The Wee Free Men Clan: the website of The Wee Free Men clan

Watch out for the keylogger!

  • Messages
  • OFFLINE
    WizardsMaster
    Posts: 647
    Registered: 08/04/2005

    *Kelda*

    00 23/09/2006 16:12
    Reference topic: forums.wow-europe.com/thread.html?topicId=40654073&sid=1
    BLUE post: forums.wow-europe.com/thread.html?topicId=31483341&sid=1


    I have just discovered that entering WorldofWar.net may be installing a keylogger on your system. Please be aware that I am not saying that the people running that site are at fault. I am only posting this here as a warning to help people avoid the fate I suffered.


    I'm no expert, and I am not making any judgment about that site, or even saying for a fact that the site is a source of an actual keylogger, but here are the facts based on my testing:

    1. I had my account hacked today.
    2. After I discovered this, I found that there was a process called svchqs.exe running on my system.
    3. The file was in my Windows\system32 folder, and was "modified" on 9/17/06. I promptly deleted the file and terminated the process.
    4. I searched on the internet for information on this file, and got a hit to the forums of Worldofwar.net, specifically a thread where keyloggers were being discussed.
    5. McAfee warned me of suspicious activity from that site, but since I had already been hacked, I decided to see what would happen, and loaded the site anyway.
    6. After going past the warning, and allowing the site to load, I received a new file in my Windows\system32 folder, called svchcs.exe. This was also instantly added as a running process.
    7. Further research indicated that this might be a keylogger as well.
    8. I have in the past frequently visited Worldofwar.net for their mapping page, which may be how I got the first keylogger.
    9. IMPORTANT: I did all this using IE.

    I will be notifying Worldofwar.net of the problem, in case they are not aware of it. In the meantime, it would be wise to approach that site with caution until the true cause is determined.

    EDIT: Someone in this thread has discovered that it may be coming from the banner ads:

    "I want to make sure to say that this is probably not the fault of the worldofwar.net guys. 10-1 it is the fault of the adbanner network they are using. Please don't blame the makers of the site as they are very probably good guys and would not do something like this on purpose ever."

    It also seems that the problem does not occur if you use Firefox.



    In short, you don't need to run any *.exe or anything similar to get infected. Just use IE, surf around a bit, et voilà... account hacked.


    PRECAUTIONS:

    1) Don't use Internet Explorer (for those who don't use it already [newbies], here is Firefox);

    2) Start WoW using the LAUNCHER (the Launcher.exe file in the WoW directory. It automatically runs a check for known hacks and keyloggers, which can help);

    3) In any case, stop downloading WoW videos (Conflitto will die of it, but never mind) and stop browsing the forums of mod sites (Cursegaming and Worldofwar.net, for example) for as long as the "red alert" lasts;

    4) Use a software firewall and anti-adware (the Windows XP SP2 firewall or Zonealarm, and AD-Aware, for example).

    And good luck to everyone.
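
    Added example, not part of the original post: the two files reported above, svchqs.exe and svchcs.exe, both sit within two character edits of the genuine Windows binary name svchost.exe, so a defender can sweep a directory listing for near-miss names. The allowlist, the function names and the sample listing are assumptions constructed for this illustration.

```python
from pathlib import PureWindowsPath

# Assumption: a short allowlist of genuine Windows binary names to compare against.
KNOWN_GOOD = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
              "winlogon.exe", "explorer.exe", "smss.exe"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def find_lookalikes(paths, max_distance=2):
    """Return (path, imitated_name, distance) for names that nearly match."""
    hits = []
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        if name in KNOWN_GOOD:
            continue  # exact name; verifying its location is a separate check
        best = min(KNOWN_GOOD, key=lambda good: edit_distance(name, good))
        dist = edit_distance(name, best)
        if dist <= max_distance:
            hits.append((p, best, dist))
    return hits

# Constructed sample listing; the two flagged names are the ones from the post.
SAMPLE = [
    r"C:\Windows\system32\svchost.exe",
    r"C:\Windows\system32\svchqs.exe",
    r"C:\Windows\system32\svchcs.exe",
    r"C:\Windows\system32\notepad.exe",
    r"C:\Windows\system32\lsass.exe",
]

if __name__ == "__main__":
    for path, imitated, dist in find_lookalikes(SAMPLE):
        print(f"{path}: resembles {imitated} (edit distance {dist})")
```

    A hit is only a lead: confirm it against the file's modification date, signature and running-process list before deleting anything.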
  • OFFLINE
    Lord Yupa
    Posts: 116
    Registered: 11/04/2005
    City: MILANO

    *Gonnagle*

    00 28/09/2006 16:21
    At most, what can happen to me is that they figure out my password for the porn sites I'm signed up to

    ------------