What we believe has happened, and please take this with the appropriate grain of salt, is that Fraps had a modified version of SpyLocked in it, which installed the Trojan.Crypt.FKM.Gen into Microsoft Net Meeting, which was then started silently when Windows rebooted. When the users logged into WoW, their passwords were key logged and twelve hours later several level 70 characters, including many bank alts, were deleted. It should be noted that it is possible that SpyLocked was installed into Fraps via a malicious email, however that is unlikely. We can also not verify where Fraps was downloaded, however it was almost assuredly downloaded from the official site.
This is evident in the logs of the virus scanner, which show both Fraps and Net Meeting as having viruses. Further, SpyLocked has been known to install further malicious programs on a computer. Finally, all of this has been confirmed via extensive interviews with the hacked subjects.
What can you do to prevent this from happening?
- Change your password, now!
- When you're at home, run a complete virus scan. Do not sign in to WoW until you've done so.
Most of all it's important that you, our readers, stay safe. Take a minute to change your password now.
Update 11:21 p.m. April 30th: I've been in contact with Beepa, the makers of Fraps, and they assure me that the official downloads from fraps.com are perfectly fine.
Virus scan readout:
[DETECTION] Contains detection pattern of the Phish-File/Email PHISH/FraudTool.SpyLocked.J
[DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen