01-11-08, 03:32 PM   #1
Cairenn (Credendo Vides; Premium Member, WoWInterface Admin; Join Date: Mar 2004; Posts: 7,134)
Another trojan on incgamers' UICentral

It seems that unfortunately, incgamers' UICentral has been compromised again. Shirik downloaded a fresh copy of it from their site today and decompiled it. In the process, he was able to determine that:

(4:07:58 PM) Shirik: So here's the deal. UI Central is packaged with a program "patcher.exe" which has code in it to go download an "update.exe" from a non-incgamers site
(4:08:05 PM) Shirik: update.exe is then immediately run
(4:08:51 PM) Shirik: update.exe proceeds to install itself as wzcsvbc.dll
(4:10:01 PM) Shirik: It installs that from a remote site if possible, and if that fails it will instead use its own copy
(4:10:26 PM) Shirik: It then registers itself with lsass.exe so that it can be resident at every startup while remaining hidden
(4:10:43 PM) Shirik: After all that's complete, update.exe attempts to delete itself and shut down

Now luckily for everyone (in one sense), it is the same one that showed up previously. Therefore, we already know how to get rid of it. From the previous thread about it, here is what you need to do if you believe you may be infected:


What you need to do

If you downloaded UICentral and think you may have been infected, here is what you need to do:

Updated! 12/3/07 12AM CST - ScytheBlade1 has written a batch file to remove all 3 versions of the keylogger. Dolby has verified that this does work.

Download: RemoveKeylogger.zip
(Contains one .bat file and one .reg file)

Download and extract the files to your hard drive (for example, C:\). I wouldn't recommend extracting it to your desktop for simplicity reasons.

Once you've got it downloaded and extracted, reboot into safe mode and then run RemoveKeylogger (the file that looks like a gear). Reboot once more into "normal" mode and the keylogger should be removed. Please follow the steps in the original post to ensure that it is actually gone before you trust your computer.

Once you're clean, go ahead and delete the files (RemoveKeylogger and WZCSVBC).

OR, if you feel more secure doing it manually ....

1) Boot into safe mode

2) Delete the bad files (wzcsvbc.dll, mouse.dll, printfpool.exe)

Start --> run --> cmd.exe

Copy and paste the following lines into the box, one by one:

    attrib -H -S %systemroot%\system32\wzcsvbc.dll
    attrib -H -S %systemroot%\system32\mouse.dll
    attrib -H -S %systemroot%\system32\printfpool.exe
    del %systemroot%\system32\wzcsvbc.dll
    del %systemroot%\system32\mouse.dll
    del %systemroot%\system32\printfpool.exe
    sc delete printfpool
    exit

3) Fix the registry

Start --> run --> regedit

Navigate to My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC\Parameters

Double-click on "ServiceDLL" and change that value to "%SystemRoot%\System32\wzcsvc.dll" (remove the "b")

4) Reboot

5) Start WoW, and then close it. Do NOT log in.

6) Verify that the bad files don't exist (search your computer for "wzcsvbc.dll" - be sure to search in hidden and system folders)

7) Run a complete anti-virus scan. AntiVir (http://freeav.com) has been known to successfully detect these files.

8) Login to the WoW account management (http://www.worldofwarcraft.com/account/) and change your password.
  • NOTE: VERY FEW ANTIVIRUS PROGRAMS CURRENTLY PICK THIS TROJAN UP. BE SAFE, SCAN YOUR SYSTEM, BUT VERIFY BY HAND THAT THE BAD FILES NO LONGER EXIST.
Rushster has been contacted at incgamers and I've no doubt he is taking the appropriate steps.

Last edited by Cairenn : 01-14-08 at 02:14 PM.
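One way to double-check steps 2, 3 and 6 of the manual procedure above after a reboot, as an added example that is not part of the original post or of the RemoveKeylogger.zip script: the checks are pure functions fed with a System32 listing, the WZCSVC ServiceDll value and the list of service names (so they can be run offline against sample input), while audit_live_windows() is an assumed helper that gathers those inputs on the real Windows machine through winreg and os.listdir. File, value and service names come from the post; registry value names are case-insensitive, so "ServiceDll" matches the "ServiceDLL" written above.

```python
import os
import sys
from pathlib import PureWindowsPath

# Artifacts named in the removal steps above.
ROGUE_FILES = ("wzcsvbc.dll", "mouse.dll", "printfpool.exe")
ROGUE_SERVICE = "printfpool"
LEGIT_SERVICEDLL = "wzcsvc.dll"  # the genuine Wireless Zero Configuration DLL

def rogue_files_present(system32_listing):
    """Rogue file names found in a System32 listing (case-insensitive, like NTFS)."""
    return sorted({n.lower() for n in system32_listing} & set(ROGUE_FILES))

def servicedll_is_clean(servicedll_value):
    """True if WZCSVC's ServiceDll names the genuine wzcsvc.dll.  The value is
    REG_EXPAND_SZ, so only the file name is compared and an unexpanded
    %SystemRoot% prefix is accepted as-is."""
    return PureWindowsPath(servicedll_value).name.lower() == LEGIT_SERVICEDLL

def audit(system32_listing, servicedll_value, service_names):
    """Run the three checks; returns findings, empty when the host looks clean."""
    findings = [f"rogue file still present: {n}"
                for n in rogue_files_present(system32_listing)]
    if not servicedll_is_clean(servicedll_value):
        findings.append(f"WZCSVC ServiceDll is hijacked: {servicedll_value}")
    if ROGUE_SERVICE in {s.lower() for s in service_names}:
        findings.append(f"service '{ROGUE_SERVICE}' is still registered")
    return findings

def audit_live_windows():
    """Assumed helper: read the real inputs on a Windows host and audit them."""
    import winreg  # Windows-only; imported here so the pure checks load anywhere
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, r"SYSTEM\CurrentControlSet\Services\WZCSVC\Parameters") as k:
        servicedll, _ = winreg.QueryValueEx(k, "ServiceDll")
    with winreg.OpenKey(hklm, r"SYSTEM\CurrentControlSet\Services") as k:
        names = [winreg.EnumKey(k, i) for i in range(winreg.QueryInfoKey(k)[0])]
    # os.listdir on Windows includes hidden and system files, which is what we need.
    system32 = os.path.join(os.environ["SystemRoot"], "System32")
    return audit(os.listdir(system32), servicedll, names)

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows machine you are checking")
    problems = audit_live_windows()
    print("\n".join(problems) if problems else "no trace of the UICentral keylogger found")
```

An empty findings list is only a necessary condition; still run the full anti-virus scan from step 7.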
01-11-08, 04:09 PM   #2
Cairenn (Credendo Vides; Premium Member, WoWInterface Admin; Join Date: Mar 2004; Posts: 7,134)
BTW, our awareness of the problem came from this thread on our site, which led to this thread on incgamers' site, which led to us downloading a fresh copy of UICentral today and decompiling it.
01-11-08, 04:44 PM   #3
Typh00n (A Deviate Faerie Dragon; AddOn Author; Join Date: Sep 2007; Posts: 11)
Not again... was hit by this the first time. I am not planning on getting this a second time.
(My account was compromised and chars deleted... so my sympathies for those who have it!)

And good luck fixing it!
01-11-08, 04:57 PM   #4
Cairenn (Credendo Vides; Premium Member, WoWInterface Admin; Join Date: Mar 2004; Posts: 7,134)
It's not us, it's incgamers. We're fine. incgamers is in the process of dealing with it on their site.
__________________
“Do what you feel in your heart to be right — for you’ll be criticized anyway.” ~ Eleanor Roosevelt
~~~~~~~~~~~~~~~~~~~
Co-Founder & Admin: MMOUI
FaceBook Profile, Page, Group
Avatar Image by RaffaeleMarinetti
01-11-08, 04:58 PM   #5
Shirik (Blasphemer!; Premium Member, WoWInterface Super Mod, AddOn Author; Join Date: Mar 2007; Posts: 818)
Originally Posted by Typh00n:
    Not again... was hit by this the first time. I am not planning on getting this a second time.
    (My account was compromised and chars deleted... so my sympathies for those who have it!)

    And good luck fixing it!
Again, this is a program hosted at incgamers.com, not wowinterface.com. The only people that should be impacted are those using UI Central from incgamers.com. To the best of our knowledge, there are no vulnerabilities on this site (and trust me, there's been a lot of testing).
__________________
I saw with my own eyes that one era was surely coming to an end,
but I didn't want to know that the next turn was my own.
It's my turn next.

Shakespeare liked regexes too!
/(bb|[^b]{2})/
01-11-08, 09:30 PM   #6
jonathon (A Chromatic Dragonspawn; AddOn Author; Join Date: Aug 2006; Posts: 179)
Originally Posted by Shirik:
    To the best of our knowledge, there are no vulnerabilities on this site (and trust me, there's been a lot of testing).
Glad to hear...
__________________
Hackers always learn... that's why there are security patches.
01-12-08, 05:18 AM   #7
FISKER_Q (ON A BOAT; Join Date: Mar 2005; Posts: 23)
Originally Posted by Cairenn:
    It's not us, it's incgamers. We're fine. incgamers is in the process of dealing with it on their site.
You sure they're not just in the process of telling everyone to sod and get a degree in computer engineering, or have we already been through that step?
01-12-08, 06:48 AM   #8
Typh00n (A Deviate Faerie Dragon; AddOn Author; Join Date: Sep 2007; Posts: 11)
Yes, I know it isn't here; I did download UICentral at the moment when the last trojan struck. =)
01-13-08, 09:39 AM   #9
tralkar (An Onyxian Warder; Join Date: Jan 2005; Posts: 352)
LOL, I told them before about this crap and they tried to ban me from their site... #$%^ them... I'll never download anything from that site again...
01-13-08, 11:41 AM   #10
ThornyJohn (A Deviate Faerie Dragon; Join Date: Mar 2005; Posts: 12)
Hi, just wanted to point out a potentially destructive typo. The original post says:

    Once you're clean, go ahead and delete the files (RemoveKeylogger and WZCSVC)

The line should read ...RemoveKeylogger and WZCSVBC.

The file WZCSVBC.DLL is the keylogger, but WZCSVC.DLL is the "Wireless Zero Configuration Service," a part of the Microsoft Windows operating system, and should not be removed.

Just an FYI.
01-13-08, 01:44 PM   #11
Cairenn (Credendo Vides; Premium Member, WoWInterface Admin; Join Date: Mar 2004; Posts: 7,134)
Thanks for the catch ThornyJohn.
01-13-08, 05:19 PM   #12
tralkar (An Onyxian Warder; Join Date: Jan 2005; Posts: 352)
Funny, but no mention of this Trojan on their site..? That's just #$%&ed up...
01-13-08, 08:03 PM   #13
timinator1 (A Defias Bandit; Join Date: Jan 2008; Posts: 2)
Hi, I downloaded Proximo from that site but not that UICentral updater thing. Does that mean I am OK, or should I run that RemoveKeylogger.zip?
01-13-08, 08:15 PM   #14
Shirik (Blasphemer!; Premium Member, WoWInterface Super Mod, AddOn Author; Join Date: Mar 2007; Posts: 818)
Originally Posted by timinator1:
    Hi, I downloaded Proximo from that site but not that UICentral updater thing. Does that mean I am OK, or should I run that RemoveKeylogger.zip?
Proximo is just an addon. Assuming it is what I just downloaded, that is, just image files, Lua files, and xml files, there is nothing to be afraid of. I have not found any executable files in the package.

As far as I'm aware the vulnerability was limited to UI Central.
01-14-08, 04:06 AM   #15
Beladona (A Molten Giant; AddOn Author; Join Date: Mar 2005; Posts: 539)
http://wow.incgamers.com/forums/showthread.php?t=408823
They have confirmed that the trojan was real, but in my own PM to Rushster, he basically commented that he had no intention of posting a news article about it or anything else for that matter. In his words:

Originally Posted by Rushster:
    We do share your sentiments but were disappointed to see WoWI take such a fervent interest by diving into the forums here and splashing it all over the WoWI news page. This was a matter that was of concern to our community and users of the UIC tool, which we dealt with right away. The scale of the issue is tiny affecting only a few people who grabbed the file in the few hours. We were alerted to this issue before anyone at WoWI jumped in by one of the UIC users and investigations started right away.
I had actually made a post on that thread that I unfortunately don't have a copy of. I had basically called Asteria out for claiming indirectly that wowi was just posting this to make wowui look bad. I was professional about it, and basically pointed out that it is stupid to think that wowi would post a news article just to tarnish their reputation, when we did the same exact thing regarding the Trojan we were hit with. My post was deleted, and Asteria's was allowed to stay, citing that mine was off-topic and had no purpose in that thread. Somehow they felt that his were in fact on-topic....

I usually stay out of politics, and after this I will probably go back to my previous method of simply not using another website at all if I don't agree with the way they do business, but I just have to get this off my chest:

I am so sick and tired of the attitude people have against "other sites". I know full well that comments have been made on all sides, and that they may or may not have been true. In my experience you can ALWAYS find poo to sling if you are looking to sling it. But this is supposed to be a COMMUNITY, and at least for me that signifies users on ALL websites. When someone who downloads their mods from curse comes to me for advice or help on an addon, I don't throw them to the wolves and refuse to help them. The same goes when someone from wowui comes to me. This retarded "my site is better than yours" mantra that some sites seem to hold to needs to stay in the background and NOT become evident in public forums, irc, or any other form of communication that regular users can see. It only fosters ill-will and ultimately makes YOU look bad. I know there will always be competition among site-staffers simply because our sites make money based on the number of visitors and traffic we get. That competition will always be there, but it should not EVER taint our user-base.

If you don't like the way a certain site does business the solution is simple. Don't use them at all! I know this can be hard for regular users sometimes because there may be situations where an addon is available on one site but not the other. But if you have a choice, and you would like to support one site over another, the solution is as simple as using your preferred site for everything you possibly can, and then only use those other sites when you absolutely must. This is how I support one site over another. I don't EVER want to see a wowi poster make comments like the one that Asteria did...

Last edited by Beladona : 01-14-08 at 04:30 AM.
01-14-08, 10:58 AM   #16
Seerah (Fishing Trainer; WoWInterface Super Mod, Featured; Join Date: Oct 2006; Posts: 10,860)
Rushster said:
    The scale of the issue is tiny affecting only a few people who grabbed the file in the few hours. We were alerted to this issue before anyone at WoWI jumped in by one of the UIC users and investigations started right away.
I am assuming he is referring to the poster from this thread. That poster was alerted to the possibility of a Trojan by me, and sent over to their site to inform them by me. He claims that he was informed before we put a hand in it, but that's not true. If it weren't for me caring, he wouldn't have known at all. And I sent the user over there to post so that it would come from the user, not from one of us.

And that user said they had downloaded it two days before (so, on Jan 8th). They posted on their site on the 10th. Rushster finally agreed that there might be a problem on the 11th. That's not a few people in a couple hours. That's probably a couple hundred over 3 days.

I am deeply sorry for anyone who may be affected by this. As I mentioned on the blizz forums, I would be distraught if Seerah and my other characters were hacked and deleted. I wouldn't wish it on anyone.
__________________
"You'd be surprised how many people violate this simple principle every day of their lives and try to fit square pegs into round holes, ignoring the clear reality that Things Are As They Are." -Benjamin Hoff, The Tao of Pooh

01-23-08, 08:04 PM   #17
Lisa (A Kobold Labourer; Join Date: Jan 2008; Posts: 1)
Thank You

Thank you for the wonderful information. It was a great help to me.
01-23-08, 08:24 PM   #18
Cairenn (Credendo Vides; Premium Member, WoWInterface Admin; Join Date: Mar 2004; Posts: 7,134)
I'm sorry to hear you needed the info in the first place. =/
01-27-08, 04:40 AM   #19
mgunnett (A Defias Bandit; Join Date: Apr 2007; Posts: 3)
Bleh. I watch communities rot from the core all the time. Sad to see, but it happens. And all it takes is some outside influence like gold farmers to do it....

Yea... so totally fatalistic and pessimistic. Shoot me =P.

Comments... let's see... Nope. Nothing useful. Yea, this is prolly classified as spam. But as Cairenn said, sorry to hear people need this info in the first place. Bloody gold farmers.