In a notice on its webpage, Blizzard said that it was getting numerous reports of the bug. Apparently, the trojan acts in real time by stealing both account information and the authenticator password at the time a user enters them – operating essentially as a keylogger. From there, a hacker can hijack the account.
According to the company’s IT team, the trojan is built into a fake (but working) version of the Curse Client that is downloaded from a spoofed version of the Curse website. The propagation uses classic watering hole/man-in-the-middle (MitM) techniques: the malicious site was popping up in searches for "curse client" on major search engines.
The company was quick to note that the infection is an anomaly: “For those of you interested in these MitM style attacks, this is the only confirmed case we've seen in several years outside of the Configuring/HIMYM Trojan in early 2012 that hit a handful of accounts,” it said. “These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time. Stay safe!”
Blizzard was originally unable to locate any anti-virus programs that would remove Disker, requiring users to reformat their systems, but later said that Malwarebytes would do the trick. It also reached out to others with the forensic information, it said, so other programs should soon follow suit. In the meantime, once compromised, gamers should delete the fake Curse Client and then, if AV scanning doesn’t work, look for the trojan in order to remove it manually. It can be identified by creating an MSInfo file and then looking in the Startup Programs section of that file for either "Disker" or "Disker64."
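The manual check described above can be scripted against a text export of the MSInfo data (for instance one written with `msinfo32 /report <file>`). This is an added example, not code from Blizzard or the original article; it assumes the export uses bracketed section headers and tab-separated rows, and the sample report, host name and paths in it are constructed placeholders.

```python
import re
import sys

# Entry names the article says to look for (matched case-insensitively).
PATTERN = re.compile(r"\bdisker(64)?\b", re.IGNORECASE)

# Constructed sample report; host name and paths are placeholders.
SAMPLE_REPORT = "\n".join([
    "[System Summary]",
    "Item\tValue",
    "System Name\tEXAMPLE-PC",
    "[Startup Programs]",
    "Program\tCommand\tUser Name\tLocation",
    "ExampleUpdater\tC:\\PLACEHOLDER\\updater.exe\tEXAMPLE-PC\\user\tStartup",
    "Disker64\tC:\\PLACEHOLDER\\unknown.exe\tEXAMPLE-PC\\user\tStartup",
    "DiskerTool\tC:\\PLACEHOLDER\\tool.exe\tEXAMPLE-PC\\user\tStartup",
    "[Services]",
    "Display Name\tName\tState",
    "Disker\tDisker\tStopped",
])

def load_report(path):
    """Read an exported report; honour a UTF-16 BOM, else assume UTF-8."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def startup_rows(report_text):
    """Yield one dict per row of the [Startup Programs] section only."""
    in_section, header = False, None
    for line in report_text.splitlines():
        text = line.strip()
        if text.startswith("[") and text.endswith("]"):
            in_section = text.lower() == "[startup programs]"
            header = None
            continue
        if in_section and text:
            cells = [c.strip() for c in line.split("\t")]
            if header is None:
                header = cells          # first non-blank line names the columns
            else:
                yield dict(zip(header, cells))

def find_disker(report_text):
    """Return startup rows whose Program or Command names Disker/Disker64."""
    return [row for row in startup_rows(report_text)
            if any(PATTERN.search(row.get(k, "")) for k in ("Program", "Command"))]

if __name__ == "__main__":
    text = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    for row in find_disker(text):
        print("Suspicious startup entry:", row)
```

The match is whole-word, so a near-miss such as the constructed "DiskerTool" row is not flagged, and rows outside the Startup Programs section are ignored because the article's check is scoped to that section.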
World of Warcraft has been the target of hackers before, given its large, attractive, tech-savvy online user base, and has even been hit with lawsuits over security. This is the first major issue since a hacker was able to carry out a massive in-game massacre last year.