Just in time for the first weekend of the year, many people’s last gaming weekend of holiday time, it appeared that Blizzard users fell victim to a nasty Trojan that could compromise accounts, even if they were using the Battle.net authenticator. Never fear, there is a cure – but just check if you are infected.
Over on the Battle.net forum, the following post reported the initial problem:
We’ve been receiving reports regarding a dangerous Trojan that is being used to compromise player’s accounts even if they are using an authenticator for protection. The Trojan acts in real time to do this by stealing both your account information and the authenticator password at the time you enter them.
Scary stuff. So much for a two-step authentication method being secure. Want to check if you’ve been infected? Here are the instructions:
It can be identified by creating an MSInfo file and then looking in the Startup Program section of that file for either “Disker” or “Disker64”.
Working through the weekend, the admins found the source of the infection, and the cure. The Trojan comes from a fake yet functional version of the Curse Website through which people can get the Curse Client. The malware site was popping up on searches for “curse client”, which is how it lured in so many users. If you have been infected, your best bet is to delete the fake Curse Client and run your security program. Blizzard admins insist that the authenticator protects your account 99% of the time.
I’m still skeptical of all these security measures. My Steam Guard seems to constantly think I’m changing locations, while the Blizzard authenticators can feel like a serious waste of time. Yes, security is really important. I’m just not convinced that authenticators, two-part login systems and other mechanisms are really keeping us any safer.
Last Updated: January 6, 2014