sulfuron hammer was on the AH for 500g, 5 nexus crystals for 30g (6 auctions of these) and something like 100 arcanite bars for 200g. :(

Old 09/15/06, 5:29 PM   #18
niss
This probably has something to do with their new forums. I'd just refrain from posting on them.

Old 09/15/06, 5:32 PM   #19
Lousifer
I thought the idea was to post on WoW forums as little as possible anyway.

Old 09/15/06, 5:33 PM   #20
♦ Praetorian
Originally Posted by niss
This probably has something to do with their new forums. I'd just refrain from posting on them.
I don't see how it could or would. It's just an ActiveX exploit and people are posting malicious links disguised as WoW-related things.

Really, the safest practice, on top of obvious browser security, is never to click a link from the WoW forums, or at least never to click a link to any site you don't recognize and trust (thottbot, curse-gaming, etc.).

Old 09/15/06, 5:36 PM   #21
Brando
Happened to one of my guild mates last week, who for some odd reason wasn't using a firewall. He claims the only thing he downloaded during that week is the AQWarner from wowinterface.com. As far as I can tell, doesn't having an active firewall stop this from happening unless you specifically click "Yes" when the firewall asks if it's ok to send this info out??

Anyways, just yesterday he finally had most of his stuff restored minus enchants except a couple of bank alts. Hope it turns out just as well for anybody else this happens to.

Old 09/15/06, 5:38 PM   #22
Siddown
Originally Posted by niss
This probably has something to do with their new forums. I'd just refrain from posting on them.
It was going on well before that, but the new forums may (or obviously may not) make it easier to do...although generally it's someone clicking a page they don't know that causes it.

For example, Ming (Rogue who used to play on Lightning's Blade, and used to be quite a Theorycrafter on the Forums) posted a video of the "Best rogue in China" with a link to the video which was a very popular thread. It was legit, but within a few days there were duplicates of the thread but with the WarcraftMovies link replaced with a Keylogger link. People see it, and click it assuming it's the correct one. The new forums have nothing to do with that, that's just people being careless.

Old 09/15/06, 5:39 PM   #23
Quigon
Originally Posted by Praetorian
Originally Posted by niss
This probably has something to do with their new forums. I'd just refrain from posting on them.
I don't see how it could or would. It's just an ActiveX exploit and people are posting malicious links disguised as WoW-related things.

Really, the safest practice, on top of obvious browser security, is never to click a link from the WoW forums, or at least never to click a link to any site you don't recognize and trust (thottbot, curse-gaming, etc.).
This is basically it.

Most people are infected after clicking on an "OMG EJ Kills Hogger" video. And the video links to the logger. Watching what you click on will basically cover you 99.9% of the time, it appears. Reading forums should be safe for the most part.

Old 09/15/06, 5:39 PM   #24
Petehmb
My account got keylogged / hacked / whatever, in the span of a few hours. I logged off from BWL a couple weeks ago on a Wednesday night, and when I got home from work Thursday I logged on and saw this for a character select screen...



Once I logged onto one of the level 1s and reported the incident, they locked my account and had me fax them some information proving I was who I said I was, then it took them another several days to restore my main character and *MOST* of my items. Some of my non-essential bank items were not restored, like the 300x Darkmoon Special Reserve and 100x Gordok Green Grog, and none of my alts have been restored yet which had several hundred Thorium Bars, a bunch of Arcanite Bars I'd been saving for my Lionheart Helm / Titanic Leggings, and 5 other toons worth of Engineering, Enchanting, Leatherworking, Tailoring, and Alchemy mats. Oh, and each of my alts also was >lvl 30, with some pretty nice sets of blues, and had full banks, bank bags, 16 slot bags for carrying, and >40-50g each.

Look in your Task Manager for a file / process called "svchqst.exe", "svch0st.exe" or just "svchq.exe". Some of these keyloggers are also apparently being attached to video links people put up on the Blizzard forums, so beware if you're someone like me who goes and watches _____'s new pvp / raid / whatever video.

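An added example, not part of the post above: the three process names it lists all imitate the Windows service host `svchost.exe`, so this sketch checks a list of process image paths for those names and goes one step further by flagging any other near-miss spelling and any `svchost.exe` running from outside the system directory. The sample paths are constructed, and the `C:\Windows` install location is an assumption.

```python
from pathlib import PureWindowsPath
from typing import Optional

LEGIT = "svchost.exe"
# Names reported in the post above.
REPORTED = {"svchqst.exe", "svch0st.exe", "svchq.exe"}
# Assumption: Windows is installed in C:\Windows.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_process(image_path: str) -> Optional[str]:
    """Return a reason if the image looks like a fake svchost, else None."""
    p = PureWindowsPath(image_path)
    name, folder = p.name.lower(), str(p.parent).lower()
    if name in REPORTED:
        return "name reported in thread"
    if name == LEGIT:
        return None if folder in LEGIT_DIRS else "svchost.exe outside System32"
    if edit_distance(name, LEGIT) <= 2:
        return "near-miss of svchost.exe"
    return None


# Constructed process list for illustration, not captured from a real machine.
SAMPLE = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\svch0st.exe",
    r"C:\Users\player\AppData\Local\Temp\svchost.exe",
    r"C:\Windows\System32\scvhost.exe",
    r"C:\Program Files\World of Warcraft\WoW.exe",
]


def scan(paths):
    """Map each flagged path to the reason it was flagged."""
    hits = {}
    for path in paths:
        reason = check_process(path)
        if reason is not None:
            hits[path] = reason
    return hits
```
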
Old 09/15/06, 5:41 PM   #25
Feer
Ok, so I found one of those keylogger links, extracted the executable and scanned it with both the free antivirus software I have on my home PC and the commercial one I have on my work laptop - with all safety precautions of course, please don't try this at home ;). Both recognized it as malware, either through heuristics or with a specific malware signature. Seems like the culprits are using the usual off-the-shelf trojans, and with up-to-date antivirus software you should be reasonably safe. Even if it were sophisticated custom-written software, I would say by now most antivirus companies would have it in their signature databases, considering how popular WoW is.
