CastleCops, Internet Crime Fighters


Onlinegames keyloggers and fake Software for Worldofwarcraft
Forum: All -> FavForums -> Web Malware Links (page 1 of 4)
tacktick (MIRT Hunter, Premium Member; joined May 19, 2007; posts: 624; location: USA)
Posted: Fri Jun 22, 2007 3:28 am    Post subject: Onlinegames keyloggers and fake Software for Worldofwarcraft

Well, for starters, these guys just never stop.
I have been tracking them for almost two months now.
I'm doing my best to make their criminal life harder though.

There are three malware authors/groups that I have been following.
Well, I assume these groups are separate. I distinguish them by their
methods and websites.

The first one is:

Code:

http://wor1dofwarcraft.com/  = 64.20.35.98

Originally, their malware and exploit code was only at the above address,
and they counted on people mistyping worldofwarcraft.com or clicking
a link but not noticing the difference.

Now their exploit and malware code is linked from the above website to here:
Code:

http://www.mabios.com/flash.js
http://www.mabios.com/1.exe      =  70.85.244.82
http://www.gameones.net            =  70.85.244.82
http://www.gameones.net/1.exe
http://www.gameones.net/mos.exe



Since I have been tracking them, I have seen three different versions of
their malware, the most recent of which is here:

CastleCops Link/t192936-MD5_051576122df8cf77c335a02158f74a82_1_exe.html
CastleCops Link/t192946-MD5_339cde39f79140894b8858e05b9a28cf_servett_exe.html

Whenever I see a new version, I get that sent out via our listserv.

Emails and Takedown notices to the Chinese domain host have had no
success, however the actual servers are located in the US.
I will be trying to get them taken down again.


_________________
Analyzing, reporting and removing Malware. Fight the Scourge!


Last edited by tacktick on Fri Jun 22, 2007 6:34 am, edited 1 time in total
tacktick
Posted: Fri Jun 22, 2007 3:50 am

The second one is:

Code:
http://world0fwarcraft.net           =  222.187.105.196


Their malware and exploits are hosted:

Code:

http://world0fwarcraft.net/world.htm
http://world0fwarcraft.net/1.htm
http://world0fwarcraft.net/ani.css
http://world0fwarcraft.net/yahoo.asp
http://world0fwarcraft.net/123.js
http://world0fwarcraft.net/admin.asp

http://world0fwarcraft.net/test.exe


Recently these urls have popped up on wow forum spam.
All of them redirect to the main website above.
Code:

http://qwe1.cn/sex.htm   (Dead)
http://sex.doganddoctor.com/world.htm        = 222.187.105.196
http://bc0.cn/sex.jpg                                   = 222.187.105.196
http://bc0.cn/world.htm


In the time I have been watching them I have seen 4 versions of their malware. Their website code and exploits haven't changed though.

Most recent malware:
CastleCops Link/t192937-MD5_dba938da217e84374b4328240ddf9af5_test_exe.html

Both the domain and network hosts are in China for these sites.
I have sent emails but got no action or reply whatsoever.
Whois info:
http://centralops.net/co/DomainDossier.aspx?addr=world0fwarcraft.net&dom_whois=true&dom_dns=true&net_whois=true&x=21&y=11

Maybe they are a criminals' haven or they are paid off. Any ideas on pursuing this further are appreciated.


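Both groups above depend on lookalike domains (wor1dofwarcraft.com, world0fwarcraft.net) that survive a quick glance. The following is an added example, not code from the original thread or from CastleCops, showing how a batch of spammed URLs can be triaged against a protected domain by collapsing confusable characters and measuring edit distance; it also handles the defanged "hxxp: //" spelling used later in this thread. The protected-domain list, the confusable map and the two-edit threshold are assumptions, and the sample URLs in `__main__` are constructed to mirror the kinds of links posted here.

```python
"""Triage URLs from forum spam as lookalikes of a protected domain.

Added example; not from the original thread. The protected domains,
the confusable map and the typo threshold are assumptions.
"""
import re

# Domains we treat as genuine (assumed; the thread's target brand).
LEGIT_DOMAINS = {"worldofwarcraft.com"}

# Characters attackers swap in because they look alike in common fonts.
# Constructed and deliberately short; a production check would add the
# Unicode confusables table. Note "rn" -> "m" can slightly distort
# honest labels containing "rn"; that only affects the distance check.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

# Matches http(s):// as well as the defanged "hxxp: //" form.
_HOST_RE = re.compile(r"^\s*(?:h(?:tt|xx)ps?:\s*//\s*)?([^/:\s?#]+)", re.I)


def host_of(url: str) -> str:
    """Extract the hostname from a normal or defanged URL."""
    m = _HOST_RE.match(url)
    if not m:
        raise ValueError(f"no host in {url!r}")
    return m.group(1).lower().strip(".")


def registrable(host: str) -> tuple:
    """(label, tld) from the last two labels; naive about suffixes like co.uk."""
    parts = host.split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def skeleton(label: str) -> str:
    """Replace confusable characters so homoglyph lookalikes collapse onto the target."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches plain typos such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, max_typos: int = 2) -> str:
    """Verdict: legitimate | tld-swap:<d> | homoglyph:<d> | typo:<d> | unrelated."""
    label, tld = registrable(host_of(url))
    if f"{label}.{tld}" in LEGIT_DOMAINS:
        return "legitimate"
    sk = skeleton(label)
    for legit in LEGIT_DOMAINS:
        llabel, ltld = legit.rsplit(".", 1)
        if label == llabel and tld != ltld:
            return f"tld-swap:{legit}"      # same name, wrong TLD
        if sk == llabel:
            return f"homoglyph:{legit}"     # 0/o, 1/l style substitution
        if levenshtein(sk, llabel) <= max_typos:
            return f"typo:{legit}"          # mistyped or truncated name
    return "unrelated"


def triage(urls):
    """Map each URL to its verdict. 'unrelated' hosts still need a content check."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample set mirroring the links reported in the thread.
    SAMPLE = [
        "http://wor1dofwarcraft.com/",
        "http://world0fwarcraft.net/world.htm",
        "http://forums.worldofwarcraft.com/thread.html?topicId=1",
        "http://worldofwarcraft.net/",
        "http://worldofwarcaft.com/",
        "hxxp: // okgame8.com/downloads/movies/movieview.zip",
    ]
    for url, verdict in triage(SAMPLE).items():
        print(f"{verdict:30} {url}")
```

The skeleton step is what catches the two domains in this thread; the edit-distance step covers the mistyping scenario tacktick describes for the first group. Hosts that come back "unrelated" (bc0.cn, mabios.com) are not cleared by this check, they simply are not brand impersonation and need the usual content analysis.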
tacktick
Posted: Fri Jun 22, 2007 4:34 am

The third group is a bit different: they use social engineering instead of exploits.
They also spam their malware in many places.
The other way they distinguish themselves is that they package and piggyback their trojan onto some legitimate software and then spam it as a download link for that software.

For example: CastleCops Link/t192716-Keyloggers_WoW_Model_Viewer.html

Originally they started out using:

Code:

http://gameomp.net   =  70.86.222.73


For example:
Code:

http://gameomp.net/downloads/MovieSnapshot_v0.4.zip  (DEAD)
http://gameomp.net/downloads/iview400_setup.zip     (DEAD)
http://gameomp.net/WoWUIDesignerv1.0.300.10.zip   (working)


Now they are using other sites as well:

Code:

http://e73.org/                                               =    70.86.222.73
http://e73.org/Downloads/movieview.zip
http://gameup.us/                                           =   70.86.222.73
http://gameup.us/Downloads/movieview.zip
http://gameup.us/WoWUIDesignerv1.0.300.10.zip


They have piggybacked their malware onto a bunch of different programs, like VirtualDub. Mostly they use free and shareware software.

Lately though, they are not bothering to do that, and are just using social engineering to trick people into downloading a zip file. Inside is an executable that looks like a setup file for a program, but it is just malware. This may be due to the fact that the techniques used to add malware code to a real program are easily detectable by antivirus software.

Recent malware from them:
CastleCops Link/postitle192938-0-0-.html
CastleCops Link/postitle192941-0-0-.html
CastleCops Link/postitle192942-0-0-.html


I haven't tried to take these servers down yet, due to lack of time.
The servers are located at ThePlanet web hosting in Texas, so it should definitely be possible.


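The third group's lure is an archive whose contents do not match the name it was spammed under: a "setup" executable standing in for the real program, or an executable wearing a screenshot's extension. The following is an added example, not code from the original thread or from CastleCops, showing how to inspect such a zip without running anything in it: it sniffs each member's magic bytes instead of trusting the extension, flags executable content hiding behind media extensions and double extensions, and records the MD5 and SHA-256 that sample reports like the ones linked above are keyed by. The sample archive is built inside `build_sample_zip()` and its "MZ" stubs are inert filler, not real programs; the extension and magic-byte lists are assumptions.

```python
"""Inspect a downloaded archive for executables hiding behind a lure name.

Added example; not from the original thread. The sample zip is
constructed here and contains no real malware.
"""
import hashlib
import io
import os
import zipfile

# Leading bytes of content that executes when opened (constructed list).
EXEC_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"#!": "script"}
# Extensions Windows runs on double-click (assumed; not exhaustive).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar"}
# Extensions whose real content should never be executable.
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf", ".doc", ".avi"}


def content_kind(data: bytes) -> str:
    """Classify a member by magic bytes, ignoring its name entirely."""
    for magic, kind in EXEC_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "data"


def inspect_member(name: str, data: bytes) -> dict:
    """Hash one member and list the reasons it looks like a lure, if any."""
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    kind = content_kind(data)
    reasons = []
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension {ext}")
    if kind != "data" and ext not in EXEC_EXTS:
        reasons.append(f"{kind} content behind non-executable extension {ext or '(none)'}")
    if ext in EXEC_EXTS and os.path.splitext(stem)[1].lower() in MEDIA_EXTS:
        reasons.append("double extension")          # e.g. wowscrnshot.jpg.scr
    if name.startswith("/") or ".." in name.split("/"):
        reasons.append("path traversal in member name")
    return {
        "name": name,
        "size": len(data),
        "kind": kind,
        "md5": hashlib.md5(data).hexdigest(),       # what the thread's sample pages are named by
        "sha256": hashlib.sha256(data).hexdigest(),
        "reasons": reasons,
    }


def inspect_zip(blob: bytes, max_member: int = 50 * 1024 * 1024) -> list:
    """Walk every file in the archive; never extract to disk, never execute."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > max_member:          # guard against decompression bombs
                findings.append({"name": info.filename, "size": info.file_size, "kind": "skipped",
                                 "md5": None, "sha256": None,
                                 "reasons": ["member too large to hash in memory"]})
                continue
            findings.append(inspect_member(info.filename, zf.read(info)))
    return findings


def suspicious(findings: list) -> list:
    """Only the members that carry at least one reason."""
    return [f for f in findings if f["reasons"]]


def build_sample_zip() -> bytes:
    """Constructed stand-in for a spammed 'movieview.zip'; MZ stubs are inert filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("movieview/readme.txt", "MovieView 0.4 - unzip and run setup")
        zf.writestr("movieview/setup.exe", b"MZ" + b"\x00" * 62 + b"stub")
        zf.writestr("movieview/screenshot.jpg", b"MZ" + b"\x00" * 30)   # executable dressed as an image
        zf.writestr("movieview/wowscrnshot.jpg.scr", b"MZ" + b"\x00" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        flag = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{flag:10} {f['name']:32} {f['kind']:6} md5={f['md5']}  {'; '.join(f['reasons'])}")
```

A genuine installer will of course also trip "executable extension", so that reason is a prompt to look the hash up rather than a verdict on its own; the mismatch and double-extension reasons are the ones that have no honest explanation in a download advertised as a viewer or a screenshot.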
Kivi07 (Cadet; joined Jul 16, 2007; posts: 6; location: Australia)
Posted: Mon Jul 16, 2007 1:04 pm    Post subject: Thank you for the information

Hi, I'll be honest, curiosity got the better of me here, and I clicked on the link via the WoW forums,

bc0.cn/sex.jpg (DO NOT GO HERE PLS) linked for your information

I have installed only AVG (latest def) and Spybot S&D 1.4 (latest def), Windows Vista Home Premium.

AVG popped up telling me I had:

A) Trojan Horse Downloader
B) Exploit

They could not be healed or moved to the vault, so I chose to delete the files.

I then unplugged my PC from my router and did a scan with Windows Defender, AVG and Spybot, which all showed up clean, removed all temp files within Internet Options, reconnected to the internet and changed my Warcraft password with an on-screen keyboard to avoid being keylogged.

Although the 3 programs say my PC is clean, am I still at risk here of having my Warcraft account hacked?

What other steps can I take to ensure I'm not at risk anymore, other than changing my Warcraft password?

Any help will be much appreciated. As I'm a new user on these forums I intend on sticking close by; a lot of good information here. Thanks

tacktick
Posted: Mon Jul 16, 2007 5:45 pm

You should be safe since AVG caught the exploit and trojan.

I would run a scan with a good online scanner or two to make
sure you are clean:

F-secure
http://support.f-secure.com/enu/home/olsbeta.shtml

Kaspersky
http://www.kaspersky.com/virusscanner

Spybot is a good product, but it does not detect as many things as some products. You may want to try one of these; all of them have free trials.

AVG Antispyware:
http://www.ewido.net/en/

Counterspy:
http://www.sunbelt-software.com/Home-Home-Office/CounterSpy/

Superantispyware:
http://www.superantispyware.com/


Kivi07
Posted: Mon Jul 16, 2007 8:41 pm

They are still at it omg

http://forums.worldofwarcraft.com/thread.html;jsessionid=082EF20C93DDCE5AB3E74C3C10BC752C?topicId=330915364&sid=1

Kivi07
Posted: Tue Jul 17, 2007 3:07 am

Thank you very much Tacktick, using both those free antivirus websites my PC shows up clean. I have used AVG for many years now and once again it proved itself useful :) My World of Warcraft account hasn't been touched.

tacktick
Posted: Tue Jul 17, 2007 5:11 am

Glad to know everything is fine. :)

Kivi07
Posted: Tue Jul 17, 2007 10:30 am

Some information that may help you if you're not onto it yet: these keylogger scammers are smart, and there are quite a number of well-geared players who seem to be falling into their trap.

I mean, how sneaky is this one: using an already hacked account they post on all WoW realm forums

Guide to movie making and basic effects using

And they go into quite some detail about making WoW movies,

linking (DO NOT GO TO ANY OF THE SITES LISTED BELOW; they may contain malware):

hxxp: // okgame8.com/downloads/movies/movieview.zip
hxxp: // koti.mbnet.fi/daemo/Vegas/ss.JPG
hxxp: // wowvault.ign.com/View.php?vie...s.Detail&id=40

Best of luck; if they are infected, that may help you track them down. Well, I hope so anyway.

tetak (MIRT Team Lead, Premium Member; joined Jan 19, 2007; posts: 5864)
Posted: Tue Jul 17, 2007 11:18 pm

Code:

http://okgame8.com/downloads/movies/movieview.zip - Very new malware. I'll add it to the malware listserv
http://koti.mbnet.fi/daemo/Vegas/ss.JPG - Clean
http://wowvault.ign.com/View.php?vie...s.Detail&id=40 - URL isn't valid


_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.

Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx
Kivi07
Posted: Thu Jul 19, 2007 12:28 pm

Recently posted on the WoW forums, more from .CN

Is this old or new malware?

:: DO NOT GO TO THIS LINK, CONTAINS MALWARE ::

hxxp: // bc0.cn/watch?v=vRbDhLcGFR8

NB: Only trying to help you guys in the hunt for whoever is behind this.

I heard from a trusted friend in game that Russian sites sell these keylogging programs; however, he would not go further into details about these sites when I confronted him. Was going to let you guys know (if I found out about such a site).

Kivi07
Posted: Thu Jul 19, 2007 12:48 pm

Any risk here?

hxxp://www.thedailyradar.com/rss20.aspx (I had a peek) *concerned*

Interesting:

hxxp://www.gtaforums.com/index.php?showtopic=249864&st=40

Old news here, but this neat little game links to a Russian site which infects you with a keylogger. I have not taken part in anything here.

tacktick
Posted: Fri Jul 20, 2007 11:02 pm

First one is an RSS news listing.

Second one links to a Russian game mod site, but I didn't see anything malicious.

Centuron (Guest, IP: 62.31.*.*)
Posted: Fri Jul 27, 2007 12:10 am

I support this 100%!

It's not fair at all on unsuspecting users to have their account stolen by these idiots, and no doubt the whole WoW community will support your efforts to track 'em down and make life difficult. Keep up the effort!

Tadrith (Guest, IP: 130.85.*.*)
Posted: Sat Aug 04, 2007 3:45 pm

More links popped up in the Rogue forums today posing as screenshots from an epic Alliance Halaa raid.

Whether this will contain a new version or not, I don't know.

DO NOT CLICK THESE; they likely contain malware.

Code:

http://world0fwarcraft.net/my.php?image=wowscrnshot015505zh5.jpg

http://world0fwarcraft.net/my.php?image=wowscrnshot014736pm9.jpg

http://world0fwarcraft.net/my.php?image=wowscrnshot014751fb6.jpg

http://world0fwarcraft.net/my.php?image=wowscrnshot062407014649iz8.jpg

Links disabled by moderator
