
Possible virus in .scr file



#1 undeadmens

undeadmens

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:41 PM

Posted 26 November 2014 - 01:11 AM

Recently I was trading on Steam with someone who seems quite odd and has sent me a link to a website hxxp://kingpic.eu/nj8929h382gj09.png which comes up with a .scr file (tell me if it doesn't come up).

 

I am just wondering what I am dealing with here and if it is safe to run


Edited by undeadmens, 26 November 2014 - 02:38 AM.




#2 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 12,732 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:03:41 PM

Posted 26 November 2014 - 01:59 AM

I just downloaded this and scanned it at Virus total.

 

https://www.virustotal.com/en/file/0ec071af50d5118d9098485783840d2e2c2423688fa789632db0979a3fed55da/analysis/1416985054/

 


 

I am just wondering what I am dealing with here and if it is safe to run

IMHO..................NO

 

Post reported. And I have PM'ed somebody who knows this stuff.


Edited by NickAu1, 26 November 2014 - 02:17 AM.


#3 Naathim

Naathim

    Bleepin' Minion


  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:06:41 AM

Posted 26 November 2014 - 02:13 AM

I am just wondering what I am dealing with here and if it is safe to run


No files from an unknown / unreliable source should be downloaded. Bear this in mind please.

*.scr is an executable and it actually looks like a dropper of a trojan. Stay away from it please.

And also edit your post changing http:// links to hxxp:// please. You don't even realize how many people will just blindly click on the links given.


Radek Naathim Pawelczyk

Malware Removal Specialist

 



#4 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 12,732 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:03:41 PM

Posted 26 November 2014 - 02:18 AM

Thanks Naathim

 

 

 

undeadmens

You didn't run it, did you?


Edited by NickAu1, 26 November 2014 - 02:20 AM.


#5 undeadmens

undeadmens
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:41 PM

Posted 26 November 2014 - 02:33 AM

God no

 

I thought it was odd so I came running here 


Edited by undeadmens, 26 November 2014 - 02:35 AM.


#6 undeadmens

undeadmens
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:41 PM

Posted 26 November 2014 - 02:38 AM

 

I am just wondering what I am dealing with here and if it is safe to run


No files from an unknown / unreliable source should be downloaded. Bear this in mind please.

*.scr is an executable and it actually looks like a dropper of a trojan. Stay away from it please.

And also edit your post changing http:// links to hxxp:// please. You don't even realize how many people will just blindly click on the links given.

 

Sorry about that, fixed it.



#7 undeadmens

undeadmens
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:41 PM

Posted 26 November 2014 - 02:50 AM

Thanks for the help. I have reported the guy on Steam, and I am happy to say the response was quick and he was banned.



#8 Naathim

Naathim

    Bleepin' Minion


  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:06:41 AM

Posted 26 November 2014 - 03:17 AM

Sorry about that, fixed it.

Thank you :)

Stay safe!
Naat

Radek Naathim Pawelczyk

Malware Removal Specialist

 



#9 rp88

rp88

  • Members
  • 2,967 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:41 AM

Posted 26 November 2014 - 12:51 PM

scr is a Windows screensaver file, it is not an exe file but it can more-or-less do anything an exe can including being a virus. There are plenty of instances of criminals sending people something that they claim is an image, getting the victim to download the "image" and then open it. What the criminals do is either put a double file extension sneakyfile.png.scr, and hope the user only notices the png part as Windows will usually hide the second file extension so the average user would only see sneakyfile.png. In other cases the criminals might not even bother with double extensions, just get the user to open something which they say is an image but is really an scr file. As Windows (by default) hides file extensions the user wouldn't realise the file was not what it claimed to be until it was too late. Don't download random files from random people who message you, don't download scr files and make sure to set up Windows so it "displays full extensions for known file types" under "folder options".
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB
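
The double-extension trick described in the post above can be checked mechanically. This is an added example, not part of the original thread or any poster's code: a Python triage function that compares what a file name claims with what its leading bytes are. The extension lists, the `triage` and `sniff` names, and the sample byte strings are assumptions constructed for illustration.

```python
import hashlib
from pathlib import PureWindowsPath

# Extensions Windows runs directly (illustrative subset; .scr runs like .exe).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Extensions a lure typically pretends to be (illustrative subset).
DECOY_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".pdf", ".txt", ".doc"}
# Leading magic bytes of the formats compared here.
MAGIC = {b"MZ": "pe-executable", b"\x89PNG\r\n\x1a\n": "png",
         b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}


def sniff(data: bytes) -> str:
    """Identify content by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(name: str, data: bytes) -> dict:
    """Flag names that hide an executable extension or mismatch the content."""
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    final = suffixes[-1] if suffixes else ""
    reasons = []
    if final in EXEC_EXTS:
        reasons.append(f"final extension {final} is executable")
        # sneakyfile.png.scr displays as sneakyfile.png when extensions are hidden
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            reasons.append(f"decoy extension {suffixes[-2]} before {final}")
    kind = sniff(data)
    if kind == "pe-executable" and final not in EXEC_EXTS:
        reasons.append("content is a PE executable but the name says otherwise")
    # The SHA-256 is what a scan-service lookup keys on; it changes on repack.
    return {"name": name, "content": kind, "suspicious": bool(reasons),
            "reasons": reasons, "sha256": hashlib.sha256(data).hexdigest()}


# Constructed sample inputs: header bytes only, not real files.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = [("sneakyfile.png.scr", PE_STUB), ("holiday.png", PNG_STUB),
           ("photo.png", PE_STUB)]

if __name__ == "__main__":
    for fname, blob in SAMPLES:
        r = triage(fname, blob)
        print(r["name"], r["content"], r["suspicious"], r["reasons"])
```
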

#10 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:03:41 PM

Posted 26 November 2014 - 10:52 PM

This is the scan for that particular file... the new version.

 

https://www.virustotal.com/en/file/62021f28fe1f636a23d9865ecc114e3cc78410ca63b661866afdd0f52e33e7be/analysis/1417059975/

 

the SHA has changed... the author is trying to obfuscate the malware and has succeeded with many AV programs.


Edited by TsVk!, 26 November 2014 - 10:54 PM.


#11 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,663 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:41 AM

Posted 27 November 2014 - 03:37 PM

The size has also changed considerably: from around 821KB to 541KB.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#12 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:03:41 PM

Posted 27 November 2014 - 11:36 PM

Why is the link still in the thread?



#13 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 12,732 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:03:41 PM

Posted 28 November 2014 - 04:39 AM

Finally the antivirus companies are waking up.

 

Detection ratio: 20 / 56

 

https://www.virustotal.com/en/file/62021f28fe1f636a23d9865ecc114e3cc78410ca63b661866afdd0f52e33e7be/analysis/1417167431/





