"immediately infecting you"
SCR files are exactly the same as EXE files. The only difference is the extension, and they will be coded to accept CLI parameters for screen saver functionality in real screen savers.
So as long as you do not open them, it can't infect you.
Funny, that. The person who gave me the first message (to let me know the thing even existed) told me he caught it through just clicking on an image link. No prompt to save a file to anywhere, no need to even open it. The only reason his antivirus didn't intercept it was because he had it temporarily disabled while he was downloading a huge patch for some game or other (I think it was interfering or slowing the process, or so he claims? I dunno).
He clicked the link, got a blank page, then realised what just happened when people started replying to the automated message it gave out. When I received the message, I was suspicious, so I opened it in a browser separate from steam, and NOD32 caught and prompted me if I wanted it scrubbing. I can't verify if what this guy said was accurate, but hasn't there been malware that transmits itself through adbars, that didn't require manual opening?
I mean, christ, as I mentioned elsewhere, self-running executables have been around since the days of hclean32. I won't claim to know how all varieties of malware operate, but user interaction is not always required. In this case, all it needs the user to do is navigate to the site serving as a vector.
Someone posted a link on my profile (I deleted it); here the guy who posted on my profile has the same (twice) on his profile:
I haven't clicked it so I don't know if it's related to this Trojan of yours. But better be on the lookout as well.
I again got a scam attempt from a private profile, with the usual scr file.
Played with the link inside a virtual machine: the scr file is hosted at a googleusercontent site, which is obviously owned by Google. The file name is usually "screen_#####.scr".
I peeked inside the contents, and I assume it probably creates a new (admin?) user under the "Users" directory...
https://dl.dropboxusercontent.com/u/9813034/K%C3%A9perny%C5%91k%C3%A9p%20%E2%80%93%202015-01-16%2018%3A44%3A36%20censored.png
Edit: The latest mutation appears to be targeting profile comments, claiming to be an inventory screenshot of someone who wants to set up a trade, but still operates in the same way. Be careful!
~~
There is a recent trojan with a little twist going around like wildfire at the moment.
Instead of the usual dumb link to an obvious malware site or infected file, this trojan instead travels through your steam friends lists, and appears as a direct link to an image file on a normal image hosting site. Now, think about this for a moment, if a close friend of yours sent you a message saying "Wow, some people : http://photo-wrangler.net/12513.JPG" you probably wouldn't think twice about clicking it, would you?
When you try to access the site, it attempts to stealth-download something (usually an .scr) into your computer without giving the user any prompts such as the usual "save to" dialog box, immediately infecting you and relaying the same message to everyone on your steam friends list. People have said that this trojan is designed to get access to your steam inventory and gift your gear away to a bot, but I cannot confirm that. I would be more worried about it leaving keyloggers or taking your account password. If you have a good antivirus or anti-malware installed, you will probably get an interrupt-alert that prevents it if you try to visit in a browser window external to steam, but I would still be careful because these kinds of things tend to try to adapt over time.
For reference, the message itself (at this point) appears to be: "WTF?????? [evil link].JPG"
If you got this message, don't click it, alert the sender that they're infected, and advise them to scan for malware / look for keyloggers in their active processes, and then to change their password.
.
TL;DR VERSION :
There is a trojan going around the steam friends lists that is using a direct image link instead of a suspicious file. It is literally a link to a .JPG file that looks like a random piece of humour/news.
Here's a quick summary image I made myself of what to look out for : http://i59.tinypic.com/2mg2uth.jpg
Seriously. Yes. It is that easy to get caught by it. No, it isn't a joke. That image I just posted is a reminder that if you think your shit doesn't stink just because you don't open random .XLS and .EXE files, consider how the average steam conversation goes, and how innocent image links can seem and slip by your guard.
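As an added illustration (not part of the original thread) of two points made in it, that an .scr file is an ordinary Windows executable and that a link ending in .JPG can deliver one, this Python sketch compares what a link claims to be with the bytes actually delivered. The function names, the saved file name and the sample byte strings are constructed for the example.

```python
import struct
from pathlib import PurePosixPath
from urllib.parse import urlparse, unquote

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}

def is_pe(data):
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def sniff(data):
    """Identify content by magic bytes, ignoring whatever the name says."""
    if is_pe(data):
        return "pe-executable"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"

def assess(url, saved_name, data):
    """Return findings where the link's claim and the delivered file disagree."""
    link_ext = PurePosixPath(unquote(urlparse(url).path)).suffix.lower()
    file_ext = PurePosixPath(saved_name).suffix.lower()
    kind = sniff(data)
    findings = []
    if kind == "pe-executable":
        findings.append(f"content is a Windows executable (saved as {file_ext or 'no extension'})")
    if link_ext in IMAGE_EXTS and file_ext in EXEC_EXTS:
        findings.append(f"link ends in {link_ext} but the download is named {file_ext}")
    if link_ext in IMAGE_EXTS and kind not in ("jpeg", "png", "gif"):
        findings.append(f"link ends in {link_ext} but content is {kind}")
    return findings

# Constructed samples: a 64-byte DOS header whose e_lfanew (offset 0x3C)
# points at a PE signature, and a buffer that starts with JPEG magic bytes.
FAKE_SCR = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"\0" * 60

if __name__ == "__main__":
    for line in assess("http://photo-wrangler.net/12513.JPG", "screen_00000.scr", FAKE_SCR):
        print("WARNING:", line)
```
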