"immediately infecting you"
SCR files are exactly the same as EXE files. The only difference is the extension, and it will be coded to accept CLI parameters for screen saver functionality in real screen savers.
So as long as you do not open them, it can't infect you.
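Added example, not part of the comment above or of the thread: a content check that treats a file by what its bytes are rather than by its name, so a `.scr` is handled as the executable it is and a PE file behind a `.JPG` name is flagged. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Extensions Windows launches as programs; a .scr is loaded just like an .exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}

def fake_pe() -> bytes:
    # Constructed sample: bare MZ/PE header bytes only, not a runnable program.
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\x00\x00" + b"\x00" * 20

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    # PE: 'MZ' DOS header whose e_lfanew field (offset 0x3C) points at 'PE\0\0'.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"

def verdict(name: str, data: bytes) -> str:
    """Compare what the name claims with what the bytes actually are."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff(data)
    if kind == "pe" and ext not in EXECUTABLE_EXTS:
        return "block: executable disguised as " + (ext or "extensionless file")
    if kind == "pe":
        return "block: executable (" + ext + " runs like .exe)"
    if ext in EXECUTABLE_EXTS:
        return "block: executable extension"
    return "allow: " + kind

if __name__ == "__main__":
    for name, data in [("screen_00000.scr", fake_pe()),
                       ("photo.JPG", fake_pe()),
                       ("photo.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 16)]:
        print(name, "->", verdict(name, data))
```
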
Funny, that. The person who gave me the first message (to let me know the thing even existed) told me he caught it through just clicking on an image link. No prompt to save a file to anywhere, no need to even open it. The only reason his antivirus didn't intercept it was because he had it temporarily disabled while he was downloading a huge patch for some game or other (I think it was interfering or slowing the process, or so he claims? I dunno).
He clicked the link, got a blank page, then realised what just happened when people started replying to the automated message it gave out. When I received the message, I was suspicious, so opened it in a browser separate from steam, and NOD32 caught and prompted me if I wanted it scrubbing. I can't verify if what this guy said was accurate, but hasn't there been malware that transmits itself through adbars, that didn't require manual opening?
I mean, christ, as I mentioned elsewhere, self-running executables have been around since the days of hclean32. I won't claim to know how all varieties of malware operate, but user interaction is not always required. In this case, all it needs the user to do is navigate to the site serving as a vector.
Someone posted a link on my profile (I deleted it); here, the guy who posted on my profile has the same (twice) on his profile:
I haven't clicked it, so I don't know if it's related to this Trojan of yours. But better be on the watch out as well.
I again got a scam attempt from a private profile, with the usual scr file.
Played with the link inside a virtual machine: the scr file is hosted at a googleusercontent site, which is obviously owned by Google. The file name is usually a "screen_#####.scr".
I peeked inside the contents, and I assume it probably creates a new (admin?) user under the "Users" directory...
https://dl.dropboxusercontent.com/u/9813034/K%C3%A9perny%C5%91k%C3%A9p%20%E2%80%93%202015-01-16%2018%3A44%3A36%20censored.png
Edit : The latest mutation appears to be targeting profile comments, claiming to be an inventory screenshot of someone who wants to set up a trade, but still operates in the same way. Be careful!
~~
There is a recent trojan with a little twist going around like wildfire at the moment.
Instead of the usual dumb link to an obvious malware site or infected file, this trojan instead travels through your steam friends lists, and appears as a direct link to an image file on a normal image hosting site. Now, think about this for a moment, if a close friend of yours sent you a message saying "Wow, some people : http://photo-wrangler.net/12513.JPG" you probably wouldn't think twice about clicking it, would you?
When you try to access the site, it attempts to stealth-download something (usually an .scr) into your computer without giving the user any prompts such as the usual "save to" dialog box, immediately infecting you and relaying the same message to everyone on your steam friends list. People have said that this trojan is designed to get access to your steam inventory and gift your gear away to a bot, but I cannot confirm that. I would be more worried about it leaving keyloggers or taking your account password. If you have a good antivirus or anti-malware installed, you will probably get an interrupt-alert that prevents it if you try to visit in a browser window external to steam, but I would still be careful because these kinds of things tend to try to adapt over time.
For reference, the message itself (at this point) appears to be : "WTF?????? [evil link].JPG"
If you got this message, don't click it, alert the sender that they're infected, and advise them to scan for malware / look for keyloggers in their active processes, and then to change their password.
.
TL;DR VERSION :
There is a trojan going around the steam friends lists that is using a direct image link instead of a suspicious file. It is literally a link to a .JPG file that looks like a random piece of humour/news.
Here's a quick summary image I made myself of what to look out for : http://i59.tinypic.com/2mg2uth.jpg
Seriously. Yes. It is that easy to get caught by it. No, it isn't a joke. That image I just posted is a reminder that if you think your shit doesn't stink just because you don't open random .XLS and .EXE files, consider how the average steam conversation goes, and how innocent image links can seem and slip by your guard.