Today I was brought to the attention of a Tumblr post - apparently there's malware doing the rounds making use of Steam chat, (adding Steam friends and) spamming Steam users.
Example message:
"karpathos" sending a bit.ly link (Image source) |
Onyx is right, the link's indeed phishy and uses bit.ly (a URL shortener) to trick users into clicking it. Remember the worm that spread via Skype and Messenger last year? (reference here and here) This is a similar campaign.
Setup
Someone adds you on Steam, you accept and immediately a chat pops up as similar to above.
Alternatively someone from your friends list already got infected and is now sending the same message to all his/her friends.
The bit.ly link actually refers to a page on Google Drive, which immediately downloads a file called IMG_211102014_17274511.scr, which is in fact a Screensaver file - an executable.
The file is shared by someone named "qwrth gqhe". Looks legit.
Note that normally, the Google Drive Viewer application will be shown and this will allow you to download the .scr file. In this case, the string "&confirm=no_antivirus" is added to the link, which means the file will pop-up immediately asking what to do: Run or Save.
(and in some cases download automatically)
At time of writing, the file is actually still being hosted by Google Drive. I have reported it however.
Afterwards, you're presented with the screensaver file which has the following icon:
Image of IMG_211102014_17274511.scr file |
Opening the file will result in installing malware on your system, which will steal your Steam credentials.
Technical details
IMG_211102014_17274511.scr
Original Filename: wrrrrrrrrrrrr.exe
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
SHA1: 7d0575a883fed7a460b49821c7d81897ae515d43
VirusTotal: link
185.36.100.181
Server in Czech Republic. VirusTotal reference |
Downloads and executes:
temp.exe
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
SHA1: cd9b3bf5c8d70e833b5c580c9b2fc1f3e5e4341e
VirusTotal: link
Interesting information in the debug path, note the "steamstealer" string. |
Remediation
What if you clicked the link and executed the file? Follow these steps:
- Exit Steam immediately
- Open up Task Manager (CTRL + SHIFT + ESC) and find a process called temp.exe, wrrrrrrrrrrrr.exe, vv.exe or a process with a random name, for example 340943.exe or a process similar to the file you executed
- Launch a scan with your installed antivirus
- Launch a scan with another, online antivirus or install & scan with Malwarebytes
- When the malware has been disinfected or deleted, change your Steam password - if you use the same password for other sites, change those as well
- De-authorize any unknown machines, read how to do that here:
Family Library Sharing User Guide - Verify none of your Steam items are missing - if so, it is advised to reinstall Steam as well.
Note: move the Steamapps folder (default on C:\Program Files\Steam\Steamapps) outside of the Steam directory to prevent your games from being deleted - Contact Steam/Valve in order to get your items back:
Send a ticket to Steam support
Prevention
- Be wary when someone new or with Level 0 adds you on Steam and immediately starts sending links
- In fact, don't click on links someone unknown sends to you
- If you receive a link which is a URL shortener (bit.ly or goo.gl for example), you can use GetLinkInfo to see the real URL
- If you did click the link, don't open or execute anything else - just close the webpage (if any) or cancel the download
- By default, file extensions are not shown. Enable 'Show file extensions' to see the real file type. Read how to do that here
- Install WOT - WOT is a community-based tool and is therefore very useful for those fake screenshot websites, whereas other users can warn you about the validity.
- Follow the tips by Steam itself to further protect your account:
Account Security Recommendations - If you trade a lot or want to check if a Steam account has a bad reputation, you can use SteamRep:
https://steamrep.com/ - SteamRep has also set up a Safe Trading Practices guide.
- Consider setting up the Steam Guard Mobile Authenticator (2FA).
- There's a useful guide in preventing scams on this Reddit link as well.
- Install an antivirus (which one doesn't matter, as long as you have one) and keep it up-to-date and running.
- Enable the Windows Firewall, or use the one that comes with the antivirus software, if relevant.
- For sysadmins/network administrators, I have created an IOC on AlienVault OTX with all known (to me at least) SteamStealer IPs.
Conclusion
Never click on unknown links, especially when a URL shortener service like bit.ly is used. (others are for example t.co, goog.gl, tinyurl, etc.)
Don't be fooled by known icons or "legit" file descriptions, this can easily be altered.
