Here's what you must do to remove the threat from your computer

Jan 4, 2014 09:06 GMT  ·  By

On Friday, Blizzard started warning World of Warcraft (WoW) players regarding a Trojan designed to hijack accounts. Initially, little was known about the threat.

It turns out that the malware is disguised as a Curse client served on a fake Curse website. Many players have installed the malicious client because the fake site shows up in search engine results for “curse client.”

WoW players can check to see if their computers are infected by creating an MSInfo file and checking the Startup Program section for an entry called “Disker” or “Disker64.”

In case your computer is infected, the easiest way to remove the Trojan is by deleting the fake client and scanning your device with an updated antivirus (Malwarebytes is recommended, but others should detect it as well).

Tech savvy users can try the manual removal method described on the support forums. The manual method involves downloading third-party tools such as Autoruns, ProcessExplorer and SUPERAntiSpyware.

If you fear that your account has been compromised, change your password immediately. You can determine if it has been hijacked by checking the personal information in the account.

If it’s changed, the account is likely compromised. Additional details on what to do in case your WoW account has been hacked can be found on the special security page provided by Blizzard.

WoW players are advised to download the client only from the official Curse website or from trusted sources. Just because a website shows up among the first results in a Google search doesn’t necessarily mean it’s safe. Cybercriminals can use blackhat SEO techniques to promote their malicious sites.

Furthermore, Blizzard recommends the use of the Battle.net Authenticator, which should protect players in most scenarios.