I realize this might not be new to the WoW community, but there are obvious threats out there that need some attention. Recently, the team here at FaceTime Security Labs has seen one threat in particular that we feel is especially evil. The story begins the way most of these stories begin: with someone downloading something without scanning it for viruses first.
There are about 10 million players on World of Warcraft, most of whom are in China. The amount of malware coming out of China in the last several years has been staggering. It's no surprise, really, that World of Warcraft players would become a target.
The first thing this trojan does is watch for the user to log in to their WoW account and store the information to be sent to the attacker.
The attacker also creates numerous entries under the Image File Execution Options registry key to prevent the victim from removing the application. This way, the user is forced into removing the application manually, or biting the bullet and reformatting.
The list below shows all the programs that are rendered useless by this trojan:
regtool.exe
KPPMain.exe
egui.exe
kpfw32.exe
kwatch.exe
kpfwsvc.exe
kavstart.exe
kaccore.exe
kissvc.exe
kmailmon.exe
esafe.exe
ravtool.exe
ravtask.exe
ravstub.exe
UpLive.exe
UmxPol.exe
UmxFwHlp.exe
UmxCfg.exe
UmxAttachment.exe
UmxAgent.exe
UIHost.exe
TrojDie.kxp
Trojanwall.exe
TrojanDetector.exe
SysSafe.exe
symlcsvc.exe
SREng.EXE
SmartUp.exe
shcfg32.exe
scan32.exe
safelive.exe
Rsaupd.exe
RegClean.exe
QHSET.exe
PFWLiveUpdate.exe
KAV32.exe
mmqczj.exe
mcconsol.exe
MagicSet.exe
KWatchX.exe
KWatch9x.exe
kvupload.exe
KVStub.kxp
KVSrvXP.exe
KVScan.kxp
KvReport.kxp
kvolself.exe
kvol.exe
KVMonXP_1.kxp
KvfwMcl.exe
KvDetect.exe
KVCenter.kxp
KsLoader.exe
KRepair.com
KRegEx.exe
KMFilter.exe
KMailMon.exe
KISLnchr.exe
KAVStart.exe
KAVSetup.exe
KAVPFW.exe
KAVDX.exe
KASTask.exe
KASMain.exe
KaScrScn.SCR
kabaload.exe
isPwdSvc.exe
HijackThis.exe
FTCleanerShell.exe
FileDsty.exe
ccSvcHst.exe
CCenter.exe
AvMonitor.exe
avgrssvc.exe
autoruns.exe
AppSvc32.exe
AgentSvr.exe
IceSword.exe
adam.exe
WoptiClean.exe
nod32krn.exe
mmsk.exe
Ras.exe
vsstat.exe
NPFMntor.exe
webscanx.exe
avconsol.exe
Navapsvc.exe
KPFW32.exe
KAVPF.exe
procexp.exe
safebank.exe
rfwproxy.exe
FYFireWall.exe
avp.com
rfwsrv.exe
rfwmain.exe
rfwstub.exe
idag.exe
WinDbg.exe
OllyICE.EXE
OllyDBG.EXE
360safe.exe
qqkav.exe
qqdoctor.exe
safeboxtray.exe
360rpt.exe
360safebox.exe
360tray.exe
qqsc.exe
ati2evxx.exe
Iparmor.exe
PFW.exe
navapsvc.exe
Navapw32.exe
KVwsc.exe
KVsrvXP.exe
KVFW.EXE
rav.exe
ravtimer.exe
RAVmon.exe
RAVmonD.exe
rising.exe
KAVsvcUI.exe
kavsvc.exe
avp.exe
runiep.exe
X-Cleaner.exe isn't on there?! I'm insulted. As you can see, this threat hinders several mainstream anti-virus, anti-malware, rootkit detection, and process explorer tools.
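One way to check a machine for the Image File Execution Options entries described above is to scan a text export of the registry for IFEO subkeys that carry a `Debugger` value. This is an added example, not FaceTime's code. It assumes the trojan uses the standard `Debugger` value, which the post does not state. The sample export, the debugger paths and the `find_ifeo_debuggers` name are constructed for illustration.

```python
import re

IFEO = "\\Image File Execution Options\\"
# A few image names taken from the list on this page.
WATCHED = {"hijackthis.exe", "autoruns.exe", "procexp.exe", "icesword.exe", "avp.exe"}

# Constructed sample in `reg export` text form (decode real exports from UTF-16 first).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
"Debugger"="C:\\PLACEHOLDER\\constructed.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="C:\\PLACEHOLDER\\constructed.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devtool.exe]
"Debugger"="\"C:\\Tools\\dbg.exe\" -g"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)

def find_ifeo_debuggers(reg_text):
    """Return [(image, debugger_command, on_watchlist)] for IFEO subkeys with a Debugger value."""
    hits, image = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            path = m.group(1)
            idx = path.lower().find(IFEO.lower())
            rest = path[idx + len(IFEO):] if idx != -1 else ""
            # Only direct children of the IFEO key name an executable image.
            image = rest if rest and "\\" not in rest else None
            continue
        m = VAL_RE.match(line)
        if m and image:
            cmd = re.sub(r"\\(.)", r"\1", m.group(1))  # undo .reg escaping
            hits.append((image, cmd, image.lower() in WATCHED))
    return hits

if __name__ == "__main__":
    for image, cmd, watched in find_ifeo_debuggers(SAMPLE):
        print(("SECURITY TOOL " if watched else "review        ") + image + " -> " + cmd)
```

A `Debugger` value is not malicious by itself, since developers and some utilities set it on purpose. What stands out is one sitting on the image name of a security tool.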
After the trojan blocks access to your security applications, it sits and listens for any kind of Warcraft traffic that it might potentially steal. The attacker will have the ability to consistently ping the infected PC and take information as needed.
We currently detect this threat as PWS.Game.rnq. Mind your clicks.
News Source: FaceTime