Even if you clicked the link and you're not suspicious, you should be when a file is downloaded and it's (in this case) a screensaver file.
For checking what is really behind a short URL, you can use:
For checking whether a file is malicious or not:
Follow the prevention tips above to stay safe and protect yourself from the SteamStealer malware.
I got a message on Steam with "WTF..". and a link...
ReplyDeleteGot this as well. Took all items.
DeleteHi Anonymous,
DeleteI advise to scan your machine with any antivirus and Malwarebytes (for example). Afterwards, reinstall Steam and change your Steam password.
i got one with this link
Deletehttp://fast-capture.com/img_72938.png
its now sending the link to all my friends however other than that i haven't noticed anything
Hi Anonymous,
Deleteif it was able to send the link to your friends, then you have been infected with this malware. If you haven't noticed anything, you may not have had items worth stealing.
In any case, I still advise you to perform a full scan with your antivirus and with Malwarebytes for example. Better be safe than sorry.
Cheers!
I got sent a link as well by a trusted friend. didn't click it obviously as it was obviously BS. but this seems to be another URL they use.
DeleteObviously, DO NOT CLICK:
http://uploadscreen.com/img_72938.png
Why should you reinstall steam if your items are hijacked??
Delete@Anonymous #1: nice catch!
Delete@Anonymous #2: in some cases, certain .VDF files (config files that Steam uses) are edited by the malware. If your items are hijacked, you can assume those files have been modified and it is best to either restore them to an earlier date (with a Shadow Copy for example) or to reinstall Steam.
I´ve got the same massage from this guy:\u272a metrozen
DeleteBe carefull and if u notice him please ban him in any game and so on so that he isn`t able to give more and more people this message:
\u272a metrozen: Hello friend. I want to buy your item http://uploadscreen.com/img_72938.png (screenshot) or exchanged for Asiimov?
But I´ll bet his name is just a fake name!
Hi James,
DeleteYep, those are indeed all scammer accounts, made by bots and there exist a lot of them. If you encounter them, don't hesitate to report them.
Cheers!
Hey, Bart. I also had this link on my Steam: Hoth'Raka 5 hours ago
DeleteHi bro you need it? http://captures-web.com/screenshot.png .. . ... that guy is level 7 on Steam also, and that's really bad that he got infected.
Hi Kelem,
Deletethanks for your feedback! If you are friends with that person on Steam, feel free to refer him/her to these steps:
http://bartblaze.blogspot.com/2014/11/malware-spreading-via-steam-chat.html#Remediation
Interesting, two different variants of steamstealer. I had a completely differently behaving one just this saturday. http://linustechtips.com/main/topic/250771-steam-hacked/page-3#entry3438693
ReplyDeleteInteresting indeed, I haven't completely disassembled the files above, but I did see it was also a .NET application.
DeleteDo you have a hash to share by any chance? Cheers.
Sadly not, I deleted the executable as soon as I had written up that post. The original file seems to be gone now; the link that used to spread it comes up with a 404. However, I did find this malwr.com analysis with matching filename: https://malwr.com/analysis/ODVlY2JkYjUxOTU1NGYyY2IwMTRiYjZmNTA2NjU0OTk/
DeleteThat's looking to be it; it has a recent date and is also a .NET application.
Thanks, looks like that file indeed. I'll check it out.
DeleteI was also about to contact Valve to include an extra checkbox like for example "warn me about external links". Checked by default, but uncheckable of course... It's something. Did you hear back from Valve?
Cheers!
I do think it does that with URLs containing the word "steam", and possible others, too. I did hear back from them; they said they were working on preventing applications from abusing Steam's resources this easily, as well as track the accounts that stole valuable items using steamstealer.
DeleteI got this message from some random dude on steam:
DeleteWhat's up? A few days ago I played with you , and took awesome screenshot of you! You can download screenshot here - drive.google.com/folderview?id=0ByRcUdAPR4i5Z0ZmalFCMG1pMEU I think you can even use it as avatar on steam. Tell me, if you like it :)
I think its a scammer because the profile is trash and I have never seen him before and he also didnt specify which game "we played".
Thanks Anonymous, it's confirmed malware as well. If you still happen to have the account which spammed you with it, please feel free to comment it here.
