It appears that the website pocketpcmag.com has been hijacked. At the time of writing, webpages for articles dated June 2006 and May 2005 contain JavaScript code that leads to another page and script. The script uses an iframe to redirect the browser to a website in the .cn domain known to exploit the much-publicized ANI vulnerability.

"ANI" is the extension used in Microsoft Windows for animated cursors. In recent days, there has been a surge of exploits targeting a vulnerability in the way Windows handles these files. Through the vulnerability, trojans are dropped on the target machine. When the user launches the Blizzard Entertainment massively multiplayer online game (MMOG) World of Warcraft (WoW), the trojans attempt to capture the login information and send it to the hackers. CA AntiSpyware detects the trojans that are dropped on the machine as WoW A. CA AntiVirus detects attempts by animated cursor files to exploit this vulnerability as Win32/MSA-935423!exploit.
Will computer and console games be the next major target of malware authors? Although it is hard to say for sure, these WoW trojans are a clear indicator that malware authors are no longer motivated by fame and recognition, but rather by financial gain. WoW has a currency called WoW Gold; it is not impossible that hackers would want login credentials to the game just to convert WoW Gold into greenbacks.

The CA Security Advisor Team recommends extreme caution when visiting websites, especially if you have World of Warcraft installed on your machine. As always, make sure your operating system is patched, that you are using the latest version of your software, and that you have an active antivirus and antispyware solution.
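For site operators, the injection chain described above (a script include on an article page leading to a page that carries an iframe) can be checked for by listing every off-site `script` and `iframe` load in served HTML. The following is an added example, not code from the original article or from CA; the hostnames and HTML samples are constructed, and the allowlist and the "hidden" sizing heuristic are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def is_hidden(attrs):
    """True when an element is sized or styled so the visitor cannot see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(k, "").strip() in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style

class OffsiteLoadFinder(HTMLParser):
    """Collect <script src> and <iframe src> tags that load from another host."""
    def __init__(self, site_host, allowed):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed = {h.lower() for h in allowed}  # approved third parties
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "").strip()).hostname or "").lower()
        same_site = host == self.site_host or host.endswith("." + self.site_host)
        if not host or same_site or host in self.allowed:
            return  # inline, relative, same-site or explicitly approved
        self.findings.append(
            {"tag": tag, "host": host, "hidden": tag == "iframe" and is_hidden(a)}
        )

def scan(html, site_host, allowed=()):
    """Return off-site script/iframe loads found in one HTML document."""
    finder = OffsiteLoadFinder(site_host, allowed)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed samples: an article page with one unexpected script include,
# and the page that script leads to, which carries a zero-size iframe.
ARTICLE = """<html><body>
<script src="/js/site.js"></script>
<script src="http://stats.partner.example/t.js"></script>
<script src="http://injected.example/1.js"></script>
<p>Article text</p></body></html>"""
STAGE2 = """<html><body>
<iframe src="http://exploit-host.example/x.htm" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(scan(ARTICLE, "www.publisher.example", allowed={"stats.partner.example"}))
    print(scan(STAGE2, "injected.example"))
```

Running this over archived article pages as well as current ones matters here, since the affected pages in this incident were old articles.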