3/4

• In the Lord Marrowgar encounters, the boss will no longer reset threat after a bone storm and will now wait a small amount of time before attacking at the end of a bone storm.
• In the Deathbringer Saurfang encounters, the boss is now less likely to cast Blood Nova on targets affected by Mark of the Fallen Champion.
• In both normal and heroic versions of the 10 player Rotface encounter, the mutated infection ability will not be cast as quickly while the fight progresses.
• In the 10- and 25-player heroic Festergut encounters, the malleable goo ability should no longer target pets.
• In the Valithria Dreamwalker encounters, the duration of Emerald Vigor and Twisted Nightmares were slightly increased.
• In the Sindragosa encounters, the duration of the instability debuff was slightly reduced.

The optional zone buff in the Icecrown Citadel is now available and will make the instance easier for those who wants to use it. The buff currently increases total health, healing done and damage dealt by 5% and this will increase by 5% every week or month., we dont know yet.

• Strength of Wrynn (5%) / Hellscream's Warsong (5%)
• Strength of Wrynn (10%) / Hellscream's Warsong (10%)
• Strength of Wrynn (15%) / Hellscream's Warsong (15%)
• Strength of Wrynn (20%) / Hellscream's Warsong (20%)
• Strength of Wrynn (25%) / Hellscream's Warsong (25%)
• Strength of Wrynn (30%) / Hellscream's Warsong (30%)

Anyone who has an authenticator attached to their account should run a search (and probably an antivirus scan in case it's on the threat list already) immediately and ensure the file emcor.dll does not exist on your computer. This file is one reported to be allowing hackers to access World of Warcraft accounts that have authenticators attached to them. Based on information around, the file may be found in /users/username/appdata/Temp. Since the file is fairly new I urge everyone to not log in to World of Warcraft or the account management site until you've run a scan. Confirm your computer is secure before using your authenticator, because this DLL file is allowing hackers to crack through it and access your account.

A warning sign that you're currently infected with this keylogger is that WoW will say your authentication code is incorrect, even if you know for sure you typed in the correct code.

The filename EMCOR.DLL was first seen on Feb 25 2010:

• Tunisia on Feb 25 2010
• The United Kingdom on Feb 25 2010
• Egypt on Feb 26 2010

To remind everyone, this doesn't make authenticators useless. It just shows that not everything is 100% fail-safe. Hopefully Blizzard can get a patch out soon to help with this.

Blizzard has confirmed this:

After looking into this, it has been escalated, but it is a Man in the Middle attack.
http://en.wikipedia.org/wiki/Man-in-the-middle_attack

This is still perpetrated by key loggers, and no method is always 100% secure.

Some info about the emcor.fll file:

Firewall IP Block

You may be able to block the IP 205.209.181.111 to help prevent your information from reaching the hackers. This is of course something that may change after they find out they've been discovered, but it should offer some temporary help while you get rid of all the files.

The keylogger will send the data to:
Host: 205.209.181.111
Port: 1068

The keylogger data file can be found in /users/username/appdata/Temp along with the DLL
The keylogger sends the "current tick" to the server. Presumably so it can tell how long it has to use the code.

Keylogger Server Details

The keylogger is a standard windows based keylogger which uses SetWindowsHookEx hooking as a debug hook (WH_DEBUG) so it gets first dibbs on typed data (Although for some reason it does pass on the data to other hooks and not block them...)

The data is set to:
Host: 205.209.181.111
Port: 1068

OrgName: Managed Solutions Group, Inc. (Known spamming server)
OrgID: MSG-48
Address: 45535 Northport Loop East
City: Fremont
StateProv: CA
PostalCode: 94538
Country: US

The Source

The distribution server is hosted in Malyasia (server IP: 112.137.162.183).

It hosts 13 other fake sites, 3 of them below:

Cursea.com
Deadlybossmodss.com
Gamesacca.com

Do NOT visit the sites. Aslong you make sure you are visiting the correct websites/adresses and nothing dodgy you are safe.

One of the sources is a fake WoWMatrix website being advertised on Google at the top of search results for WoWMatrix as a "Sponsored Link". I've attached an image below, but DO NOT VISIT THE WEBSITE. Visiting this website -- which is an exact copy of the WoWMatrix site -- lets you download a fake version of the WoWMatrix AddOn Manager which allows emcor.dll to be installed on your system. Google has been alertet.

Once downloaded, this will install the trojan Malware.NSPack which can be detected by Malware Bytes.

Just when it seemed that NetEase had finally gotten things under control to operate World of Warcraft in China, it's hit another potential road bump. The company released an official statement to Chinese press announcing the resignation of project chief Li Riqiang, according to JLM Pacific Epoch, a research firm that focuses on China. The statement did not give a specific explanation for Riqian's departure nor did it name a possible replacement to fill the seemingly important vacancy.

Since taking over World of Warcraft operations in China from The9, NetEase has faced a series of difficulties. It seemed like the company had finally gotten back on track, however, as NetEase was recently approved to run World of Warcraft and the Burning Crusade expansion. It's as yet unclear how Riqian's absence might sour that good fortune.