DeleteSome new scammers are online. I got this. Behind that jpg is a .scr file. Today it was got by 3 AV companies. I hope it get banned soon. Check out on VirusToal
ReplyDeleteHi, i want to trade for my items Dota 2 / CS GO, all i have on screenshot http://screens-save.ru/image_047.jpg , have DC hook, arcanes, BattleFury, sets, AWP, Knifes. If interested, look at the screenshot and write me.
Thanks for the report! I will check it out as soon as possible.
DeleteRegards
Looks like this one (it's in Indonesian) but it could easily be translated into Englsih: https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=rndc.or.id%2Fwiki%2Findex.php%3Ftitle%3DAnalisis_Singkat_Malware_Steam_Stealer&edit-text=&act=url
DeleteYes, looks like it. Apparently, this variant also does not use obfuscation.
DeleteFor the record, the sample's MD5 hash is:
c785a872801fca731b5bbeee877b6a6d
Everything has been reported to Valve, thanks for your comment!
Got this today too
Delete2 people tried to do this to me..they send the link and i click it and it download the screensaver.png but i didn't open it as it ask for admin access, i deleted it
ReplyDeleteAm i safe or did the virus still get in my computer?
Hi Akbar,
DeleteYes, if you didn't run it then you should be safe.
To double-check, you can always run a scan with your antivirus and with Malwarebytes for example.
Regards
Hi, I've need "hacked" recently may i know if it would end after the person took my item?
ReplyDeleteHi,
DeleteIf you indeed notice items are missing, check your Trade History and open a ticket with Steam/Valve to report it.
Secondly, uninstall Steam, run a scan with your antivirus and double-check with another (Malwarebytes for example), then install Steam again and change your password.
I've reformatting my PC so does the "scammer" have anyway to try to take my items again?
DeleteNo, there is no way the scammer can take your items again after you've reformatted your machine AND change your Steam password.
DeleteThanks you're the best.
DeleteWill that person get my email and password when they hack me? (not steam)
ReplyDeleteHi,
DeleteIn the variants I've seen no other email addresses and passwords are stolen.
However, it is a good idea to change your Steam password as well as on the sites where you used the same password.
I also got scammed via this link
ReplyDeletehttp://fastpicture.net/5oj9B4342.png/
there is a .scr file behind:
screenshot-5oj9B4342.scr
my items are lost but i opened a steam support ticket though. The hacker also writed a phishing link to my friendslist members in my absence during last night.
Also i did a report on SteamRep:
http://forums.steamrep.com/threads/report-76561198159646942-csgo-counter-strike-global-offensive-items.84994/
Where u can find further information about it.
I changed my password a 2nd time from a non-infected PC. Today i will clean my PC with follwing these guides:
http://steamcommunity.com/sharedfiles/filedetails/?id=288873991
http://www.selectrealsecurity.com/malware-removal-guide
So have i forgot anything that i could make? Do u need more information?
I just want my skins back and get the hacker busted.
Hi Anonymous,
DeleteBesides opening a ticket with Steam/Valve, you should perform:
- a scan with an antivirus and Malwarebytes (for example)
- only AFTER the malware has been removed, uninstall Steam
- change your Steam password
- install Steam again
- de-authorize any unknown machines
Then you should be safe after performing these steps. If you have issues with any of these steps, or the malware cannot/is not removed, don't hesitate to let me know.
i also got hacked, all items lost.. Do i need to delete the steamapps folder too?
ReplyDeleteNo, that is not necessary (normally).
DeleteI found this one scammer, here is full steam chat log.
ReplyDelete============================================================
Monday, December 01, 2014
Synapse: What's up? A few days ago I played with you , and took awesome screenshot of you! You can download screenshot here - http://d.pr/11RXa I think you can even use it as avatar on steam. Tell me, if you like it :)
Tuesday, December 02, 2014
Synapse: What's up? A few days ago I played with you , and took awesome screenshot of you! You can download screenshot here - drive.google.com/folderview?id=0ByRcUdAPR4i5Z0ZmalFCMG1pMEU I think you can even use it as avatar on steam. Tell me, if you like it :)
============================================================
I think every day he will send a message like this. Probably 12:00 midnight on the dot, viruses have never really been good at being subtle. However, I did notice the link changed between messages. They are constantly changing the link to "be sneaky."
Tell me if you get anything on this.
Hi Nathan,
DeleteSeems like the same malware indeed - the link is also still live. Usually Google Drive is (more or less) pretty fast to clean up though.
