New keylogger posted this morning in wow addon files

Hello,

There was a new trojan keylogger uploaded this morning on wow addon files by the name of "titan panel 3.0.6 new". I thought it was a new update of the well-known Titan Panel addon; after installing the exe file, I found out that it was a trojan. I'm posting this message to help anyone that already downloaded the file and got the same virus, because I found how to completely remove it by following these steps:

1- Check the Task Manager of Windows and see if you find a file named "scvhost.exe" (not svchost.exe; the tricky letters "vc" are swapped). End the process if you happen to find it.
2- Go to your drive C: and look for a hidden directory named "config". You will find three files inside: dskbhook.dll + dxdiag.dll + scvhost.exe. Remove these, and now you are clean.

I hope this message gets to the webmaster or administrator so that he can put a warning on the news articles, to prevent the ones that already downloaded the file and the danger of getting their World of Warcraft account hacked.

Thank you.

Report this thread post
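The two checks from the post above, written out as an added example that is not part of the original thread. It goes slightly beyond the post by flagging any process name that is one edit or one letter swap away from a genuine Windows process name, not only "scvhost.exe"; the function names and the short list of genuine names are assumptions.

```python
import os

# Short, assumed list of genuine Windows process names that malware tends to imitate.
KNOWN_SYSTEM = ["svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
                "winlogon.exe", "services.exe"]
# File names reported in the post above, found in a hidden "config" directory.
REPORTED_FILES = ["dskbhook.dll", "dxdiag.dll", "scvhost.exe"]


def is_near_miss(name, real):
    """True if name is one substitution, insertion, deletion or adjacent swap from real."""
    if name == real or abs(len(name) - len(real)) > 1:
        return False
    if len(name) == len(real):
        diff = [i for i in range(len(name)) if name[i] != real[i]]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and name[diff[0]] == real[diff[1]] and name[diff[1]] == real[diff[0]])
    short, long_ = sorted((name, real), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def lookalike_processes(process_names):
    """Return (running_name, imitated_name) pairs for names that nearly match a system process."""
    hits = []
    for raw in process_names:
        name = raw.lower()
        if name not in KNOWN_SYSTEM:
            hits.extend((raw, real) for real in KNOWN_SYSTEM if is_near_miss(name, real))
    return hits


def reported_files_present(drive_root):
    """Return paths of the reported files that exist under <drive_root>/config."""
    folder = os.path.join(drive_root, "config")
    return [os.path.join(folder, f) for f in REPORTED_FILES
            if os.path.isfile(os.path.join(folder, f))]


if __name__ == "__main__":
    # Constructed sample; on a real machine pass the image names shown by Task Manager.
    sample = ["svchost.exe", "scvhost.exe", "explorer.exe", "Wow.exe"]
    print(lookalike_processes(sample))
    print(reported_files_present("C:\\"))
```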

Stickied. These were posted several times throughout the day. We've been trying to remove them as fast as possible but some were up for at least 30+ minutes.

Report this thread post

It's getting so bad...

Perhaps addons that are .EXE should be quarantined for a short period? Requires vetting from a 2nd curse-user? Someone with X curse points or less can't post EXEs ?

Has to be a better way...

Report this thread post

> kadolar wrote:
> It's getting so bad...
>
> Perhaps addons that are .EXE should be quarantined for a short period? Requires vetting from a 2nd curse-user? Someone with X curse points or less can't post EXEs ?
>
> Has to be a better way...
I will actually consider something like this. We need a better way to control spammers since we can't obviously moderate the site 24/7 as sooner or later something will slip through while people are sleeping.

With our next site push we are putting live levels with which we want to increase user access on the site on a level basis. I will talk it over w/ the guys and see if we can't come up with a solution.

Report this thread post

It's not so much spammers - idiots that want to sell pills and crap are only in the annoying bin.

The keyloggers and virus idiots though: they're worth some effort to shoot down, as the damage they cause is so much more harmful... both to their account as well as Curse's reputation.

Report this thread post

I got a question..

Like 3/4 months ago I had a 60 priest, full epic, on Hakkar.

I got hacked pretty bad and lost all my items.. I downloaded all my addons from this site.
I don't wanna start over knowing that it can happen again because it really sucks :P...

Is it safe already to play WoW with addons again from Curse?
Or is there any scan tool or something else to detect if I have this keylogger...

Maybe still on my PC? I'm gonna reroll a new WoW char on Saturday xD

Report this thread post

You will want to find an antivirus tool ramon, but most likely it wasn't from an addon on this site. For the past few months other sites have had problems with their advertising, and various exploits on their websites, allowing people to get keyloggers from simply visiting the website.

The only problems we have had have been mostly recently with people posting up .exe only versions of files that are simply a copy paste of another file on the site. These are usually removed within the hour they are posted. I would just recommend not using anything that is a .exe for addons, as they shouldn't be in .exe format.

Report this thread post

Was this just people using IE, or was Firefox also affected?

Report this thread post

It was an exe in an addon file, nothing about IE or FF :)

Report this thread post

No, in regards to the advertising Zinor was talking about.

Report this thread post

Oh, you are talking about other sites. I think it reached both IE and FF.

Report this thread post

I have come to this website for addons since I started playing WoW and I must say recently these "keyloggers" have been getting bad (not just on Curse, but pretty much anything to do with WoW). As stated earlier, I believe that maybe not hosting files with .exe's in them would be a decent start to solving these problems. I mean, think about it: there's nothing an exe can do that you can't do manually besides convenience.

Also, as a side note, I'm not sure if this would help, but keyloggers record your keystrokes. So, if you were to use the account name remember thing on the WoW startup screen, if you had a keylogger would it only get your PW? Or can it leech the account name out of WoW somehow?

Report this thread post

Well, I for one use the .exe format to supply an addon pack in .msi format compressed with LZMA,

and if you banned .exe files it would take the keyloggers 2 sec to zip the file and upload it anyway.

Report this thread post

> LimDul wrote:
> Well, I for one use the .exe format to supply an addon pack in .msi format compressed with LZMA,
>
> and if you banned .exe files it would take the keyloggers 2 sec to zip the file and upload it anyway.



Yes, but then you would be able to SEE the file before unzipping it, along with the fact that it would set off countless virus programs.

Report this thread post

Your virus program should also scan every file you download

Report this thread post

I think just plainly disallowing anything executable would be the easiest and best way. Or at least add a warning in BIG, bold letters to all downloads containing executable code. Probably hard to make tho.

Report this thread post
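One way a download site could act on the point debated above, that a ban on the .exe extension is bypassed by zipping or renaming the file: inspect uploaded bytes by content, including inside zip archives. This is an added example, not part of the thread and not Curse's actual upload check; the extension list, size limits and function names are assumptions.

```python
import io
import zipfile

# Assumed policy values for this sketch.
BLOCKED_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".msi")
MAGIC = {b"MZ": "PE executable header", b"\xd0\xcf\x11\xe0": "OLE container (e.g. .msi)"}
MAX_DEPTH = 3                        # nested zip levels that will be opened
MAX_NESTED_BYTES = 20 * 1024 * 1024  # largest nested zip that will be unpacked


def sniff(head):
    """Return a label if the leading bytes match a known executable format."""
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def executable_content(data, name="<upload>", depth=0):
    """Return [(path, reason)] for executable content in uploaded bytes, looking inside zips."""
    label = sniff(data[:4])
    if label:  # also catches self-extracting archives, which start with a PE header
        return [(name, label)]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = name + "!" + info.filename
            lower = info.filename.lower()
            if info.flag_bits & 0x1:  # password-protected member: contents cannot be vetted
                findings.append((path, "encrypted member, cannot inspect"))
                continue
            nested = lower.endswith(".zip")
            if nested and (depth >= MAX_DEPTH or info.file_size > MAX_NESTED_BYTES):
                findings.append((path, "nested archive not inspected"))
                continue
            with archive.open(info) as member:
                body = member.read() if nested else member.read(4)
            inner = executable_content(body, path, depth + 1) if nested else []
            label = sniff(body[:4])
            if inner:
                findings.extend(inner)
            elif label:  # content check wins over whatever the file is named
                findings.append((path, label))
            elif lower.endswith(BLOCKED_EXTENSIONS):
                findings.append((path, "blocked extension"))
    return findings
```

An empty result means nothing executable was recognised, not that the upload is safe; an antivirus scan of the same bytes is still needed.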

> LimDul wrote:
> Well, I for one use the .exe format to supply an addon pack in .msi format compressed with LZMA,
>
> and if you banned .exe files it would take the keyloggers 2 sec to zip the file and upload it anyway.

Uhm, why? A zip file is much better, since those msi files are extremely limited in their supported platforms. Any mac user will not be able to extract your addon, even tho it would work perfectly fine, since addons run inside WoW.

Report this thread post

Yes I know it wouldn't support Mac (hence a separate mac version in .zip) but with the .msi I can do this:

http://limdul.dk/2.jpg

Report this thread post

Wuzit: As far as I know, most were IE, but there may have been one or two that targeted FF on the sites that had them.

Report this thread post

Man, this kind of stuff is just ridiculous...

I think the real problem is with "ebay"... if they wouldn't let people sell gold and their characters, it wouldn't be so profitable to hack people's accounts.

I trust CG, and I'm sure the admins here will come up with something to keep this from happening, at least as much as possible.

Report this thread post