Hi there,
today, Kasperky has reacted to a trojan in my Warcraft III folder:
Type : Trojaner
Name : Trojan-Banker.Win32.CliptoShuffler.bqd
Object Name: ClientSdkMDNSHost.exe
Seem to also have been related to CompatTelRunner.exe
Does anyone know what this “ClientSdkMDNSHost.exe” is and if it’s part of the normal Warcraft III files?
Kaspersky says it deleted this files from the folder within Waracft III: retail\x86_64
That’s not part of the currently support client, and not part of the download from our website.
If you downloaded or obtained your client from somewhere else then it may contain files from the source that are not part of the original, as you cannot obtain the “Classic” client from Blizzard directly you’d need to contact your distributor.
We don’t support people who are running the “Warcraft 3 Classic” client which no longer is patched or accessible. Instead WC3 is accessed through the Reforged Client.
Same here, happened right after it updated.
“That’s not part of the currently support client” Ok? It literally came with the update to the game though. This is not the “Warcraft 3 Classic” client, this is from warcraft 3 through the battle.net launcher
Do you have the exact file extension location for the “trojan”?
It seems this could be a false positive, but would still want to confirm some more information.
C:\Program Files (x86)\Warcraft III_retail_\x86_64\ClientSdkMDNSHost.exe;Trojan-Banker.Win32.CliptoShuffler.bqd;Trojaner;12/25/2020 15:12:55
Most likely a false positive, virustotal only showed kaspersky detecting the file as a virus when I checked yesterday
Hey I’ve had the same problems. Got me scared quite a bit. I would like to add to Ixthocaesil’s first remark that it isn’t a part of the instal procedure. I’m afraid that it is it is. I already thought it would be a false positive so I reinstalled Warcraft III and it reinstalled the file and kaspersky flagged it again and deleted it.
I reinstalled it by going to my account via the battle.net launcher and downloading the installer from the owned games account page. That’s the reforged installer I think. I didn’t reinstall it via the battle.net client directly as I don’t own the updated version. You have to go to the blizzard account page and seperatly download the installer then.
To add to the details my Kaspersky also noted that it was accessed via the programme Agent.exe, this is located in the place, C:\ProgramData\Battle.net\Agent\Agent.7269. I don’t know if this is relevant but maybe it helps.
Would be great to get a blizzard response to easy our worries. Its probably a false positive but would be nice to have that confirmed
In the first case, we were also going on the original poster’s description of a “classic” client that could be corrupted, or have been downloaded through a third party.
Checking further into this (with some other people) it is a false positive for ClientSdkMDNSHost. It’s quite common when sections of the game are updated for Antivirus engines to detect it as a virus until they are updated.
You should at least report this to Kaspersky as there’s nothing we can do about their detection systems.
Thanks for checking again.
I would still like you not to “suggest” things people didn’t do when replying.
In fact, I did download the client from the Blizzard page and not from a “3rd party source”.
What I still find strange is that I didn’t start any update or downloads - the folder is like it is since years on my HDD. The only strange thing is that it wasn’t related to “agent.exe”, but to “CompatTelRunner.exe”.
I guess it was a false positive, thanks to the community for the help and think of not being so rude to your customers Mr. Ixhocaesil.
Just to note the legacy installers are still hosted by Blizzard:
Hey to follow up on this topic. Kaspersky’s been informed (not by me). And confirmed it to be a false positive. I can’t post the link but its on the Kaspersky’s forum with an employee reaction. Topic titled: “Trojan-Banker Как себя обезопасить? [MOVED]”. Its in russian which I can’t read so I ran it through google translate.