Cheers
Hey Bart,
ReplyDeleteToday I wasn't thinking straight and also downloaded a Malware. I downloaded it from this website: http://eldevinmmo.eu/ ( obviously a malware, be careful people :p )
I downloaded the "game" and my items were gone immediately. I tried a lot of malware scanners but none found something. Could you please check the file for me? I need to know if it does anything else then trading my items and what I can do to prevent it the next time (because I am not sure if it is deleted)
Hi Anonymous,
DeleteI've investigated the website (and downloaded sample) and can confirm it's malware.
This one seems to only reside in memory, so delete the downloaded file AND clear all your temporary files. (use a program like CCleaner for example)
Afterwards, change your Steam password to be on the safe side. Also contact Steam/Valve in the hopes to retrieve your items.
When you check your trade history, can you send me the profile to where it got sent to? If still possible, cancel the trade.
Hey,
DeleteThanks for the answer and sorry for the late respons! Here is the profile to which my items got traded too:
http://steamcommunity.com/id/senamm
I wasn't able to cancel the trade offer because it got instantly accepted. I cleared my temp files immediately after so I am happy that the malware is gone. I sent Valve an email and they are willing to give my items back, but Valve isn't the fastest when it comes to customer service :(
Thanks a lot!
Hi Anonymous,
DeleteIn that case you should be safe again indeed. Hopefully you'll recover your items!
My pleasure and should you have any other questions don't hesitate to let me know.
Regards
Hey Bart,
ReplyDeleteThis just happened to me, someone in my friend list which got a dc hook and some expensive stuff suddenly msg me and ask me to open this http://fastpicture.net/5oj9B4342.png/
which i download and try to opened it, it said its an Autocad Script file so i opened it but it open a notepad file instead.
From the comments above i think its a phising link, i already remove the file that i downloaded earlier,
download a malware removal from https://www.malwarebytes.org/mwb-download/
install it immediately, scan my PC, remove all the malware it has found, then whats next? pls reply asap before they take my stuff thanks bart
Hi Anonymous,
DeleteSeems like you have a newer variant of the SteamStealer malware.
In this case, a version of NetSupport was installed. You need to do the following:
- Open Task Manager and kill a process called "client32.exe".
- Go to the folder location: %appdata%. In here is a folder called "sysfiles". Remove this folder manually. (this folder is hidden)
- Go to the folder location: C:\Program Files and remove the folder:
"NetSupport". Also check in the folder C:\Program Files (x86) if there is a NetSupport folder.
- Clear all your temporary files. (use a program like CCleaner for example)
- If still possible, cancel any trades in Steam you haven't added yourself.
- Reboot your machine now. Reinstall Steam. Change your Steam password. De-authorize any unknown machines in Steam.
After all this, contact Steam/Valve in hopes of retrieving your stolen items (if any).
Let me know if you have further questions or something is unclear.
Regards
Hey Bart its me again,
ReplyDeletethanks for the fast reply, well i clicked that link after he went offline then after i realize something is wrong, i immediately remove him as friend and block him, well then after that i do all the stuff i mentioned earlier.
Now the thing is there is no client32.exe or the netsupport stuff in my pc currently
And there still no trade offer made by my account, i asked a friend of mine and he is pretty sure that my pc already safe since no items transferred yet.
thanks for the help Bart, does anyone else got the same problem as i do?
Hi Anonymous,
DeleteSounds like you may have been lucky and the malware was not able to connect correctly to the server.
After you've checked there are no traces of NetSupport nor malware, it is safe to assume your Steam account is safe.
I've already encountered several cases, most of them more or less the same - but yours is a new one. Thanks for the report and don't hesitate to ask should you have any further questions!
Cheers.
hey Bart,
Deletethanks a lot for the help, its been like 2 days and i think no items were transferred anywhere since if he got access to my steam of course he already took the 200+ trash rares, uncommons, commons stuff. But something still bugging me, u assume it is safe just like my friend, may i know how sure u are? if its 100% then im gonna take my stuff again from my friend's smurf, thanks again bart
Hi Anonymous,
DeleteIf you've followed all the steps in my comment earlier (including re-installing Steam and changing your password), then I'm 99% sure your machine is safe again.
