Malware Spreading via Steam Chats, Gains Access to Inventory

roseofbattle

News Room Contributor
Apr 18, 2011

Be cautious of any URL shortener or else you could be downloading malware from friends and strangers on Steam.

Malware researchers are warning all Steam users to be aware of a .SCR (screensaver) file that appears harmless but will actually steal items from Steam users' inventories.

Security company Malwarebytes [https://blog.malwarebytes.org/fraud-scam/2014/11/rogue-scr-file-links-circulating-in-steam-chat/] said once a computer is infected with the malware, the victim's session ID on Steam and inventory are at risk. In addition, the virus sends further messages to the victim's friends list. The message includes a link to what appears to be a photo. The URL is shortened through bit.ly, with IMG at the start of the full URL and a .SCR extension.

Christopher Boyd of Malwarebytes said, "Just because the name of the file says 'IMG' at the start doesn't mean it's actually an image file. The extension in these cases is the giveaway, and users of Steam should ensure they're not being set up for a harsh lesson in digital shenanigans."

Earlier in the week, Steam users wrote about the malware in the community forums. [http://steamcommunity.com/discussions/forum/12/624074858744872509/]

Bart Blaze, a malware researcher at Panda Security, looked into the matter further [http://bartblaze.blogspot.ro/2014/11/malware-spreading-via-steam-chat.html]. The link leads to a file on Google Drive and immediately downloads the .SCR file, a screensaver file, with a picture of a woman as the icon.

"Note that normally, the Google Drive Viewer application will be shown and this will allow you to download the .scr file," Bart Blaze wrote. "In this case, the string '&confirm=no_antivirus' is added to the link, which means the file will pop-up immediately asking what to do: Run or Save."

If you have downloaded the malware, you should first exit Steam immediately and open Task Manager and locate temp.exe, wrrrrrrrrrrrr.exe, vv.exe, or "a process with a random name, for example 340943.exe."

Scan your computer with the antivirus you use, and then scan again with a different one. After deleting the malware, change your Steam password and the password on any other sites where you use the same one. You can also enable the visibility of file extensions [http://windows.microsoft.com/en-us/windows/show-hide-file-name-extensions#show-hide-file-name-extensions=windows-7].

As always, be careful when clicking on shortened URLs, even when sent by a friend.

Source: Bartblaze [https://blog.malwarebytes.org/fraud-scam/2014/11/rogue-scr-file-links-circulating-in-steam-chat/]
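
The warning signs the article lists (a bit.ly short link, a name that starts with IMG but ends in .SCR, and the '&confirm=no_antivirus' string on the Google Drive link) can be checked mechanically. This is an added Python example, not part of the original post or of either researcher's write-up; the function name `triage_link`, the extension lists, the `/uc?export=download` path and the sample URLs with placeholder ids are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs, unquote
import posixpath

# Extensions Windows runs as programs; .scr is the one named in the article,
# the rest of the list is an assumption added for this example.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
SHORTENER_HOSTS = {"bit.ly"}  # the shortener named in the article
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}


def triage_link(url, filename=None):
    """Return a sorted list of reasons the link deserves caution.

    url      -- the link as seen in chat, or the URL it expands to
    filename -- name of the file the link serves, if already known
                (assumed to have been learned without running anything)
    """
    reasons = set()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)

    if host in SHORTENER_HOSTS:
        reasons.add("shortened-url")  # destination hidden until expanded

    # The article quotes '&confirm=no_antivirus' as the string that makes
    # the download prompt appear at once instead of the Drive viewer page.
    if host in DRIVE_HOSTS and "no_antivirus" in query.get("confirm", []):
        reasons.add("drive-direct-download")

    name = filename or posixpath.basename(unquote(parts.path))
    stem, ext = posixpath.splitext(name.lower())
    if ext in EXECUTABLE_EXTS:
        reasons.add("executable-extension")
        # An 'IMG' prefix or an inner image extension dresses a program up
        # as a picture; the real type is whatever extension comes last.
        if stem.startswith("img") or posixpath.splitext(stem)[1] in IMAGE_EXTS:
            reasons.add("image-lookalike-name")
    return sorted(reasons)


# Constructed samples (placeholder ids, not real indicators).
SAMPLES = [
    ("https://bit.ly/EXAMPLE", None),
    ("https://docs.google.com/uc?export=download&confirm=no_antivirus"
     "&id=PLACEHOLDER", "IMG_0001.scr"),
    ("https://example.com/photos/holiday.jpg", None),
    ("https://example.com/files/photo.jpg.scr", None),
]

if __name__ == "__main__":
    for sample_url, sample_name in SAMPLES:
        print(triage_link(sample_url, sample_name) or ["no-flags"], sample_url)
```

A short link on its own only yields `shortened-url`; the stronger flags need the expanded URL or the served file name, which is why the extension check runs on whichever of the two is available.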

 

Covarr

PS Thanks
May 29, 2009
I've been getting a lot of friend requests from complete strangers lately, in spite of not playing anything on Steam except Half-Life 2 in the last several weeks. I was starting to wonder if I had some abnormally valuable item in my inventory that I didn't know about, but this seems more likely.

P.S. Thanks
 

Worgen

Follower of the Glorious Sun Butt.
Legacy
Apr 4, 2020
Covarr said:
I've been getting a lot of friend requests from complete strangers lately, in spite of not playing anything on Steam except Half-Life 2 in the last several weeks. I was starting to wonder if I had some abnormally valuable item in my inventory that I didn't know about, but this seems more likely.

P.S. Thanks
Well, I don't see anything in your inventory so it might have been cleaned out.
 

flying_whimsy

New member
Dec 2, 2009
Ever since they introduced the steam wallet I've been waiting for stuff like this to start happening. With how many millions of dollars passing through steam there's bound to be some efforts to compromise the platform. At least this is something that you can see coming: I fear the day when something piggybacks on an update.
 

cikame

New member
Jun 11, 2008
I try to never click shortened links, I always observe the link address to ensure I'm going somewhere legit.
Be smart, all these link shortening sites did was create a way to hide useful information from you, if the link is not from your most trusted source, ignore it.
 

Dr.Awkward

New member
Mar 27, 2013
Dear Russian//Ukrainian friends: ) does not equal ! in the English language. And in this situation, that kind of mistake really reveals where this originates.

But with this malware and inventory breach, previous gifts and trades that are sketchy, and the Earbud Mafia, Valve really needs to do something about some of its Eastern European abusers. Unfortunately Valve Time applies to when we'll see a proper solution.
 

Covarr

PS Thanks
May 29, 2009
Worgen said:
Well, I don't see anything in your inventory so it might have been cleaned out.
Hmm, apparently it's set to private. So it was almost definitely either people attempting to spread malware, people attempting to phish valuable accounts, or people adding randoms to look at inventories, and not people who specifically wanted something I had. Good to know.

P.S. Thanks

P.P.S. If I'd known it was private, I would've changed it forever ago, in case I ever stumble into something worth more than I realize.
 

kailus13

Soon
Mar 3, 2013
Is this why I received a friend request from {"unassigned}"?

I'd never open anything with the Steam browser anyway, it's a lot slower than copy-pasting it into firefox and there's no antivirus you can put on it.
 

Skeleon

New member
Nov 2, 2007
Well, good thing I keep Steam's functionality to an absolute minimum then, seeing as I already hate it even without malware (unless you count Steam itself, of course).
I'd also appreciate it, if they got around to fixing the receipts at some point.
Man, how I hate having to use it.
 

Redlin5_v1legacy

Better Red than Dead
Aug 5, 2009
Even though a seasoned Netizen will see through these easily, throwing up these PSA's is still a necessity. If you have friends on Steam who are... less than aware of malware, you may want to share this with them.
 

roseofbattle

News Room Contributor
Apr 18, 2011
I have never been so happy to have so few friends. :p

Though I do occasionally get friend requests I typically ignore if I don't remember the person or... their account is level 1 or something.
 

FalloutJack

Bah weep grah nah neep ninny bom
Nov 20, 2008
Aha! So, the best method to prevent people from getting lured in by spambots on Steam is to...tell everybody on Steam. Wait a minute...

(But seriously, tell people and nip this in the bud.)
 

Rad Party God

Party like it's 2010!
Feb 23, 2010
Same as Covarr, I've been getting a lot of friend requests from complete strangers, also I tend to NOT trust private profiles with random names.
 

Rad Party God

Party like it's 2010!
Feb 23, 2010
NuclearKangaroo said:
Valve better start doing something about these scam attempts, this is the second major one this year
They did actually, they added a kind of warning message after clicking ANY kind of URL, very annoying for my friends and I, but kind of necessary nowadays.
 

cyber95

New member
Feb 28, 2008
Man, I respond to bots all the time with things like that all the time. My incredible wit is wasted on things that can't appreciate it.
 

CpT_x_Killsteal

New member
Jun 21, 2012
https://www.malwarebytes.org/

This is what I use to get rid of the pesky viruses that often slip through AVG. I recommend it to everyone.
 

choren64

New member
Aug 2, 2011
SupahGamuh said:
NuclearKangaroo said:
Valve better start doing something about these scam attempts, this is the second major one this year
They did actually, they added a kind of warning message after clicking ANY kind of URL, very annoying for my friends and I, but kind of necessary nowadays.

Thank goodness too, the warning message actually saved my computer. I got one of these phony messages recently and tried to close it, but my finger slipped and I ended up clicking on the link by accident. Steam managed to warn me about clicking on untrusted URLs before anything began downloading...
 

SomeLameStuff

What type of steak are you?
Apr 26, 2009
choren64 said:
Thank goodness too, the warning message actually saved my computer. I got one of these phony messages recently and tried to close it, but my finger slipped and I ended up clicking on the link by accident. Steam managed to warn me about clicking on untrusted URLs before anything began downloading...
Downloading the file should still be safe, you have to run the file for it to do anything. But still, not downloading it is much, much safer.

This popped up on the Dota 2 Reddit a few days ago. I got quite a few "friend requests" myself when I got my hands on a $130 item, all which stopped once I sold it on the Steam Market.
 

MASTACHIEFPWN

Will fight you and lose
Mar 27, 2010
CpT_x_Killsteal said:
https://www.malwarebytes.org/

This is what I use to get rid of the pesky viruses that often slip through AVG. I recommend it to everyone.
Malwarebytes doesn't actively defend, though.

It's a great scanner, I will give it that, but it can't prevent malware from doing its dirty work, only remove it, and that's usually after you realize something is wrong. (They do have a premium version that might include a firewall, though I'm not sure).

OT: We are familiar from the school, so entrust in me your inventory.
 

Ninonybox_v1legacy

New member
Apr 2, 2008
I have been waiting on steam to help me with a hacked account for 2 weeks now, it takes them 3 or 4 days to respond after I reply to a message they sent. This is totally unrelated to this however, but steam really needs to get its shit together.
 

Roxas1359

Burn, Burn it All!
Aug 8, 2009
MASTACHIEFPWN said:
It's a great scanner, I will give it that, but it can't prevent malware from doing its dirty work, only remove it, and that's usually after you realize something is wrong. (They do have a premium version that might include a firewall, though I'm not sure).
I believe the premium version does indeed have a Firewall come packaged with it. I love Malwarebytes as a scanner though. I had a virus that had rooted itself deep in my OS, and it prevented new drivers from installing, even via discs. Malwarebytes managed to fix it so that was good for me. I never would have even noticed the problem either if I didn't have a pain trying to install the drivers for the new wireless mouse I had purchased.
 

Avaholic03

New member
May 11, 2009
ninonybox360 said:
I have been waiting on steam to help me with a hacked account for 2 weeks now, it takes them 3 or 4 days to respond after I reply to a message they sent. This is totally unrelated to this however, but steam really needs to get its shit together.
With millions of concurrent users, it's practically impossible to police all the scams and help everyone immediately. In most cases, hacking is easily preventable, and if more people used basic common sense it wouldn't really be a problem. The fact that these half-baked hacking attempts ever work is kind of a shame, and I have a tough time feeling sorry for people who fall for them.
 

RicoADF

Welcome back Commander
Jun 2, 2009
ninonybox360 said:
I have been waiting on steam to help me with a hacked account for 2 weeks now, it takes them 3 or 4 days to respond after I reply to a message they sent. This is totally unrelated to this however, but steam really needs to get its shit together.
Do you have email verification enabled?
If not I highly recommend it once you get your account back, I recommend it to everyone with a steam account as the extra layer of security. Even Origin has it.
 

CpT_x_Killsteal

New member
Jun 21, 2012
MASTACHIEFPWN said:
CpT_x_Killsteal said:
https://www.malwarebytes.org/

This is what I use to get rid of the pesky viruses that often slip through AVG. I recommend it to everyone.
Malwarebytes doesn't actively defend, though.

It's a great scanner, I will give it that, but it can't prevent malware from doing its dirty work, only remove it, and that's usually after you realize something is wrong. (They do have a premium version that might include a firewall, though I'm not sure).

OT: We are familiar from the school, so entrust in me your inventory.
Well yeah, it gets rid of, but doesn't prevent.
 

NuclearKangaroo

New member
Feb 7, 2014
SupahGamuh said:
NuclearKangaroo said:
Valve better start doing something about these scam attempts, this is the second major one this year
They did actually, they added a kind of warning message after clicking ANY kind of URL, very annoying for my friends and I, but kind of necessary nowadays.
well it's clearly not idiot proof enough
 

Stg

New member
Jul 19, 2011
Honestly, who would fall for this? Especially that type of broken form of communication.
 

Gennadios

New member
Aug 19, 2009
NuclearKangaroo said:
Valve better start doing something about these scam attempts, this is the second major one this year
The first scam attempt being Greenlight?

Stg said:
Honestly, who would fall for this? Especially that type of broken form of communication.
It's actually not that uncommon for Steam Traders to send out random friend requests if you have some of the rarer TF2 swag in your inventory, and not all of them speak perfect English.

That aside, as surprising as it may be, there are people out there that fall for this kind of stuff.
 

Nuuu

New member
Jan 28, 2011
My friend must have fallen for it (somehow), as he sent me a picture link with the message "Hey, look i won a courier" with a linked screenshot.jpg image called "Picture4u". Of course I already heard about this virus spreading around, but I haven't talked to this friend in a long time and have no idea what a "courier" is. (I assume it's DOTA 2 related).

I looked the hijacked person's account and warned the person I knew who has an insane amount of hours on TF2 and CS:GO. Said he scanned the link he got with a VM and it was something that actually had to be downloaded, but I guess there are different versions of this virus.
 

Svarr

New member
Nov 2, 2011
Bit LY is kind of a dangerous thing nowadays, but then again so is ignorance as always.
 

Johnson McGee

New member
Nov 16, 2009
Gennadios said:
Stg said:
Honestly, who would fall for this? Especially that type of broken form of communication.
It's actually not that uncommon for Steam Traders to send out random friend requests if you have some of the rarer TF2 swag in your inventory, and not all of them speak perfect English.

That aside, as surprising as it may be, there are people out there that fall for this kind of stuff.
Yeah, I got a random friend request and accepted thinking it was a trade request. A quick look at the (mostly empty) profile coupled with the broken English made my response to him saying "a friend was trying to add but couldn't because of error please click this link" a quick "LOL, deleted."

That link actually started as steamcommunity so I'd advise people to be careful of those as well, since it probably won't trigger steam's confirmation.
 

Strazdas

Robots will replace your job
May 28, 2011
yeah this was doing rounds for a week. apparently just like with Skype virus, there are so many people that totally fall for this. worst thing is people don't learn. I know a person that fell for skype virus 6 times.

kailus13 said:
Is this why I received a friend request from {"unassigned}"?

I'd never open anything with the Steam browser anyway, it's a lot slower than copy-pasting it into firefox and there's no antivirus you can put on it.
that unassigned guy seems to be the source of this malware. he is constantly being reported as spreading it.

Steam Browser is useless. on regular browser you got security, addons and faster functionality. I even got steam set up to automatically use Firefox on links.
 

AstaresPanda

New member
Nov 5, 2009
yeh I clicked on this shit, but avast told me they blocked something and nothing was in my chrome downloads. Did a scan and it found nothing. I'm hoping that's the end of it but I'm still paranoid
 

Ninonybox_v1legacy

New member
Apr 2, 2008
RicoADF said:
ninonybox360 said:
I have been waiting on steam to help me with a hacked account for 2 weeks now, it takes them 3 or 4 days to respond after I reply to a message they sent. This is totally unrelated to this however, but steam really needs to get its shit together.
Do you have email verification enabled?
If not I highly recommend it once you get your account back, I recommend it to everyone with a steam account as the extra layer of security. Even Origin has it.
Oh I have all the bells and whistles enabled, luckily this seems to be the best worst hacker ever. None of my items are gone, they just put $100 in my steam wallet with some card I don't recognize and used $97 of it. I also seem to have a Strange Huo-Long Heater in TF2 now though. I know the hacker is from Russia though, or at least using a Russian email. I know because they put up the family pin lock system after they got in, and if you click "forgot my pin" it will show you a message saying where it is going to send a pin reset email after you click send. They also got into my battle.net account, however that was quickly solved. They tried to buy the new WoW expansion, but I guess they spent all their money on the $100.
 

deathbydeath

New member
Jun 28, 2010
If anyone wants to know the best way to handle spambots, that chat log in the OP is a good role model.
ninonybox360 said:
Oh I have all the bells and whistles enabled, luckily this seems to be the best worst hacker ever. None of my items are gone, they just put $100 in my steam wallet with some card I don't recognize and used $97 of it. I also seem to have a Strange Huo-Long Heater in TF2 now though.
Best hacker ever.
 

RenegadeDuck

New member
Oct 9, 2014
Ha! The joke is on these scammer-losers! I don't have any friends on steam to chat with!

*Sobs lightly for a moment*

Joking aside, I don't think I've ever seen a scam attempt so obviously sleazy at a glance. I mean, just look at the message in the OP. "We are familiar from the school))"? Oh yeah, familiar from the school. I totally buy that. Never mind the suspicious link and the message telling me to look at their picture, I would be able to tell something is up when some stranger with hilariously broken English randomly contacts me and claims they somehow have figured out who I am from my profile that gives no information about me and knows me from "the school." (Elementary? Middle school? High school? College? No? Just "the school"?)

I'm sorry, I know it's obvious to everyone here that a message like this could only be a scam, I'm just shocked that there are people out there who would actually fall for a trap so humorously easy to spot.
 

Sizzle Montyjing

Pronouns - Slam/Slammed/Slammin'
Apr 5, 2011
I fell for this I guess? I mean, it was sent from my brother, and addressed me as such, which is what threw me off.
Of course my brother was like 'Oh yeah it did that to all my friends' and didn't tell me... thanks.
But, nothing is gone from my steam, I didn't actually open it and purged my pc immediately afterwards and I seem ok...
 

DoPo

"You're not cleared for that."
Jan 30, 2012
RenegadeDuck said:
and knows me from "the school." (Elementary? Middle school? High school? College? No? Just "the school"?)
In all fairness, it's a bog standard phishing line. Usually used in email because older people 1. may not remember the name or do remember it (e.g., "Hey, I'm Nick") but it's been a long time 2. are more likely to click on stuff by "friends". It provides an OK cover. On Steam, the "school" angle works rather well, since a lot of Steam users would be students - in any of those.

However, then again

RenegadeDuck said:
I'm sorry, I know it's obvious to everyone here that a message like this could only be a scam, I'm just shocked that there are people out there who would actually fall for a trap so humorously easy to spot.
Yeah, I agree it's easy to spot. But I don't agree that it's easy to spot for everybody. Users are morons, that's the first rule of dealing with them. Any user. For anything tech related.
 

Hutzpah Chicken

New member
Mar 13, 2012
And here I thought everyone just really wanted my Strange Sydney Sleeper...

I specifically specify that people do not add me to trade, likewise, I don't accept friend requests from random people unless I played an exceptional round of CS:GO with them or some Mann Vs. Machine.

Might need to change that...
 

Piorn

New member
Dec 26, 2007
SPACE DAMMIT, I just got one of those and absent-mindedly clicked on it, but closed it immediately before it even fully opened the tab in my browser.
Currently scanning my PC, but I don't think anything downloaded.