Connor_Graham
Guest
Last week I'd asked about additional security measures for changing the password on a UO account in the case an account got hacked in order to stop the hacker from being able to respond to a verification email. In that thread Devil's Own asked me to report what I found if I was able to discover where the virus that was found on my computer came from.
Well....I found it.
It seems this virus actually created a copy of itself because when I discovered it last week, it was immediately quarantined, then deleted from my hard drive. Upon running my weekly full scan of everything on my computer, the virus was found again, back in an EA Games file, linked only to KR this time instead of a copy of it in both clients. When my AV program notified me the program was still present, I went digging through the files on my computer, and found 2 instances of the virus, one that was easy to recognize, and another that sent off all the alarms.
The virus file had the name that coincided with a website I was directed to by a Whispering Rose DJ in order to be able to listen to their station. I won't name the DJ in public, but the site that this DJ directed me to was WRAR dot com. DO NOT go to this site unless you want to spend a few hours digging through your hard drive and running your AV program a couple of times.
When I first found this virus, I was at a loss to figure out where it might have come from, as I rarely go to any sites that I haven't been to before. Once I saw the file name that was the same as the website that the Whispering Rose DJ gave me, it all clicked. It turned out when I went to this site that it did in fact list Whispering Rose as one of the links on the site, along with a few other sites that had nothing to do with UO. I'd thought it strange at first but figured it was just low budget advertising. Since the link didn't actually take me to the radio station, I'm concluding that either the site page itself, or more likely, clicking on this link is what dumped this nasty virus on my computer.
I've spent the past hour or so going through all of my banking and credit card accounts, as well as my UO accounts, and changed all the passwords AGAIN. I didn't get hacked, so the only thing I can figure is:
a) The WRAR site was hacked by someone and a trojan implanted
b) The people responsible for the WRAR site just haven't had time yet to get to my account to hack it and strip it clean.
Either way, I'm very disappointed to discover that this entire matter started with a DJ from UO's own Whispering Rose directing me to a site with a trojan embedded in it, when in fact the REAL website that you go to in order to listen to the radio station isn't even close to the site I was directed to, which leads me to believe it was done intentionally by this DJ, either acting for his/her own benefit, or for the benefit of Whispering Rose itself.
Yesterday someone I've known for a very long time in game reported that one of the radio station vendors on Pacific had a vendor with multiple heartwood runics on it in the recent past. Makes me wonder if they still have that account or if it got caught in the recent sting operation.
Anyway, just wanted everyone to know where the virus came from, and that it came from what USED TO BE a trusted member of the UO community.
Not any more.
Edit- It appears the possibility exists that a DNS bug that misdirected me to the site that dumped this virus on my computer may have been the reason I ended up on that site to begin with. I've been contacted by WRR and they are going to have their tech people look into the site to make sure nothing is there. At this point I'd like to retract the statement that the DJ or WRR itself may have done this intentionally and offer my apologies. I've just been a bit frustrated with finding this virus on my PC yet again, and after staying up very late last night manually going through the files on my hard drive, then up again early this morning ensuring the virus is indeed gone, I'm a bit frazzled this morning.