I'm saying 99% sure because I haven't looked at the machine myself, but if you haven't experienced any strange behavior in the mean time, you can be pretty sure it's safe - especially if MBAM, your antivirus and preferably another online antivirus didn't find anything.
Regards
Hye bart , this just happened to me yesterday :( someone comment on my steam profile says he wanna trade with me i clicked the link ! and i get this some weird pic and then i shut down my laptop and went to bed -,- after that i got a text from my friend saying that i send them a weird message with link and they told that it could be about the new malware virus that i din't knew ;/ so i on my steam n check everything was fine and still got my games items n all so i change my password after that n because i thought i was being hack i was soo panic n i activate that act steam lock which will restrict doing stuff in my steam act and then after i activate that i restart my laptop and then i cant online my steam chat ??! or even text my friend at steam !! D: wtf ?? so basically all mt games still got n my inventory just my chat prob n i'm sure that malware still got in my steam act :( and about the chat prob is it because i turn on that steam act lock ?? and there's one more thing i want to tell you .. earlier this morning my friend saw i was online at steam and when i open my steam it still offline :( and then my friend told my online status was like 1 hour ago( she told me i just online only and dint send any weird shit link her her o-o wtf since i activate the steam act lock like how the heck i could be seen online even i tried to online just now and it just can't at the chat??) ? but before that it was like 9-10 hours ago and i re-check my item n games in steam it still there .. so basically right now i'm waiting the steam support to remove my steam act lock which i hope i did it correctly and could u tell me how to do it correctly like how to prove them i'm then owner by sending them CD keys ? i dun have that i wanted to prove them with my credict card visa but how ? the's no option during i wanted to write that steam support help and i tried myself to remove that malware message virus shit from my steam by this blog i found http://deletemalware.blogspot.com/2014/11/remove-steam-messages-virus-malicious.html while scanning around 2 hours++ i had to register n pay for it ! ughh how am i going to remove them ??? :( please help me i,m scared to loosed my steam ! is there really no way to remove that malware virus from my steam account ?
ReplyDeleteHi Luna,
DeleteFirst of all, what is your Steam account or the URL/link you clicked on? Do you still have this? If so, I can check it out and see what exactly happened.
Secondly, the link you included here is for a download of SpyHunter, which is not exactly trustful software. Remove this program from your machine.
Then, run a scan with Malwarebytes:
https://www.malwarebytes.org/mwb-download/
In regards to your question: no, if you activated the Steam lock then you will still be able to chat or send messages normally. However, you cannot trade items or purchase games. More information:
https://support.steampowered.com/kb_article.php?ref=6416-FHVM-3982
In regards to you being online to your friend but you were actually offline, check out this comment and follow the steps also:
http://bartblaze.blogspot.be/2014/11/malware-spreading-via-steam-chat.html?showComment=1418569709415#c224237205792278011
About you losing your Steam account: do not worry, you will not lose it. Since you also changed your password, you should be pretty safe now.
Follow the steps I indicated above and you should be fine :-). Don't hesitate to comment if you have further questions or doubts!
Regards
hye bart ! thank you so much for the fast reply and about the url/link i click on at my steam account i delete his comment from my profile and i reported him but here's the link i click on yesterday from my browser history ( im scared to click it again so i just copy n paste) here :-
DeleteLink 1 : www.push-me.com and on that time i click it i got this image name "TxNjdf8"(484x158) i.imgurl.com
i don't if that could help you :( and okey tq for the tip's and yes about my question since i activated that steam lock but why i won't able to chat or send messages normally ..but then how did my friend's saw me i online like just few hours ago ?! was it because that malware virus? and no my friend was online im the one can't online everytime i click my steam chat and i click "online" it refused to do it :( i don't know why i tried it a lot's of time but one thing was very weird this thing happened to me.. why it din't stole all my steam game's and inventory ? it just messing around with my chat and it stop spamming my friend with the scam link all it do just online on my steam profile and my friend still keep seeing it thought :/ .. but it was a good thing right ? that i activated that steam lock account.
Hi Luna! My pleasure.
DeleteNormally, in your browser history you can also view the full URL by expanding it. If possible, can you gather me that one? If you are too scared you will click it again, no problem - then just delete your browser history.
Depending on the type of variant of this SteamStealer malware you had, you may have been lucky. Some variants only steal & trade valuable items, others are out to steal your Steam account.
