Wowhead and other sites are having trouble with ad banner trojans
by Daniel Whitcomb 
Mar 10th 2008 at 3:50PM
You'll want to be a bit more cautious when looking up information on the game today. World of Raids reports that an unknown ad banner appearing on Wowhead, Thottbot, and Allakhazam has an embedded keylogger trojan. You don't even need to click on the banner, apparently, simply mousing over it will be enough. Wowhead says that all they know for sure is that it originates from "ad.yieldmanager.com", and will produce a redirect to "xpantivirus.com." They're working at isolating it.
The issue is known, and all parties involved are tracking it down, so it should hopefully be resolved soon. In the meantime, if you're looking for a quick way to protect yourself, I would follow the recommendation of World of Raids, and try out the Firefox web browser and the No Script extension. As long as you keep the scripts blocked, it should prevent the banner in question from forcing itself on you. This should also provide you with some protection if you accidentally click on the wrong link elsewhere, such as on the WoW general forums.
Edit: Apparently, the virus in question is not an actual keylogger, but it still does a number on your system, which is reason enough to try to avoid it.
Filed under: Bugs, News items
Reader Comments (Page 1 of 3)
stonehead Mar 10th 2008 4:04PM
Or do like the leets do and use www.wowdb.com.
Matthew Mar 10th 2008 4:26PM
Yeah, because Curse is obviously the safest wow-related site on the net.
stevebob Mar 10th 2008 4:39PM
haha! elite what, douche bags?
keyloggers! one thing that curse can claim they had before wowhead legitimately
http://news.curse.com/details/3723/
DiasFlac Mar 10th 2008 4:41PM
I'm just posting here so it's up where people can see it. There are removal instructions for this thing here: http://www.2-spyware.com/remove-xpantivirus.html
It's an easy fix, and your accounts are in no danger. Look it up. It's irresponsible to post a warning like this without explaining what the malware is, what it does, and how to remove it--especially when the information is so easily attainable.
Introit Mar 10th 2008 4:06PM
Figures, I've been all over Thottbot today. Any word on what the banner looked like, or how to remove/detect the keyloggeed?
hmph Mar 10th 2008 7:01PM
Just when curse finished their new wowdb, suddenly ALL the others become infected?
sure...
Milktub Mar 10th 2008 4:14PM
There are people who don't use Firefox with NoScript?
Votum Mar 10th 2008 4:19PM
This.
Also, AdBlock Plus.
Sakerin Mar 10th 2008 4:38PM
The real shame is that these site's don't work unless you unblock them from NoScript. However if you have NoScript and Adblock then you should be able to still run scripts on the site but block ad banners and prevent these drive-by-downloads from infecting your system.
Erika Mar 10th 2008 6:53PM
But if you block the ad.yeild site you should be fine.
Calaana Mar 10th 2008 7:53PM
I have mine set to block everything(I think it's the default setting). I manually unblock wowhead.com, but leave the five other settings in the listing alone. This lets the scripts you want to run(Search, tooltips, etc) do so, but blocks the ads.
Jack Mar 10th 2008 4:15PM
Seems every other day I find another reason to be glad I'm using Opera. Ad blocking for the win!
keltian Mar 10th 2008 4:27PM
Opera has ad blocking? where? I use it all the time and i never knew about this. also yea ill just stick with www.wowdb.com for now and I never mouse over ads.
idomagic Mar 10th 2008 5:33PM
opera ad-blocking: right click anywhere on a site, choose "block content"
Evolve Mar 10th 2008 4:19PM
If you're using Firefox, I might also suggest the add-on "FlashBlock".
It requires you to clock on any flash object in order to view it. I originally got it cause some flash ads can really hog memory, glad I have it now.
You can download it from: https://addons.mozilla.org/en-US/firefox/addon/433.
brimans Mar 10th 2008 4:25PM
Some questions:
1) Does Firefox stop the keylogger by itself, or do you need the NoScript extension as well?
2) How can you tell if you've gotten hit by it?
3) Is Firefox on Linux affected?
4) Do anti-keylogger programs, like SnoopFree Privacy
Shield, which warn when a keylogger initiates, block this?
Tridus Mar 10th 2008 4:53PM
In regards to #1, until someone actually tracks down the ad in question and figures out how its actually infecting people, there's no way to answer that.
I don't know of any active Firefox exploits though, so you're probbaly as safe as you can be as long as you have the most recent version.
Jemhadar Mar 10th 2008 4:30PM
I just love how people push Firefox as the cure for all their security issues...yea, sure.
jbodar Mar 10th 2008 4:41PM
Lemme guess... yours involves Apple-flavored Kool Aid?
Sakerin Mar 10th 2008 4:48PM
A non-IE browser such as Firefox is essential to security on the internet today, however it is not a panacea. I recommend that all internet users (especially ones who visit less-than reputable sites such as Social Networking or *gasp* pornograpy websites) have the following:
-A good (AVG Pro, Trend Micro, Kaspersky) antivirus program preferably including a firewall and antimalware protection
-If not included with the antivirus, good antimalware protection
-Firefox with Adblock and Noscript along with training on how to use the packages
-Latest security updates for their operating system at all times
This may seem like a bit much to a lot of people, so if I can just get them to use Firefox I consider it to be a good starting ground. The fact of the matter is that it is much more secure than IE in that is doesn't install anything that asks (without prompting the user) and does not (without the installation of certain addons) support the atrocity that is Active X.