
Steam messages screen.scr VIRUS DO NOT OPEN THESE


23 replies to this topic

#1 zingo156


Posted 18 November 2014 - 07:48 PM

Guys,

 

I was sent a message in Steam that said: is this you in the photo?

I noticed the file extension was *.scr and recalled that CryptoLocker frequently used these to infect computers. I did not open it and nor should you if you get these messages! Turn on your file extensions so you can see them! Tell those friends to change their passwords.

 

Here is the virus total report for the file: https://www.virustotal.com/en/file/a254d0a149d7a07626c1f99a7ebf6eaacbf481e784108b0ed4ab8f9e9fef96c0/analysis/


Edited by Orange Blossom, 19 November 2014 - 05:36 PM.
Moved to General Security. ~ OB

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.


 


#2 NickAu


Posted 18 November 2014 - 08:03 PM

Thanks for the info.

 

What I want to know now is why only 8 out of 55 antiviruses picked that up?



#3 zingo156


Posted 18 November 2014 - 08:08 PM

It is very new; it looks like the first upload to VirusTotal was: 2014-11-14 17:18:35 UTC (4 days, 9 hours ago) and then the compilation timestamp is: 2014-11-14 15:23:49

Update: 2 of my friends have told me they have received the same message from at least 5 others on their list in the past 10-20 minutes. It seems Steam accounts may have been compromised or are being hacked somehow.


Edited by zingo156, 18 November 2014 - 10:02 PM.


#4 zingo156


Posted 18 November 2014 - 08:44 PM

I forgot to mention that the message was from a legitimate friend who I had played with only 2 days prior!


Edited by zingo156, 18 November 2014 - 08:46 PM.


#5 Lehr


Posted 18 November 2014 - 09:38 PM

Just to reaffirm, as long as I don't click this link I'll be fine, correct?


And as I say that, my friend tries to send me something just like this. Oh boy.

Edited by Lehr, 18 November 2014 - 09:46 PM.


#6 zingo156


Posted 18 November 2014 - 09:46 PM

> Just to reaffirm, as long as I don't click this link I'll be fine, correct?

Yes you should be fine.

 

I tested this in a virtual box and this is what happens: You get the message from the friend, click the link, that opens a new webpage in your browser, a file prompt comes up for you to save or run. At this point you are still not infected. If you click run the virus installs and you are infected. If you click save, you will have a file saved (wherever you chose to save it) but you are not infected if you only chose to save the file. If you open that saved file, the virus installs.

 

Only if you have physically opened or clicked run on the screen.scr will you become infected with this current version.

 

Also another UPDATE: one of my friends got back to me (I sent them a text to run scans on their PC and then change their password on Steam and other accounts); they were infected with a virus. Unfortunately they have not sent me any info on that infection. I believe it was a keylogger of some sort and this is how their Steam account was hacked.

 

I am still concerned by the fact that 2 of my friends were sent the same message from different friends that I do not even have on my list. I suspect this is a fairly large issue at the moment.


Edited by zingo156, 18 November 2014 - 09:48 PM.
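
A defensive triage sketch for the point made in this thread, that a .scr file is an executable and has to be spotted by its extension (added example, not part of any poster's message). It goes slightly beyond the thread by also flagging image-style double extensions and renamed PE files; the extension sets, finding labels and every sample name except `screen.scr` are assumptions, and the sample bytes are constructed.

```python
import os
import tempfile

# Types Windows runs on double-click; a .scr screensaver is an ordinary PE file.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif"}
# Harmless-looking extensions used as a decoy in front of the real one.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

def classify(path):
    """Return findings for one file; an empty list means nothing flagged."""
    stem, ext = os.path.splitext(os.path.basename(path).lower())
    with open(path, "rb") as fh:
        is_pe = fh.read(2) == b"MZ"  # DOS/PE magic at offset 0
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
        if os.path.splitext(stem)[1] in DECOY_EXTS:
            findings.append("double-extension")
        if is_pe:
            findings.append("pe-header-confirmed")
    elif is_pe:
        findings.append("pe-content-under-other-name")
    return findings

def scan(folder):
    """Map file name -> findings for every flagged file in folder."""
    report = {}
    for entry in sorted(os.listdir(folder)):
        full = os.path.join(folder, entry)
        hits = classify(full) if os.path.isfile(full) else []
        if hits:
            report[entry] = hits
    return report

def demo():
    """Write constructed sample files (not real malware) and scan them."""
    samples = {
        "screen.scr": b"MZ\x90\x00constructed",         # file name from the thread
        "photo.jpg.scr": b"MZ\x90\x00constructed",      # constructed decoy name
        "holiday.jpg": b"\xff\xd8\xff\xe0constructed",  # JPEG magic, benign
        "setup.dat": b"MZ\x90\x00constructed",          # PE bytes, renamed
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return scan(tmp)
```

Calling `scan()` on a downloads folder returns only the flagged files, so an empty dictionary means nothing matched these checks.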


#7 Lehr


Posted 18 November 2014 - 09:50 PM

Indeed it is.

Two of my friends (Sophia and Foster) both sent me messages just now saying 'do not trust any links from people you know'. Apparently someone all three (Foster/myself/Sophia) of us knew fell for it and lost their account shortly after.

Edited by Lehr, 18 November 2014 - 09:50 PM.


#8 zingo156


Posted 18 November 2014 - 09:52 PM

> Indeed it is.
>
> Two of my friends (Sophia and Foster) both sent me messages just now saying 'do not trust any links from people you know'. Apparently someone all three (Foster/myself/Sophia) of us knew fell for it and lost their account shortly after.

By lose your account, did the person that hacked the account log in and change your password? This would be really bad as a lot of people have a ton of money invested in Steam games. They very well might be targeting Steam accounts to resell the account and also infect people with their virus.


Edited by zingo156, 18 November 2014 - 09:59 PM.


#9 Lehr


Posted 18 November 2014 - 10:02 PM

I have no clue. The person affected by it isn't someone I know in real life, but they aren't on my friends list anymore and I can't seem to find them no matter what I search. I assume that it would be the same age-old trick of getting into someone's account and changing their password(s).

#10 zingo156


Posted 18 November 2014 - 10:08 PM

The friend that I warned did not lose her account, maybe due to me sending her a (phone) text to change her password right away. What happened in my case was this: my friend came on, I saw the "yourfriend is now online" message, then I got a message from her and because I know her well I nearly clicked on the link. Then she went offline after sending me the same message 2 times. After I got the same message 2 times in a row and she went offline I suspected something was up and fired up the virtual box to test the link/file.


Edited by zingo156, 18 November 2014 - 10:09 PM.


#11 Lehr


Posted 18 November 2014 - 10:13 PM

I lack a virtual box/way to test this myself and all I know is my friend apparently lost their account to this. That or the person that told me this was wrong. I do hope your friend gets their account back, however.

#12 zingo156


Posted 18 November 2014 - 10:18 PM

> I lack a virtual box/way to test this myself and all I know is my friend apparently lost their account to this. That or the person that told me this was wrong. I do hope your friend gets their account back, however.

No fun! I am currently chatting with my friend after this whole virus message thing; she has changed her password and I assume her account is safe for the time being. She cleaned out her virus prior to changing her password, which is good advice for anyone who has an account that may have been hacked.



#13 Lehr


Posted 18 November 2014 - 11:10 PM

Let's just hope it doesn't have some hidden Trojan or some crap. Anyway, glad she's okay. Also another one of my friends received the same link in a message, they didn't click it though. It might be a while before this stupidity passes, so watch what you click folks.

#14 Without_A_Monitor


Posted 18 November 2014 - 11:11 PM

Many thanks for the info, zingo.

I had a slightly similar experience with xfire the other week. Someone hacked my account while I was on it, which signed me off of it because the person/people logged into my account while I was online. I signed back in, only to have it happen again. I then immediately changed my password and ran scans with RKILL, ESET NOD32 and Emsisoft. Nothing was found. Additionally, my laptop has shown no signs of infections from my understanding. It does not seem to be infected. It seems to be the case that whoever logged into my account and tried to hack it while I was online was unable to do anything else than simply log into it twice before I changed my password.

Edited by Without_A_Monitor, 18 November 2014 - 11:13 PM.


#15 NickAu


Posted 19 November 2014 - 12:00 AM

 

> It is very new, it looks like the first upload to virus total was: 2014-11-14 17:18:35 UTC (4 days, 9 hours ago)

Slightly off topic, and my rant for the week.

That's a long time in the Linux world. That malware signature should have been added to all the antivirus mumbo jumbo within 24 hours at most.

While I know it's not the same thing, can you imagine the bash shell exploit being around for so long without a patch? Linux devs react fast to security stuff; patches are out within hours, not days.

These AV companies need to put the customer first. Who cares who found it first? Share the signature with everybody, put out the update and protect the customer.


Edited by NickAu1, 19 November 2014 - 12:01 AM.