If you follow ALL the steps in my previous comment (Malwarebytes scan, checking for NetSupport), but also clearing up all your TEMP files and re-installing Steam (I advise you to do this, just to be sure), then you should be safe.
If your friends saw you online but you weren't, it's possible someone at the time logged in to your account.
Regards
wow and yes it really just keep online and offline like that
Deleteand okey thank's again and i will do as you said and yes i've just installed Malwarebytes scan and Do the Netsupport soon and clearing the TEMP files and should i revoke the steam lock account now (doing that would took week's thought and while waiting the steam support to reply me ;/) or just leave it temporally ?
but since you've said i can still accessed the chat even in the steam lock? are you sure ? o: and lastly i would like to ask after i've complete followed your step and if i can start online n chat again and when later i removed the steam lock .. will my steam really be okey ? i'm just scared if the malware would be still exist :(
Hi Luna,
DeleteBefore revoking the Steam lock account, run the scan with Malwarebytes and the other steps I provided.
Only AFTER those steps, you can revoke the Steam lock account. When that is done, I would also reinstall Steam. And yes, according to Steam itself you should still be able to chat.
And yes, after all this you will be safe again! :)
Thank's Bart ! :)
Deletebut let's say after i succeed got my steam back and the chat is back to normal and i think it would take week's to revoke back the steam lock.
but just to make sure if my steam is really safe and malware free? how am i going to confirm that?
should i give you a link to my steam profile ?
Hi Luna,
DeleteHave you followed all the steps from above? If so, then you can be quite sure you and your computer are back to safety again :)
Regards
HI Bart ! ,
DeleteAnd yes i've cleared the temp files , used the malwarebytes many time and scan my whole laptop with AVG anti-virus and i have reinstall steam and it's still the same..
i still can't online my steam chat and send message and my online status last seen still the same . always with last online "1 hour ago , 15 min ago or like 55 seconds ago" :(
Hi Luna,
DeleteDo you know if AVG and Malwarebytes detected anything?
In regards to the issue with Steam that you can't chat: this is something you have to pick up with Valve, maybe they have to lift the lock on your account.
Cheers
yes they did detected a few stuff in my laptop and files and i have delete it them all.
Deleteand hmm yes i think it's because of the steam lock ( and nope haven't lifted yet they haven't reply my steam support report ) but if so i can't online why would the online last seen status would be like that ? just now i check my steam profile it's says my last online 24 hours ago (it should be like my last online "5 days ago" even since i locked my steam account) and i check my chat tab and it say's last online was 13 minute ago ?? is it because of the virus still there??
Hi Luna,
DeleteAre you perhaps logged in to Steam via your browser? (so not via the Steam client)
you mean web browser ? erm.. no just logged in normally with the steam app on my laptop .. :/
DeleteHi Luna,
DeleteYou will probably be displayed as online if you logged in to either your browser or via the Steam client, I don't think it depends on you being able to access the chat or not.
If you want, you may always post the logs from the scans here so I can confirm it removed the SteamStealer malware.
I'm afraid that for the chat issue, you'll have to await reply from Valve :(
Oh , hmm i see i guessed it is.. or maybe the malware the one messing with my chat. but i think it should be alright since all my stuff in steam is still there
Deletebut anyways i'm going send my laptop for a check-up and for my steam at computer shop . but thank you so much for helping with my problem !! ♥(ノ´∀`)
and just a final question , did anyone had the same problem as me ? ._. or just the normal with the chat scam spam and the item got stolen..?
Hi Luna,
DeleteMy pleasure! An extra check-up never hurts of course.
There have been quite a lot of people with items that got stolen. Some users have reported other strange behaviour, so you are very likely not the only one with this specific issue.
Don't feel bad about it, it can happen to everyone and the most important thing is nothing got stolen. :)
Feel free to leave a comment if you're in need of help or have other questions, I'd be happy to help.
Cheers!
Oh i see.. , and yeah ! :)
Deleteand i left a reply at your twitter by the way i wanted to show you how the weird problem i got look's like . ( that chat last seen ) .
Hi Luna,
DeleteHopefully your computer is now fully restored after the check-up.
Happy gaming!
