Wowhead and other sites are having trouble with ad banner trojans
You'll want to be a bit more cautious when looking up information on the game today. World of Raids reports that an unknown ad banner appearing on Wowhead, Thottbot, and Allakhazam has an embedded keylogger trojan. You don't even need to click on the banner, apparently, simply mousing over it will be enough. Wowhead says that all they know for sure is that it originates from "ad.yieldmanager.com", and will produce a redirect to "xpantivirus.com." They're working at isolating it.
The issue is known, and all parties involved are tracking it down, so it should hopefully be resolved soon. In the meantime, if you're looking for a quick way to protect yourself, I would follow the recommendation of World of Raids, and try out the Firefox web browser and the No Script extension. As long as you keep the scripts blocked, it should prevent the banner in question from forcing itself on you. This should also provide you with some protection if you accidentally click on the wrong link elsewhere, such as on the WoW general forums.
Edit: Apparently, the virus in question is not an actual keylogger, but it still does a number on your system, which is reason enough to try to avoid it.
Filed under: Bugs, News items
Reader Comments (Page 1 of 3)
stonehead Mar 10th 2008 4:04PM
Or do like the leets do and use www.wowdb.com.
Matthew Mar 10th 2008 4:26PM
Yeah, because Curse is obviously the safest wow-related site on the net.
stevebob Mar 10th 2008 4:39PM
haha! elite what, douche bags?
keyloggers! one thing that curse can claim they had before wowhead legitimately
http://news.curse.com/details/3723/
DiasFlac Mar 10th 2008 4:41PM
I'm just posting here so it's up where people can see it. There are removal instructions for this thing here: http://www.2-spyware.com/remove-xpantivirus.html
It's an easy fix, and your accounts are in no danger. Look it up. It's irresponsible to post a warning like this without explaining what the malware is, what it does, and how to remove it--especially when the information is so easily attainable.
Introit Mar 10th 2008 4:06PM
Figures, I've been all over Thottbot today. Any word on what the banner looked like, or how to remove/detect the keyloggeed?
Milktub Mar 10th 2008 4:14PM
There are people who don't use Firefox with NoScript?
Votum Mar 10th 2008 4:19PM
This.
Also, AdBlock Plus.
Sakerin Mar 10th 2008 4:38PM
The real shame is that these site's don't work unless you unblock them from NoScript. However if you have NoScript and Adblock then you should be able to still run scripts on the site but block ad banners and prevent these drive-by-downloads from infecting your system.
Erika Mar 10th 2008 6:53PM
But if you block the ad.yeild site you should be fine.
Calaana Mar 10th 2008 7:53PM
I have mine set to block everything(I think it's the default setting). I manually unblock wowhead.com, but leave the five other settings in the listing alone. This lets the scripts you want to run(Search, tooltips, etc) do so, but blocks the ads.
Jack Mar 10th 2008 4:15PM
Seems every other day I find another reason to be glad I'm using Opera. Ad blocking for the win!
keltian Mar 10th 2008 4:27PM
Opera has ad blocking? where? I use it all the time and i never knew about this. also yea ill just stick with www.wowdb.com for now and I never mouse over ads.
idomagic Mar 10th 2008 5:33PM
opera ad-blocking: right click anywhere on a site, choose "block content"
Evolve Mar 10th 2008 4:19PM
If you're using Firefox, I might also suggest the add-on "FlashBlock".
It requires you to clock on any flash object in order to view it. I originally got it cause some flash ads can really hog memory, glad I have it now.
You can download it from: https://addons.mozilla.org/en-US/firefox/addon/433.
brimans Mar 10th 2008 4:25PM
Some questions:
1) Does Firefox stop the keylogger by itself, or do you need the NoScript extension as well?
2) How can you tell if you've gotten hit by it?
3) Is Firefox on Linux affected?
4) Do anti-keylogger programs, like SnoopFree Privacy
Shield, which warn when a keylogger initiates, block this?
Tridus Mar 10th 2008 4:53PM
In regards to #1, until someone actually tracks down the ad in question and figures out how its actually infecting people, there's no way to answer that.
I don't know of any active Firefox exploits though, so you're probbaly as safe as you can be as long as you have the most recent version.
DiasFlac Mar 10th 2008 4:29PM
For the record, a quick Google search shows that this isn't a keylogger. XPantivirus has been popping up all over the net, I get it on hotmail.com a little while ago too.
It gives you a dialog box, warning you your computer is infected with spyware (false), and then redirects you to a new page which tells you it's scanning your system (false). It then attempts to download a Trojan into your computer which sits in the background and tells you that your system is infected with spyware (true) and that the only way to remove it is to send them money for their product (false).
You'll know instantly if it comes up. There are detailed removal instructions here: http://www.2-spyware.com/remove-xpantivirus.html
Don't get me wrong--this is a nasty little piece of work. But your WoW accounts are in no danger, and calling it a "keylogger" is just sensationalism.
Zan Mar 10th 2008 4:41PM
Exactly. Do you have any idea the utter chaos there would be on the web if a banner ad could install a keylogger onto your box without you doing anything more than mousing over it? And if it were possible, why the hell would WoW accounts be the target? lol. I would worry about online banking if that were the case.
Sadly there are plenty of tech-noobs that get suckered into this sort of thing.
Aichon Mar 10th 2008 4:52PM
@ Zan
Stolen WoW accounts are now considered more valuable than stolen credit cards on the black market (I'd link to it, but the old link is dead...WoW Insider covered it a little over a year ago). So yeah, I'd be worried about your WoW account being stolen. Sure, a bank account might be bad as well, but a WoW account is getting up there in value.
Zan Mar 10th 2008 5:37PM
@Aichon
Interesting. Well eitherway, auto-installed keyloggers off of internet banners is not a reality.
Maybe those relatives in Nigiria that died and have a fortune for you will now be re-thinking their phishing campaigns to get you to send them your WoW account info instead lol.