Tobold's Blog
Sunday, September 24, 2006
World of Warcraft keylogger problem

There has been a recent spate of trojan keylogger activity directed against players of World of Warcraft. Trojans have been hidden in World of Warcraft related files and websites, for example in the file of a raid addon named KHT Threatmeter on the Curse Gaming addon website. With the help of the trojan keylogger the hackers gained access to WoW account names and passwords. Then they stripped the characters of all valuables, disenchanted the epics into Nexus crystals, sent everything to another account from where the goods were sold and ultimately converted into real dollars, and left the original owner of the account standing naked. It got so bad that even Blizzard started warning people of keylogger scams, but their warnings were rather general and obscure. So here are some more useful tips to avoid getting robbed like that:

If you want to know whether you are infected, open your Windows Task Manager and check for a running process named svch0st.exe (note the zero where an o should be). Of course there could be other keyloggers using other process names, but the svch0st.exe one is currently the most abundant. If you find such a trojan, it is best to use some anti-virus software to remove it. Otherwise you'll need to use regedit to remove the references to svch0st.exe by hand, which is more difficult.
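As an added illustration (not part of the original post), the Python sketch below flags process image paths whose names imitate a Windows system process, as svch0st.exe does, or that use a real system name from an unexpected directory. The table of known names, the default C:\Windows install path and the sample list are assumptions made for the example; a clean result does not rule out a keylogger running under some other name.

```python
import ntpath

# Assumed table: well-known process names and their usual directory
# on a default C:\Windows install.
KNOWN = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Digit-for-letter swaps used to imitate a name (0 for o, as in svch0st.exe).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance using a single-row table."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1,
                                       prev + (ca != cb))
    return row[-1]


def classify(image_path):
    """Return (verdict, matched_system_name) for one process image path."""
    directory, name = ntpath.split(image_path.lower())
    if name in KNOWN:
        if not directory:
            return ("name-only", name)   # a bare name proves nothing
        ok = directory.rstrip("\\") == KNOWN[name]
        return ("ok" if ok else "wrong-directory", name)
    folded = name.translate(SWAPS)
    for real in KNOWN:
        # Same name after undoing swaps, or one character added/dropped/changed.
        if folded == real or edit_distance(folded, real) <= 1:
            return ("lookalike", real)
    return ("unknown", None)


# Constructed sample process list (not taken from a real machine).
SAMPLE = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\svch0st.exe",
    r"C:\Windows\svh0st.exe",
    r"C:\Windows\svchost.exe",
    r"C:\Program Files\World of Warcraft\WoW.exe",
]


def flagged(paths):
    """Keep only the entries that deserve a closer look."""
    results = [(p,) + classify(p) for p in paths]
    return [r for r in results if r[1] in ("lookalike", "wrong-directory")]


if __name__ == "__main__":
    for row in flagged(SAMPLE):
        print(row)
```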

The easiest protection against any keylogger scam is to never type your account name. That is easy, because World of Warcraft has a useful "Remember Account Name" checkbox on the login page, and as long as you don't run several accounts on the same computer, you only need to type in your account name once, and then never again. A keylogger can't gather information you don't type. Thus a similar trick is to create a text file on your desktop with your password in it, and to use copy and paste to enter the password, again invisible to keyloggers.

Blizzard claims that starting the game using the launcher (which is the default way) is safer than starting the WoW.exe file directly. That is possible, but I couldn't verify what exactly the launcher was doing to make you safer.

Of course having an up to date anti-virus program helps. Unfortunately these have the annoying habit of starting an automatic update or virus check while you are in the middle of a raid in World of Warcraft, slowing you down to a crawl, so many WoW players have them switched off, me included. But that might be a bit foolhardy.

Hey, let's be careful out there.
Hello, I didn't comment on your blog earlier, but I have read it for a while, very well written and interesting for WoW players.
I can say a little more about that keylogger - I had it two times in my system, the text which I put below is my message from my realm keylogger topic.

"... I share my discoveries with you mates, maybe it'll help someone.
Technical information:
keylogger is a kind of specialized version of "binghe" keylogger - difference from his older brother is important for us - it is prepared to steal WoW password only. It's a little different from original version of trojan - unfortunately it's unrecognized by antivirus programs which I checked (Kaspersky, avast, mksvir), Kaspersky found dropper only (part which is responsible for installing running instance in system XP), not working instance.

Each time when my computer was infected it installed with different name - first time it was as "svh0st.exe" (number 0, no letter o - svhost.exe with letter is normal system service!), second time as NTDETECT.EXE. About method of injection in system I will write a little later, important information is that dropper (first instance of trojan in system) is always in the same place, with the same name - at
"C:\Documents and Settings\YOUR ACCOUNT NAME\Local settings\Temp\". Length of trojan - 24576
Running instance of trojan was in different locations - C:\Windows\system32\ and second time C:\Windows\

The most important information for everyone - how it injects in system, how to protect XP and how you could quickly check your system in a situation when anti-virus applications don't recognize it too well.

the method of injection - keylogger is using a rather old but still very dangerous exploit of IE - jpeg and GDI.dll weakness. By preparing special "jpg" file (it isn't real jpg file - it's special executable file with extension JPG) and putting it on www site (for now I am almost sure that this file is put on one of biggest addon sites database - the horrible thing is that owner of site probably didn't even know about that fact), for user with patched XP system it's just one "broken" screenshot, for unpatched system looking for that site means infection.

Method of checking system - first thing - check
"C:\Documents and Settings\YOUR ACCOUNT NAME\Local settings\Temp\" directory - if there is any com executable file, especially with 24576 length - it should be a very serious warning for you.

For version of keyloggers which I had chance to check, inside file were a few characteristic strings - you can use them to search through all files in two directories "C:\Documents and Settings\" and "C:\Windows\"
- look for files with binghe_WOW string inside - If you find it - be aware.

Second method, a little weird, but still helpful and working rather well - try running WoW in window mode (maximized or smaller one - doesn't matter). Keylogger catches some keys, combination Alt-TAB which is normally used to switch tasks and in normal system works with WoW without problem, in infected system doesn't work anymore.

Protection - good firewall with file mode protection (which gives information about process which tries to connect with someone), patched IE (all security patches for XP is the most important thing) and, last but not least - don't use IE anymore.

Please remember that my information is correct for instance of trojan which I caught, next version of that application could work a different way, have different size, but if you protect your system against JPG exploit - your computers should be much more safe.

Good luck and to next meeting at Azeroth world (-;"
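The checks described in the comment above, written out as an added Python example that is not part of the original comment: it walks a directory tree and reports executables of the reported 24576-byte length, files containing the binghe_WOW string, and image-named files that begin with a Windows executable header. The last check and its MZ header test are assumptions added here, based on the comment's description of an executable given a JPG extension; the function names are hypothetical.

```python
import os

MARKER = b"binghe_WOW"        # string the commenter found inside the files
DROPPER_SIZE = 24576          # dropper length in bytes, as reported
EXEC_EXT = {".exe", ".com"}
IMAGE_EXT = {".jpg", ".jpeg", ".gif"}


def contains_marker(path, marker=MARKER, chunk=1 << 20):
    """Stream the file; keep an overlap so a marker split across two
    reads is still found."""
    keep = len(marker) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return False
            window = tail + block
            if marker in window:
                return True
            tail = window[-keep:] if keep else b""


def check_file(path):
    """Return the list of indicators that one file matches."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext in EXEC_EXT and os.path.getsize(path) == DROPPER_SIZE:
        reasons.append("dropper-size")
    if ext in IMAGE_EXT:
        with open(path, "rb") as fh:
            # Assumption: an executable posing as an image starts with "MZ".
            if fh.read(2) == b"MZ":
                reasons.append("executable-as-image")
    if contains_marker(path):
        reasons.append("marker-string")
    return reasons


def scan(root):
    """Walk root and return sorted (path, reasons) for every match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                reasons = check_file(path)
            except OSError:
                continue                 # locked or unreadable: skip
            if reasons:
                hits.append((path, reasons))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for path, reasons in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, ", ".join(reasons))
```

These indicators describe only the variant the commenter examined, so a hit is a reason to investigate and an empty result says nothing about other variants.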
Never think it could not get to you.

This little devil got onto the Machine of one Player in our Raiding alliance and now it even caught one of our Guild officers. (he lost all he had on 6!!! Lvl 60 Chars including a near full Tier1 Priest.)

He also found out what hit him after a day of investigation, I will copy his post on our site for your info.

***copy from our Website**

I got a mail that my account is locked now:


We are sending you this email to inform you that we have, unfortunately, had to
suspend your World of Warcraft account:

Account name: *********
Type of violation: unauthorised Access
Consequences for account: account suspended until account ownership verified

We are suspending this account’s access to the World of Warcraft servers until
such time as the ownership of the account can be verified. To verify ownership, you
will need to contact and supply all of the following

CD Key: located in your World of Warcraft box.
Account name: the account name you are using.
Name: the full name that the account was created with.
Address: the address information given when the account was created.
Zip/Postal Code: the zip/postal code that was given when the account was created.
Your secret question and answer.

Please note that, without all of the information that has been requested, we cannot
remove the suspension on this account. If you wish to review our current Rules and
Polices, they can be found at:

Further enquiries regarding your account status, should be directed to:

Please do not reply to this email as you will receive an automated response.


English Game Master Team
Blizzard Entertainment Europe

I found the source that logged my key.
It was in a file named 001.jpg.gif, I had to install another antivirus program to find it. It was a trojan virus with the name: PSW.Generic2.ILK and I think it came from a popup that I got from
I read on this page they installed a new virus scanner there on Saturday 23/09, so it must have been there b4 that date!!
So if you have been there at any time, scan your PC(s).
Don't think it can't happen to you, because it happened to me!!
I am hoping they can get all my stuff back, if they don't I'll quit WoW 4 sure.

**End of Copy**

This guy is working for a computer helpdesk, so he knows a bit about computers.
Got a long time player in my guild, both of his accounts. One was restored, completely naked, the other they are refusing to restore for reasons he hasn't related.

Reading up on this keylogger, you have to be amazed at the complexity this creep has programmed. It dodges most AV programs, spyware detectors, and other such stuff. Dangerous person there.
Not much dodges Ewido.

It's also wise to either run as a non-admin or use something like Firefox with the NoScript! add-on to block Javascript and Java.
KLHThreatMeter is a WoW addon, which is written in LUA. How on earth could a LUA script contain a keylogger, as they are only initiated after you enter the WoW game? And about anonymous's comment, there isn't a single image file from KTM, so where did this 001.jpg.gif nonsense come from?
I run a computer business and play WoW. Since some people are familiar with what I do for a living, they have come to me for help in removing the keyloggers from their machines. I have helped several individuals to the extent of knowing them on a first name basis with telephone calls to rid their computers of these pests.

But one thing I would like to note here that hasn't been very forthcoming is the fact that ALL of the people I've aided in removing the malware, have admitted to buying gold.

Now I don't care if you do buy gold and I'm not going to "bust" any of you. But let's face it. This is the #1 way this malware is infecting your computer and it's NOT via jpg's or addons. The gold sites you are visiting and the email correspondence you are engaging in with them is set up to purposely infect your computer.

So buyer beware. These gold-resellers have no intention of actually selling you gold cheap. Their intention is to get your money and infect your computer, then take BACK that money and then some, after accessing your account.

Make no mistake about it. Of the 50 odd computers I've rid of about 10 different variations of svch0st.exe, schost.exe, psw-wow, etc., were NOT from addons or jpg files, but rather, from customers buying gold from sites where you MUST enter information into a script that installs the malware.

My Lord people! If you want 250gold a day, here's a tip: One day at Hearthglen or Tyr's Hand will give that to you. ONE DAY! I do it all the time. Or do the Fallen Hero quest chain and grab yourself an easy 60g. I just can't understand why you would do this to yourselves for a measly 200g these people are going to take back in the end anyhow.
First off, opening task manager and looking to see if svch0st.exe exists does not mean you are clean or infected. Whether this name is abundant or not, this just simply isn't a reliable method of detection. Programmers can name an executable anything they want, and they can even change the name and file path the infected file resides in on each start up.

Second, if you are actually infected with a Password Stealer then using "some anti-virus software" isn't going to do a damn thing for you. If the software you're using isn't up to date with the latest definitions, you're out of luck. Also, if the software company isn't even aware of the "virus" it won't be detected. Plain and simple.

In your BLOG you go on to state.. "The easiest protection against any keylogger scam is to never type your account name."

I got one API call for you buddy it's called GetWinText. Leave your name in the textbox and it can be extracted with 1 line of code.

Then you even go on to say..

"A keylogger can't gather information you don't type. Thus a similar trick is to create a text file on your desktop with your password in it, and using copy and paste to enter the password, again invisible to keyloggers."

"again invisible to keyloggers" ????????

LMAO!!!!!! Are you on drugs?... you couldn't be further from reality with this statement. A password stealer CAN and WILL pull data from your clipboard in Windows. Again, 1 line of code. Copy and paste is NOT an effective way to defeat a password stealer. Sorry buddy.

Learn to program, learn how these programs are written, and then comment on the subject. You've done yourself no justice posting on a topic that you have no higher level of education of.

When you have time read up on LowLevelKeyboardProc, SetWindowsHookEx, GetWinText, and Clipboard.GetText. Then go install a firewall ( (FREE)) with your virus scanner and quit using/downloading every stupid little thing you find to use as an addon, cheat, hack, or update to WOW.

That goes for the rest of you n00bs reading this too.

If you get your toons ganked, it's your own stupidity.
This keylogging crap happened to my brother, level 60 paladin. He lost a lot of his gold and armor, I won't go into too much detail but it was brutal. We still are puzzled how he picked up the virus, probably just a site he didn't mean to visit, fake download, who knows? Everyone thinks the same thing - Won't happen to me - well it sure happened to us, and a few others that we know.
And don't think that looking around for that one file makes you completely safe! Often these programs are hidden and can't be seen with one quick overlook. The program we found was called Alexa. Does the same thing as most Trojan Horses and stuff like that. This program is very common. I even found it on my computer, but deleted it before any harm was done to my characters.
If the keylogger has not changed your password, you can change it without them knowing. Disconnect your Internet connection (they can't see anything when you aren't connected). Type in your password and stuff, then connect it back and enter it.
Oh, and Norton anti-virus doesn't do a thing about Spyware. They are totally different things. So don't assume you're safe because you have Norton! You need to have Ad-Aware to be safe. I usually run a scan every 1-2 days. ( Don't confuse ad-aware with ad-ware, ad-ware is just crap that looks like a virus scan.)
Other than that, ummm, let's see. DON'T BUY GOLD! That's the biggest problem. And NO POWERLEVELING! Come on people!! Here you go, the password to my account! Play as much as you like! *rolls eyes* If you buy powerleveling and then cry to Blizzard when you get hacked it's not gonna look good when you say you're being hacked by a powerleveler. Also watch which Mods you download, I play with none just to be safe.
So get Ad-Aware, don't buy gold, and Good Luck!
Hey guys,
Same thing happened to me - account raided, by a keylogger. Took my gold and emptied my bank'n'bagz.
Curiously enough they auctioned some of the stuff, including my bags, and bought me some 10 slotters. They also thankfully left the gear I was wearing so I wasn't naked.
Anyway I can't kill the keylogger. I've tried multiple scanners, some pick it up but it's never dead - I found and deleted that 24K file, did that kill it? Pretty annoyed right now
My son was hit with this problem two days ago and was able to report the problem within 30mins of it happening. However, after 12hours or so of investigating WoW responded by banning my son's account and replying back that it was our fault and that it is our responsibility and ours alone to keep this from happening and that the account was closed permanently.

He had more than 3 lvl 65 toons on that account.
First of all thanks for all the help you guys could spare on this forum, really helps a lot to get it cut out in paper for some of us "none" brainiacs.
Second of all, stop pissin about and start a war in here with your:
"GetWinText" and "API" stuff, how about workin together and solve some problems?
What do you guys think about the in game spamming?? Is it possible to obtain a keylogger from deleting these from your mail, or from receiving spam from other players? (you know the ones, they spam the channels, for 3 min then log off and delete the toon)

I was hacked twice within a week!! After the first time, I had my account refunded and reissued to me and got all my stuff back. Then 3 days later I got hit again. In between I used 3 dif virus scans, deleted UI mods, and everything came up clean. Then got hit again. Lost all that was given back to me by the GM's, including my flying mount. This hacker was really malicious.

I'm still waiting to find out if I get my stuff back this time. :( guess it's time to reformat the hard drive again to make sure I nail the darn keylogger.
Remember Accountname doesn't make you safe. Some keyloggers have the option to Screenshot every single mouseclick!
Ok, I have this problem with WoW. Every time I log on to the game it logs me off and then a pop up comes up saying we found a critical error in this file. Then after u say ok it says "type what u were doin when this happened". I'm tired of doing that. Does anyone have any clue how I can start playing again?
Virusscanner slowing down WoW? Meh not any more. Dual-Core does have its advantages.
First off. Let me introduce myself. I've been a software programmer since I was 10 years old. I've been programming for nearly 30 years now. I have a Bachelor of Science in Computer Science. I've worked on legitimate programs designed to gather information from all sorts of programs. I know the APIs that were mentioned above. I know how to hook into threads running in other programs and gather information from other windows. I'm not the only one who knows how this code can be written.

You want some advice? If you even suspect you have been infected with malware, reformat. Backup your data and reformat your system. After you have reformatted your system, install all the security updates. Once you've done that. Change all your online passwords to all your online accounts. If you want to be really secure, notify the admins and get a new account name for every account you have. Most online games will not allow you to do such, but maybe some of the financial institutions will.

*I have never written a virus, but I've read about how they work. If someone has code running on your system that they can communicate with over the internet (this can be any outbound or inbound connection from or to your PC) they can do a lot more than just steal your usernames and passwords. They can install more software, delete personal files, send illicit emails using your computer; They can even host porn sites on your computer and steal your bandwidth to stream dirty videos.

Don't take this stuff lightly; identity theft is on the rise. Learn how to be street smart on the internet. Identity theft isn't just stealing financial information. Any time someone logs on to any account that is yours, you have had your identity stolen.
This is all very good advice on how to NOT get infected in the first place. However, other than reformatting the drive(s), I see nothing in this entire thread regarding how to get rid of a keylogger trojan once you know you're infected. How about some step by step instructions on doing this?
Try installing and keeping up to date anti-malware programs as well as an active virus scan.

I suggest MBAM (malware bytes anti malware)

Spybot S&D (Immunize is good. Teatimer is for more experienced users)

Antivir (Antivirus, freeware its decent)

Hope it helps.