Wednesday, April 29, 2009

Warcraft Custom Map Virus - Important!

Warcraft Custom Map Virus Warcraft Custom Map Virus, a Must Read! There's been a big fuss lately on Battle.net because a new exploit has been circulated amongst hackers. The exploits allows for a custom map to execute arbitrary code on a client and install trojans/viruses/keyloggers outside of the Warcraft III engine. In simple words, by just join an unknown person who host the Warcraft III virus map, your pc will be infected when the game started. And Dota is now become the largest target of this virus. This is not hoax or rumor, Dota-Allstars forums (and Battle.net forums) already stickied this topics. I really recommend that you read this article until finish for your own good.

Hackers created fake Dota maps that use the same file extension/directory as DotA 6.59d. Therefore you will see the loading screen displayed in your custom game list and it is effectively impossible to take precautions against, as it has no discernible difference from joining a normal DotA game. It is highly recommend that you stop playing public dota games until blizzard can patch this exploit. They have already had it brought to their attention.'

For those who doubt how dangerous this is; by mimicing dota, anyone who has already downloaded the legitimate map will see the game displayed in the custom game screen with the proper loading image, and it finishes downloading before you switch to the game lobby screen, as it is a tiny file size. Once you enter the game, the virus will unpack itself and infect your computer, allowing malicious code to be executed at the whim of the hacker. This means a malicious user will be able to grab everyone's cd-keys in a game, plant a keylogger in your computer, any known virus etc.

Props go to Maged@Battle.net forums for bringing this to attention.
http://forums.battle.net/thread.html?topic...58&sid=3000

Don't join games of DotA hosted by people you don't know. This applies to public games, TDA, etc. The best precaution you can take at the moment if you want to continue to play DotA, is to keep your Warcraft III maps folder open, and see if any new files are downloaded when you join a game. If they are, immediately leave the game lobby, before the host can start the game (and infect you), and delete the new map file. If your computer has been infected, you should run the best antivirus software you can find, and Don't log into any accounts on your computer, Warcraft III, email, etc, as there is a high probability of getting your password keylogged. If you are certain your computer is infected, the only surefire way to eliminate it is to reformat your computer.

COMODO is the only known program at the moment to prevent Warcraft from running the malicious code as of now. Every other AV/firewall/anti-malware program other than that does not currently prevent this exploit from being used.
This is what ChildLikEmperor, Dota-Allstars forums moderator, said on his thread. But if you have another AntiVirus that can detect it, feel free to share it here.

Blizzard has been notified about the issue. The safest thing to do at the moment is to not play DotA or any other custom map until Blizzard release new patch. OR, you can carefully choose your host when joining a game even though certain risk is still there. Honestly, i prefer the second choice, because it will be hard to stop playing Dota ~_~

Update:
Thanks for anonymous who give this information.
Name of virus: HackTool.Win32.Sniffer.WpePro.w
Contaminated sites are here:
C:\WINDOWS\TEMP\omfg_wtf.dll

Looks like the virus file is on : \WINDOWS\TEMP\omfg_wtf.dll

Note: Warcraft Patch 1.23 is also vulnerable for this virus!

No comments:

Post a Comment