Incgamers' UICentral Trojan Infected
Posted: Wed Jan 16, 2008 3:43 pmRipped from http://www.mmo-champion.com
---------------------------
Incgamers' UICentral Trojan Infected
Update : Rushster has since moved the file to a separate server to avoid this happening again. If you'd like to read more about the issue, see the thread on Incgamers here: http://wowui.incgamers.com/?p=mod&m=2106.
Cairenn, an admin of WoWInterface.com posted this thread on the official forums to warn users about a potential trojan in the latest version of incgamers'UICentral (the tool used to auto update your mods).
(4:07:58 PM) Shirik: So here's the deal. UI Central is packaged with a program "patcher.exe" which has code in it to go download an "update.exe" from a non-incgamers site
(4:08:05 PM) Shirik: update.exe is then immediately run
(4:08:51 PM) Shirik: update.exe proceeds to install itself as wzcsvbc.dll
(4:10:01 PM) Shirik: It installs that from a remote site if possible, and if that fails it will instead use its own copy
(4:10:26 PM) Shirik: It then registers itself with lsass.exe so that it can be resident at every startup while remaining hidden
(4:10:43 PM) Shirik: After all that's complete, update.exe attempts to delete itself and shut down
Now luckily for everyone (in one sense) it is the same one as showed up previously. Therefore, we already know how to get rid of it.
If you're using this software, I suggest that you read the whole thread and check your system to make sure it's not infected.
---------------------------
Incgamers' UICentral Trojan Infected
Update : Rushster has since moved the file to a separate server to avoid this happening again. If you'd like to read more about the issue, see the thread on Incgamers here: http://wowui.incgamers.com/?p=mod&m=2106.
Cairenn, an admin of WoWInterface.com posted this thread on the official forums to warn users about a potential trojan in the latest version of incgamers'UICentral (the tool used to auto update your mods).
(4:07:58 PM) Shirik: So here's the deal. UI Central is packaged with a program "patcher.exe" which has code in it to go download an "update.exe" from a non-incgamers site
(4:08:05 PM) Shirik: update.exe is then immediately run
(4:08:51 PM) Shirik: update.exe proceeds to install itself as wzcsvbc.dll
(4:10:01 PM) Shirik: It installs that from a remote site if possible, and if that fails it will instead use its own copy
(4:10:26 PM) Shirik: It then registers itself with lsass.exe so that it can be resident at every startup while remaining hidden
(4:10:43 PM) Shirik: After all that's complete, update.exe attempts to delete itself and shut down
Now luckily for everyone (in one sense) it is the same one as showed up previously. Therefore, we already know how to get rid of it.
If you're using this software, I suggest that you read the whole thread and check your system to make sure it's not infected.