Thursday, July 9, 2020 - 19:45

Infected again?

    Modified by on Saturday, July 14, 2007 - 22:28

    [edit: made the domain names non-clickable]


    Well, the www-DOT-istaria and community-DOT-istaria sites are trojaned ... again.


    Did you get infected?


    Here are some signs:

    - c:\windows\system32\wins\svhost.exe exists (not svchost.exe)

    - winlogiw.exe exists on your hard drive (this is not winlogin.exe)

    - winogiw.exe exists on your hard drive (this is not winlogin.exe)

    - there are randomly named .exe files in your temp directory (usually C:\Documents and Settings\<your username>\Local Settings\Temp)



    Cleaning up:

    Try using a malware scanner. There are some good free ones, such as

    Avast (resident + on demand)

    AVG Free Edition (resident + on demand)

    Trend Micro Housecall (online, on demand only)


    Make sure to check and make sure those files were removed. Not all scanners detect all malware. Also note that while the presence of the above files indicates an infection, simply removing them does not ensure that you are no longer infected. Use a scanner or reinstall... AND ALWAYS PATCH.



    Now what?

    One of those programs is known to be designed for stealing WoW passwords. If you have a WoW account, change its password once you clean your computer.


    If you have any saved passwords, or typed in any passwords for things like email accounts, online games, financial websites, auction websites, instant messaging and forums, change them. While I can't say for sure that those sorts of things are picked up by the trojan as well, it's better to assume that they are than to assume they aren't and get screwed later.


    Changing passwords:

    Make your new passwords DIFFERENT from the (potentially) compromised ones. If your password was 'chiconis1', using 'chiconis2' is pretty dumb. The 'bad guys' know to try those things.


    Make your new passwords HARDER TO GUESS. No dictionary words. You've probably heard this already. Number-letter substitution ('l33t sp33k') to make a dictionary word look like a non-dictionary word is just as bad. They know to try 'dragon' as well as 'dr4g0n' and 'dr4gon'.


    So what do you do then? Make your password at least 8 characters and choose two or more of the following:

    - Use upper and lower case.

    - Use some numbers.

    - Use some symbols.

    Mix alpha-sequences with the above. Don't make a password solely of symbols and especially not solely of numbers!


    Bad password examples: 1485739 !@#$%^%$#! rhzeight

    Better examples: r8Z{igHt z-RelK4) fah^}6U_

    (Don't use any of the examples for your own passwords.)


    Finally, make sure your accounts don't share a password. All it takes is one site to disclose your password, then all the associated accounts can be accessed as well.


    Possible scenario:

    A poorly written forum site will tell you your password if you answer a secret question. A malicious person guesses your secret answer and the site tells them your password.


    The person then logs into the site and looks at your profile, and gets your email address.


    The person then attempts to access your email account using the same password. You were negligent and used the same password, so they can now read your email.


    Your mailbox contains mail from friends (which they can social engineer and get more info from) as well as some auction results and bank statements.


    The person then visits the sites generating those emails and uses the same password to log in. Fortunately, you used a different password. This, however, does not stop them.


    With the mailbox compromised, the attacker uses the 'forgot password' feature on each site to send a recovery password back to the mailbox.



    Don't re-use passwords.



    Further, don't go thinking

    Further, don't go thinking that password fishing is something that "will not happen to me". Very recently, I received a funny email from certain MMO saying I had requested a password change and the mail had been sent to me because I had correctly answered to my secret question... needless to say I had done no such thing and proceeded to ASAP change my secret Q and A. They were "shooting blind" anyway as there's no way to link an account to a particular email, but it pays to be secure on multiple fronts; if one gets breached it won't collapse the whole house of cards.


    Thank you for all of this

    Thank you for all of this info... I am afraid to go home and check my computer ;)



    I'm not sure if my computer was infected by this "trojan". I keep getting the SSL message when trying to log in to the game and my virus software says it successfully removes a "trojan". Being a non-geek (don't know much about computers) I have no idea what is going on and do not feel comfortable making any changes to anything.


    So I will just sit back and watch movies keeping my fingers crossed the game gets fixed eventually.


    Have a great day...(would be better if I could get my fix in game Cry)



    Do not confuse the expired SSL certificate with malware. I'm not sure what trojan your virus scanner picks up; however, it has nothing to do with the expired SSL cert warning you get when you try to visit the login site.


    A common and simple workaround to the login site is to use the stand-alone launcher. Look in your Horizons directory for horizonslauncher.exe and run it. Depending on how Windows is set up, you might not see the ".exe" part. No matter, it's the same program.


    Good luck!




    Okay, now I'm confused...


    The reason I thought the two were connected is because I always got the message about the trojan right after trying to access the login page for the game.


    I did some looking around and found the name of what my virus scan was removing: Exploit-ANIfile.c (Trojan) is what I found in the logs. Not sure if it means anything but I had done a manual scan and deleted all cookies and temporary internet files as was recommended by the virus software.


    I also thought I was using the standalone launcher for the game, but perhaps I'm not. I have a shortcut on my desktop that leads to the signon page...


    Thanks for the information.



    [edit: made links unclickable]


    What url are those messages associated with? (horizons.istaria or www. istaria or community.istaria) Those are three different sites. Only the last two are known to be compromised.



    The shortcut on my desktop leads to the first one you have listed...



    Now, that's interesting. Do you get an SSL certificate expired warning -before- the trojan warning?



    Yes, I was. The message did not display last night (Monday) and as of 5:00 a.m. on Tuesday, July 17, I cannot access anything to do with the game, so no more messages about trojans...