Blizzard Entertainment is warning World of Warcraft players that they should be on the lookout for what it calls a "dangerous Trojan" that is capable of stealing their account information – even if they are using Blizzard's WoW account authenticator for extra protection.
The company put out a message about this new security threat last night in a forum thread. Blizzard said in its post last night that once a user is infected with the malware, it acts in real time to steal World of Warcraft account information and the authenticator password at the time a subscriber uses them.
Blizzard recommends that users with compromised accounts seek out the Trojan by following these steps:
"It can be identified by creating an MSInfo file and then looking in the Startup Program section of that file for either 'Disker' or 'Disker64.' It will usually appear like this:
Disker rundll32.exe c:\users\name\appdata\local\temp\w_win.dll,dw Name-PC\Name Startup
Disker64 rundll32.exe c:\users\name\appdata\local\temp\w_64.dll,dw Name-PC\Name Startup"
Blizzard is currently investigating the malware but has been unable to find any virus programs that can remove it. They say that the only way to get rid of it at the moment is to reformat your system if you are infected by it. To help Blizzard find a solution, you can reply to the ongoing support thread with the following:
"Your MSInfo. A list of any add-ons you recently installed along with where you got them. A list of any programs you recently installed along with where you got them. Any security programs you have run and their results."