
Malware that gets around the Authenticator

I normally don’t do service announcements like this but I thought this one might be worth mentioning.

As I’m sure most of you know, the Blizzard Authenticator is one of the best ways to protect your WoW account. Now a piece of malware has surfaced that manages to bypass it. Rilgon has a great summary of what it does and how to prevent/get rid of it.

Now before anyone begins panicking, remember this: nothing is perfectly secure. A computer that’s completely free of malware is a computer that’s not hooked up to the internet. And that’s not taking into account files you transfer to it that might be infected.

The authenticator is STILL one of the best ways to help keep your account secure.

Even if you do have an authenticator, you should still practice safe computer techniques to keep your computer clean. Be careful when you’re typing in the address of your favorite WoW-related site. Keep your anti-virus and anti-spyware programs up-to-date and scan with them regularly. Don’t click suspicious links and so on.

There is no need to chuck your authenticator out the door or wrap your PC in tinfoil. Just watch what you do and what’s happening on your computer. Follow Rilgon’s suggestions. If you think that it’s a waste of time, just think of how many hundreds of hours you spend having fun on WoW and weigh it against the handful of minutes it would take to initiate a scan on your computer. Well worth it, in my humble opinion.

Edit: As Rilgon mentioned, MalwareBytes appears to find and kill this malware. From this post on the WoW forums, it looks like the culprit, emcor.dll, also registers itself in your startup list of programs. Having said that, there are numerous programs that show you what is in your startup list, including CCleaner. The ever-popular Spybot has an optional resident scanner called TeaTimer that watches your startup list. The program Winpatrol has a feature that does the same thing. HijackThis! also logs this activity. In theory, these tools should help block emcor.dll’s attempts to start itself up, letting you know that your computer is infected. All of these programs are free and there’s no reason not to have at least one of them on your computer. One of the reported symptoms of this malware is a “memory access violation critical error” so be on the watch for it.
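One way to automate the startup-list check described above, added here as an example and not code from this post or from any of the tools it mentions: it parses the O4 (autostart) lines of a HijackThis log and flags entries that reference emcor.dll. The sample log, its entry names and its paths are constructed, and the rundll32-style entry is an assumed illustration, not a statement of how this malware actually registers itself.

```python
import re

# File names to watch for; emcor.dll is the name given in the post above.
WATCHLIST = {"emcor.dll"}

# HijackThis lists autostart entries in its O4 section, e.g.
#   O4 - HKLM\..\Run: [Name] "C:\path\app.exe" /arg
#   O4 - Startup: Name.lnk = C:\path\app.exe
O4_RE = re.compile(r"^O4 - (?P<location>[^:]+): (?P<rest>.+)$")
REG_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<command>.*)$")
# File names with a loadable extension anywhere in the command line.
FILE_RE = re.compile(r"[^\\/\"\s,]+\.(?:dll|exe|scr|sys)\b", re.IGNORECASE)


def parse_o4(log_text):
    """Return a list of dicts, one per O4 (autostart) line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        reg = REG_RE.match(rest)
        if reg:  # registry Run-key form: [value name] command
            name, command = reg.group("name"), reg.group("command")
        else:    # Startup-folder form: shortcut = target
            name, _, command = rest.partition(" = ")
        entries.append({"location": m.group("location"),
                        "name": name, "command": command})
    return entries


def flag_entries(entries, watchlist=WATCHLIST):
    """Return entries whose command references a watched file name exactly."""
    wanted = {w.lower() for w in watchlist}
    return [e for e in entries
            if any(f.lower() in wanted for f in FILE_RE.findall(e["command"]))]


# Constructed sample log, not taken from a real machine.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O4 - HKCU\..\Run: [loader] rundll32.exe "C:\Users\me\AppData\Local\Temp\EMCOR.DLL",Start
O4 - Startup: Notes.lnk = C:\Program Files\Example\notes.exe
"""

if __name__ == "__main__":
    for hit in flag_entries(parse_o4(SAMPLE_LOG)):
        print("suspicious autostart:", hit["location"], hit["name"], hit["command"])
```

Matching is on the exact file name, case-insensitively, so a differently named copy of the file would not be flagged; treat a clean result as one data point alongside a full scan.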

Edit 2: More info can be found at World of Raids (along with a list of possible sources) and Bamboobix, an unofficial tech support group for WoW who also have a guide on keeping your account safe.