Warcraft Custom Map Virus - Important! - DotA-Blog

Warcraft Custom Map Virus - Important!

Warcraft Custom Map Virus, a must read! There's been a big fuss lately on Battle.net because a new exploit has been circulating among hackers. The exploit allows a custom map to execute arbitrary code on a client and install trojans/viruses/keyloggers outside of the Warcraft III engine. In simple words, just by joining a game hosted by an unknown person who uses the Warcraft III virus map, your PC will be infected when the game starts. DotA has now become the largest target of this virus. This is not a hoax or rumor: the Dota-Allstars forums (and Battle.net forums) have already stickied this topic. I really recommend that you read this article to the end for your own good.

Hackers created fake DotA maps that use the same file extension/directory as DotA 6.59d. Therefore you will see the loading screen displayed in your custom game list, and it is effectively impossible to take precautions against, as there is no discernible difference from joining a normal DotA game. It is highly recommended that you stop playing public DotA games until Blizzard can patch this exploit. They have already had it brought to their attention.

For those who doubt how dangerous this is: by mimicking DotA, anyone who has already downloaded the legitimate map will see the game displayed in the custom game screen with the proper loading image, and it finishes downloading before you switch to the game lobby screen, as it is a tiny file size. Once you enter the game, the virus will unpack itself and infect your computer, allowing malicious code to be executed at the whim of the hacker. This means a malicious user will be able to grab everyone's CD keys in a game, plant a keylogger in your computer, any known virus, etc.

Props go to Maged@Battle.net forums for bringing this to attention.
http://forums.battle.net/thread.html?topic...58&sid=3000

Don't join games of DotA hosted by people you don't know. This applies to public games, TDA, etc. The best precaution you can take at the moment, if you want to continue to play DotA, is to keep your Warcraft III maps folder open and see if any new files are downloaded when you join a game. If they are, immediately leave the game lobby before the host can start the game (and infect you), and delete the new map file. If your computer has been infected, you should run the best antivirus software you can find, and don't log into any accounts on your computer (Warcraft III, email, etc.), as there is a high probability of getting your password keylogged. If you are certain your computer is infected, the only surefire way to eliminate it is to reformat your computer.
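The folder check described above can be automated. This is an added example, not part of the original post and not the code of any tool mentioned on this page: it snapshots the map files by SHA-256 and reports new, modified, and look-alike files (same file name as a map you already have, different content). The `Download` subfolder and the sample file names are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

MAP_EXTENSIONS = {".w3x", ".w3m"}  # Warcraft III custom map file types

def snapshot(maps_dir):
    """Return {relative path: sha256 hex} for every map file under maps_dir."""
    root = Path(maps_dir)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in MAP_EXTENSIONS
    }

def changes(before, after):
    """Classify what appeared or changed between two snapshots."""
    known = {}  # lower-cased file name -> digests seen in the baseline
    for rel, digest in before.items():
        known.setdefault(Path(rel).name.lower(), set()).add(digest)
    findings = []
    for rel, digest in sorted(after.items()):
        name = Path(rel).name.lower()
        if rel in before:
            if before[rel] != digest:
                findings.append(("modified", rel))
        elif name in known and digest not in known[name]:
            # A new file reusing the name of a map already present, with
            # different content: the look-alike case the article warns about.
            findings.append(("lookalike", rel))
        else:
            findings.append(("new", rel))
    return findings

def demo():
    """Constructed sample: one existing map, then two files arrive in Download/."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Download").mkdir()  # assumed layout, for illustration only
        (root / "dota_6.59d_sample.w3x").write_bytes(b"legitimate map bytes")
        baseline = snapshot(root)  # taken before joining any lobby
        (root / "Download" / "dota_6.59d_sample.w3x").write_bytes(b"tiny file")
        (root / "Download" / "SomeOtherMap.w3x").write_bytes(b"unrelated map")
        return changes(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:9} {rel}  (leave the lobby before the game starts)")
```

Take the baseline snapshot before joining a lobby and compare again while still in the lobby; any finding means a file was downloaded for that game.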

COMODO is the only known program at the moment to prevent Warcraft from running the malicious code as of now. Every other AV/firewall/anti-malware program other than that does not currently prevent this exploit from being used.
This is what ChildLikEmperor, Dota-Allstars forums moderator, said on his thread. But if you have another AntiVirus that can detect it, feel free to share it here.

Blizzard has been notified about the issue. The safest thing to do at the moment is to not play DotA or any other custom map until Blizzard releases a new patch. Or you can carefully choose your host when joining a game, even though a certain risk is still there. Honestly, I prefer the second choice, because it will be hard to stop playing DotA ~_~

Update:
Thanks to the anonymous commenter who gave this information.
Name of virus: HackTool.Win32.Sniffer.WpePro.w
Contaminated sites are here:
C:\WINDOWS\TEMP\omfg_wtf.dll

Looks like the virus file is at: \WINDOWS\TEMP\omfg_wtf.dll

Note: Warcraft Patch 1.23 is also vulnerable to this virus!


46 comments:

  1. hey why only comodo??!! are they promoting comodo AV??!! it dont make any sense that they are stopping us from playing DotA on the net!!! an anti-virus software or whatever the brand maybe, it always detect a virus eventhough its not in the virus database yet..the game jaz crashes n u cant continue to play anymore..the 6.60 beta 44 is one example, maybe its a new virus or maybe not...so to the one u said that it was a virus, can u give me the name of your anti-virus so i can DL it then scan also the beta 44 6.60 map? tnx...

  2. I'm gonna miss the days when you can just go out and play DotA with no worries. :(

  3. @raz44 - Comodo is the antivirus recommended by the Dota-Allstars Moderator because it's already proved to prevent this virus. I believe he didn't have commercial purpose. If you know other antivirus who can detect this virus, feel free to share it here :)

    Thanks for the response.

  4. You might think Dota is one of the #1 games in the world, but actually its also the number #1 hated by 50% of the people who does warcraft. Check hive workshop, almost all the people there hate dota. But I dont blame them nor accuse them. Im just stating facts :)

    ANyways, just to be sure. Always Download from: www.getdota.com
    and if you joined a game, and its not recognized by your warcraft. QUIT ASAP.

    Or Possible, don't play 6.59d or 6.57b versions for now.

  5. Good day. Already got on this thing! Kaspersky quickly responded!
    Name of virus: HackTool.Win32.Sniffer.WpePro.w
    Contaminated sites are here:
    C:\WINDOWS\TEMP\omfg_wtf.dll

    Be careful!!

  6. NOO!!!!!!!!!!
    I'm shocked! Now I can't just sit down in front of my computer and play DotA with this virus.
    OMG! I must be careful....
    WE must be careful!!!!

  7. AVIRA ANTIVIR

    (best free program for 2008)

    one of the best antivirus

    i have this program ... and when i started the map ... the antivirus DETECTED ...!!!

    so... ;) and deleted the virus

  8. This comment has been removed by the author.

  9. Bit defender can do it too.

    When i play, the warning shown.

    And deleted it.

    But it seems the Virus shown again when i play DOTA, Help me...

  10. Hi, my AV programm is NOD32.. it detected it also.

  11. I caught this virus over a year and a half ago; it's not new, only now it's spread. I got it only once and haven't gotten it again; that's why I was surprised when in an FAQ Blizzard said that custom maps couldn't carry the virus because they were not executables.

  12. Read ppl COMODO isnt the only one to detect its the only one at the time of the mods post that could "prevent Warcraft from running the malicious code" meaning it doesnt infect u and u nvr need to detect it since it nvr gets installed.

  13. I was the one who first wrote here and I detected the Virus with AVIRA Antivir Freeware. It was deleted completely after the map started.

  14. it still doesnt make any sense coz this is not a .exe file..im wondering how this so-called virus works on every pc, its like noob-created virus anyway..it doesnt replicate, it only take passwords and other secured files on hard drives??? if detected, jaz delete it right away..and why on temp folder? maybe its a malware..

  15. so bored 2 wait 4 6.60..heard that it will be released next year...

    WTF!!

  16. Anonymous said...
    so bored 2 wait 4 6.60..heard that it will be released next year...

    WTF!!

    @Anonymous
    Lol, it cant be released next year, its too long..Maybe it'll be released this or next month. but i think it will be released this month :P.

  17. hey can i ask something i dont play at battle net but i do play at GARENA if the host has the virused dota map will i get infected...?? in GARENA of course

  18. If you join a Garena game, and your computer starts downloading the map (you'll see the number next to your name), then that's the virus being downloaded to your computer. If the game starts, the virus is run.
    So... if you see your computer downloading a map that you should already have, immediately leave the host.

  19. WATCH THIS :
    http://warcraftpk.com/Warcraft-1.23b-Patch-Custom-Map-Virus-Important.html

  20. DID YOU COPY HIM OR DID HE COPY FROM YOU

  21. LOL LINK IS IMBA MUST WATCH :D

  22. T.T why is there virus (May 1, 2009 at 8:57 PM)

    OH SHIT THE MAP WAS ALSO IN GARENA MAN I SHOULD STOP PLAYING WC3 FOR A WHILE N PLAY OTHER ONLINE GAME

  23. Well then not many people gonna play these days, but what happen if I HOST A GAME (DOTA)? It will be SAFE right? or there is any other way to be infected?

  24. hello... hapi blogging... have a nice day! just visiting here....

  25. TO PREVENT THIS WITHOUT ANY HASSLES OF CHECKING YOUR MAPS DIRECTORY

    DENY WRITE PERMISSIONS TO THE Warcraft III/maps folder

    use google to find out how to do that

  26. for me, i just won't play dota till its patched
    i play this to kill time
    http://johnfgiggity.mybrute.com
    its pretty fun

  27. I think we can certainly prevent this virus by using a updated antivirus like Kaspersky.

  28. WPE PRO?
    So a packet sniffing trojan. It is used to hack multiplayer games.

    Never thought DotA can be hacked using this.

  29. I think most of you haven't seen the news in the other thread. Beta 45 has been leaked, we're discussing it there.
    https://www.blogger.com/comment.g?postID=6135536141977004311&blogID=8207692519131131689&isPopup=true&page=2

  30. i think that if i host a game there is no chance of being infected, is there?

  31. @above - yes, as long you are hosting original map, you are safe :)

  32. argh, i hate that MKB true strike
    earning butterfly means nothing
    too powerful modification i think

    perhaps it is more interesting to add elemental item like, ice guard that nullify any ice effect but weak against fire vice versa

  33. @Suya Lynx

    u'r on a wrong post man...

  34. Here's a hotfix guys:
    http://files.filefront.com/OverflowFixrar/;13717253;/fileinfo.html
    Also you can play in a virtual console such as Sandboxie to stop it harming your PC :D

  35. sorry for the wrong comment post
    but i am sure that i clicked the post comment link on dota 6.60 beta 45 post

    why did it ended up here?
    that day i post, 6.60 beta 45 is the newest post

    hey alief, does the blog tricked me?

  36. @suya lynx - Um, i'm not sure why. But it's never happened before, so perhaps you accidentally clicked the wrong link lol ^^ Anyway, i still appreciate your comment even though it went to a different post, so take it easy :)

  37. ahahah!...
    johnfgiggity is indeed funny!...
    i'm ur student there!...
    ahahah!...

    ahahah!...
    MyBrute rocks!...
    Dota RULEZ!...
    Virus sucks!...

  38. Hi guys,

    I know most of the DotA community is kinda nervous about this latest exploit. To allow you to play with peace of mind until Blizzard's 1.23b patch comes out (and a new DotA map comes out to support the changes), please try my utility, Sentinel. It is a lightweight program that basically monitors your Downloaded maps folder for any changes. If there is a change it plays a warning sound. Then you can leave the host before the game starts, so any malicious code isn't executed.

    Please read the full thread at:
    http://www.playdota.com/forums/showthread.php?t=6482

    I have also posted the original source code, so you can be sure this is not a virus of its own.

  39. Is it safe to play yet?

  40. It was extremely interesting for me to read this article. Thanx for it. I like such themes and anything connected to this matter. I would like to read more on that blog soon.

  41. o hey geniuses its the exploit not a virus .. and there is no cure. its any game that was compiled with jass script compiler engine. alls u have to do is some string hops to convert it into the local machines os commands. from there whatever text files you have the power to shove in plain english can be put there. any virus from that point is possible. and no your antivirus cant do shit about it if they know how to use an obfuscator. the major point for this if it was useful id say u could make a rat or an autohotkey exe download and execute on their side. so that u could spoof to the game host creators name .. disable their anti cheat . logically this should be rated critical ++ on each and every antivirus site. DO YOU REALIZE HOW MANY GOVERNMENT AGENTS PLAY WC3 BEHIND TOP SECURITY WALLS!

    anyways. once i figure out the script kiddie method of how to convert to dos (or linux ) commands... ill be lord of the wc3 server im on...

    would u like a ban cookie?

  42. Opportunities for hackers to harvest money from gamers user account user ID and password by using the malicious map. It's perfect ground for robbery ;)
