Blizzard says that PCs with the “Disker” virus may need to reformat to remove it.
Hoping to tip people off to a potential security threat, Blizzard created a posting on the World of Warcraft forums yesterday warning about a newly discovered Trojan program that has apparently been appearing on users’ PCs. “We’ve been receiving reports regarding a dangerous Trojan that is being used to compromise player’s accounts even if they are using an authenticator for protection,” said a Blizzard support forum agent. “The Trojan acts in real time to do this by stealing both your account information and the authenticator password at the time you enter them.”
If users suspect that their account has been compromised, Blizzard suggests they try and track down the Trojan. “It can be identified by creating an MSInfo file and then looking in the Startup Program section of that file for either ‘Disker’ or ‘Disker64,'” said the company. According to Blizzard, it usually bears the following appearance:
Disker rundll32.exe c:usersnameappdatalocaltempw_win.dll,dw Name-PCName Startup
Disker64 rundll32.exe c:usersnameappdatalocaltempw_64.dll,dw Name-PCName Startup
Little else is apparently known about the Disker virus. According to Blizzard, it hasn’t “been able to locate any anti-virus programs that will remove it” and that the only effective method so far seems to be “just reformatting your system.” In turn, it’s asking its customers to report back about their recent activity if they discover they have the virus.
Source: World of Warcraft