The Trojan that compromised World of Warcraft and Battle.net accounts stems from a fake version of the Curse Client, Blizzard discovered today. Shortly after warning players of the Trojan which could steal both a player's account information and authenticator password, Blizzard discovered the source of the problem.
"The trojan is built into a fake (but working) version of the Curse Client that is downloaded from a fake version of the Curse Website," Blizzard updated players. "This site was popping up in searches for "curse client" on major search engines, which is how people were lured into going there."
The easiest way to remove the Trojan, according to Blizzard, is to just delete the fake Curse Client and run scans from an updated Malwarebytes. Should you still have issues, Blizzard recommends removing it manually. And for those of you who were compromised, follow the security instructions on Battle.net.
Despite the attacks, Blizzard assures that the Authenticator still protects your account "99% of the time."