Malware Spreading via Steam Chats, Gains Access to Inventory

roseofbattle

News Room Contributor
Apr 18, 2011
2,306
0
0
Be cautious of any URL shortener or else you could be downloading malware from friends and strangers on Steam.

Malware researchers are warning all Steam users to be aware of a .SCR (screensaver) file that appears harmless but will actually steal items from Steam users' inventories.

Security company Malwarebytes [https://blog.malwarebytes.org/fraud-scam/2014/11/rogue-scr-file-links-circulating-in-steam-chat/] said once a computer is infected with the malware, the victim's session ID on Steam and inventory are at risk. In addition, the virus sends further messages to the victim's friends list. The message includes a link to what appears to be a photo. The URL is shortened through bit.ly, with IMG at the start of the full URL and a .SCR extension.

Christopher Boyd of Malwarebytes said, "Just because the name of the file says 'IMG' at the start doesn't mean it's actually an image file. The extension in these cases is the giveaway, and users of Steam should ensure they're not being set up for a harsh lesson in digital shenanigans."

Earlier in the week, Steam users wrote about the malware in the community forums. [http://steamcommunity.com/discussions/forum/12/624074858744872509/]

Bart Blaze, a malware researcher at Panda Security, looked into the matter further [http://bartblaze.blogspot.ro/2014/11/malware-spreading-via-steam-chat.html]. The link leads to a file on Google Drive and immediately downloads the .SCR file, a screensaver file, with a picture of a woman as the icon.

"Note that normally, the Google Drive Viewer application will be shown and this will allow you to download the .scr file," Bart Blaze wrote. "In this case, the string '&confirm=no_antivirus' is added to the link, which means the file will pop-up immediately asking what to do: Run or Save."

If you have downloaded the malware, first exit Steam immediately, then open Task Manager and locate temp.exe, wrrrrrrrrrrrr.exe, vv.exe, or "a process with a random name, for example 340943.exe."

Scan your computer with the antivirus you use, and then scan again with a different one. After deleting the malware, change your Steam password, and change the password on any other sites where you use the same one. You can also enable the visibility of file extensions [http://windows.microsoft.com/en-us/windows/show-hide-file-name-extensions#show-hide-file-name-extensions=windows-7].

As always, be careful when clicking on shortened URLs, even when sent by a friend.

Source: Bartblaze [https://blog.malwarebytes.org/fraud-scam/2014/11/rogue-scr-file-links-circulating-in-steam-chat/]
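
The traits the article describes (a bit.ly shortener, a file name that starts with IMG but ends in .SCR, and a Google Drive link carrying `confirm=no_antivirus`) can each be checked mechanically before a link is opened. The sketch below is an added example, not code from Malwarebytes, Bart Blaze or this article; the host lists, image-name hints, function names and sample links are assumptions constructed for illustration, and it also covers double extensions such as `.jpg.scr`, which the article does not mention.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

SHORTENERS = {"bit.ly"}  # the article names bit.ly; extend for your environment
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}  # assumed Drive hosts
# Windows extensions that run on double-click; .scr is the one in the article
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
IMAGE_PREFIXES = ("img", "image", "photo", "pic")  # assumed naming hints


def filename_findings(name):
    """Judge a file name by its last extension, the one Windows acts on."""
    base = posixpath.basename(unquote(name)).strip().lower()
    stem, ext = posixpath.splitext(base)
    if ext not in EXECUTABLE_EXTS:
        return []
    findings = [f"executable extension {ext}"]
    double_ext = posixpath.splitext(stem)[1] in IMAGE_EXTS  # e.g. photo.jpg.scr
    if double_ext or stem.startswith(IMAGE_PREFIXES):
        findings.append("name imitates an image")
    return findings


def triage_link(url, download_name=None):
    """Return findings for a chat link and, if known, the offered file name."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if host in SHORTENERS:
        findings.append("shortened URL hides the destination")
    confirm = parse_qs(parts.query).get("confirm", [])
    if host in DRIVE_HOSTS and "no_antivirus" in confirm:
        findings.append("Drive link skips the viewer page")
    return findings + filename_findings(download_name or parts.path)


# Constructed samples, not real indicators
SAMPLES = [
    ("https://bit.ly/EXAMPLE", None),
    ("https://drive.google.com/uc?id=EXAMPLE_ID&confirm=no_antivirus",
     "IMG_0012.scr"),
    ("https://example.com/gallery/IMG_0012.jpg", None),
]

if __name__ == "__main__":
    for url, name in SAMPLES:
        print(url, "->", triage_link(url, name) or ["no findings"])
```

A shortened link yields only the "hides the destination" finding, so the check is most useful when run again on the expanded URL and on the file name the browser offers to save.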

 

Covarr

PS Thanks
May 29, 2009
1,559
0
0
I've been getting a lot of friend requests from complete strangers lately, in spite of not playing anything on Steam except Half-Life 2 in the last several weeks. I was starting to wonder if I had some abnormally valuable item in my inventory that I didn't know about, but this seems more likely.

P.S. Thanks
 

Worgen

Follower of the Glorious Sun Butt.
Legacy
Apr 1, 2009
15,014
3,880
118
Gender
Whatever, just wash your hands.
Covarr said:
I've been getting a lot of friend requests from complete strangers lately, in spite of not playing anything on Steam except Half-Life 2 in the last several weeks. I was starting to wonder if I had some abnormally valuable item in my inventory that I didn't know about, but this seems more likely.

P.S. Thanks
Well, I don't see anything in your inventory so it might have been cleaned out.
 

flying_whimsy

New member
Dec 2, 2009
1,077
0
0
Ever since they introduced the steam wallet I've been waiting for stuff like this to start happening. With how many millions of dollars passing through steam there's bound to be some efforts to compromise the platform. At least this is something that you can see coming: I fear the day when something piggybacks on an update.
 

cikame

New member
Jun 11, 2008
585
0
0
I try to never click shortened links, I always observe the link address to ensure I'm going somewhere legit.
Be smart, all these link shortening sites did was create a way to hide useful information from you, if the link is not from your most trusted source, ignore it.
 

Dr.Awkward

New member
Mar 27, 2013
692
0
0
Dear Russian//Ukrainian friends: ) does not equal ! in the English language. And in this situation, that kind of mistake really reveals where this originates.

But with this malware and inventory breach, previous gifts and trades that are sketchy, and the Earbud Mafia, Valve really needs to do something about some of its Eastern European abusers. Unfortunately Valve Time applies to when we'll see a proper solution.
 

Covarr

PS Thanks
May 29, 2009
1,559
0
0
Worgen said:
Well, I don't see anything in your inventory so it might have been cleaned out.
Hmm, apparently it's set to private. So it was almost definitely either people attempting to spread malware, people attempting to phish valuable accounts, or people adding randoms to look at inventories, and not people who specifically wanted something I had. Good to know.

P.S. Thanks

P.P.S. If I'd known it was private, I would've changed it forever ago, in case I ever stumble into something worth more than I realize.
 

kailus13

Soon
Mar 3, 2013
4,568
0
0
Is this why I received a friend request from {"unassigned}"?

I'd never open anything with the Steam browser anyway, it's a lot slower than copy-pasting it into Firefox and there's no antivirus you can put on it.
 

Skeleon

New member
Nov 2, 2007
5,410
0
0
Well, good thing I keep Steam's functionality to an absolute minimum then, seeing as I already hate it even without malware (unless you count Steam itself, of course).
I'd also appreciate it, if they got around to fixing the receipts at some point.
Man, how I hate having to use it.
 

Redlin5_v1legacy

Better Red than Dead
Aug 5, 2009
48,836
0
0
Even though a seasoned Netizen will see through these easily, throwing up these PSA's is still a necessity. If you have friends on Steam who are... less than aware of malware, you may want to share this with them.
 

FalloutJack

Bah weep grah nah neep ninny bom
Nov 20, 2008
15,489
0
0
Aha! So, the best method to prevent people from getting lured in by spambots on Steam is to...tell everybody on Steam. Wait a minute...

(But seriously, tell people and nip this in the bud.)
 

Rad Party God

Party like it's 2010!
Feb 23, 2010
3,560
0
0
Same as Covarr, I've been getting a lot of friend requests from complete strangers, also I tend to NOT trust private profiles with random names.
 

Rad Party God

Party like it's 2010!
Feb 23, 2010
3,560
0
0
NuclearKangaroo said:
Valve better starts doing something about these scam attempts, this is the second major one this year
They did actually, they added a kind of warning message after clicking ANY kind of URL, very annoying for my friends and I, but kind of necessary nowadays.
 

cyber95

New member
Feb 28, 2008
107
0
0
Man, I respond to bots all the time with things like that all the time. My incredible wit is wasted on things that can't appreciate it.
 

CpT_x_Killsteal

Elite Member
Jun 21, 2012
1,519
0
41
https://www.malwarebytes.org/

This is what I use to get rid of the pesky viruses that often slip through AVG. I recommend it to everyone.
 

choren64

New member
Aug 2, 2011
17
0
0
SupahGamuh said:
NuclearKangaroo said:
Valve better starts doing something about these scam attempts, this is the second major one this year
They did actually, they added a kind of warning message after clicking ANY kind of URL, very annoying for my friends and I, but kind of necessary nowadays.

Thank goodness too, the warning message actually saved my computer. I got one of these phony messages recently and tried to close it, but my finger slipped and I ended up clicking on the link by accident. Steam managed to warn me about clicking on untrusted URLs before anything began downloading...
 

SomeLameStuff

What type of steak are you?
Apr 26, 2009
4,291
0
0
choren64 said:
Thank goodness too, the warning message actually saved my computer. I got one of these phony messages recently and tried to close it, but my finger slipped and I ended up clicking on the link by accident. Steam managed to warn me about clicking on untrusted URLs before anything began downloading...
Downloading the file should still be safe, you have to run the file for it to do anything. But still, not downloading it is much, much safer.

This popped up on the Dota 2 Reddit a few days ago. I got quite a few "friend requests" myself when I got my hands on a $130 item, all which stopped once I sold it on the Steam Market.