Oh ! i got the link that you asked , i copy this from my steam friend profile and this was kinda the exact comment (but different link) i got at my profile but different scammer that posted it :
ReplyDeleteAnali 13 Dec @ 9:05pm
Hi m8, i want trade with you. need this items?
www.puush-me.com/images/image_54128.png/
Hi Luna!
DeleteThanks for the link, I will check it out soon and let you know if it does anything specific.
hey luna and bart i got hacked and sending message to everyone like that because i clicked on my friend chat and then i run the program, and then i abort it bcz i got scared, i check my inventory its still there after that i log out and delete and then i do the malwarebytes thing and right now what i should do i still had no idea what i need to do right now-_-
DeleteHi Anonymous,
DeleteDid Malwarebytes detect and remove anything?
detect and added to quarantine
DeleteExcellent! Do you know the name of the detection by any chance?
DeleteNormally however Malwarebytes is able to delete this malware, as most Antivirus vendors.
After the malware has been cleaned, change your Steam password and check if any items from your inventory are missing.
Hi Luna,
ReplyDeleteI've investigated the sample and, if you follow the steps from my comment above, your Steam account and computer should be safe again. See:
http://bartblaze.blogspot.com/2014/11/malware-spreading-via-steam-chat.html?showComment=1418734868156#c8137556870041964039
Regards
If you need that Steam Stealer builder you can download it from here:
ReplyDeletehttp://steam-hacker-src-2014.blogspot.in/
Thank you Sumit, I will check it out!
DeleteHi I've been hacked, luckily my friends told me its a virus so I went up, checked online and found this site!!! (thank god!)
ReplyDeleteThe link to the virus is: http://pictures-url.com/?screen=img_65577014_192422
Even though I deleted it in my downloads folder.
Steam items disappeared, so now I'm uninstalling...
Also as soon as I finish uninstalling and installing I'll send the name of the person who sent me it.
my stuff are gone and the link was sent to everyone on my friend's list! I hope I dont get reported for that :/
Hi Anonymous,
DeleteYou might get reported for it, so I advise you to open a ticket with Steam/Valve to prevent this and also in order to get your items back as well.
Don't forget to run a scan with an antivirus and also with Malwarebytes for example to be sure the malware is gone.
To be sure, also change your password. Let me know should you have further questions!
I got hacked like this because i run the file or the thing after that i aborted it and it send a message in steam to every one and the message: do you like to trade m8, (i forgot the link) u may like to see the picture
ReplyDeleteHi Anonymous,
Deletethen be sure to follow the steps here in order to remove the malware and get your items back (if anything got stolen):
http://bartblaze.blogspot.com/2014/11/malware-spreading-via-steam-chat.html#Remediation
i got the hackers acc http://steamcommunity.com/profiles/76561197999790513
Deletecan u help me report him?
DeleteHi Anonymous,
DeleteYes, he will also get reported. Cheers!
I've had something similar a while ago and so did my friend, someone asking us to trade and giving us a link to a steam website with a minor alteration like instead of steamcommunity.com (not sure if thats the correct website but lets pretend it is) they send something stupid like steamvommunity.com or steamcomunity.com all look similar but with a single letter difference so thats another one you need to look out for, luckily for us we aren't the people to click on random links and got away safe from this, but they are hard to notice so make sure if someone sends a link to always review it fully.
ReplyDeleteYep very true. There are a lot of so-called typo-squatting domains out there for steamcommunity.com.
DeleteMostly they are simple phishing, in a few cases I've seen phishing and malware combined.
Thank for your comment!
Just thought I'd share some of the snooping I've done on these SteamStealer trojans.
ReplyDeletehttp://pastebin.com/8hbVKEaw
Hi lolcakes,
DeleteGreat catch indeed! Got a ton of those as well, still gathering more and more each day... Eventually they all need to be reported (and to Valve as well).
Thanks!
Hi Bart
ReplyDeletetoday is my bad day
when i go to steam, my friends send mesage, like this
http://imagefrost.su/42g34h2jd312s22be.jpg
and when i download and open it, a lot of my items were gone
what should i do?
is this a new type of malware?
what should i do?
can i get my items back?
thanks a lot bart!
Hi!
DeletePlease follow the steps here:
http://bartblaze.blogspot.com/2014/11/malware-spreading-via-steam-chat.html#Remediation
In this case, you will have to do them all (including reinstalling Steam). Also contact Valve in order to get your items back:
https://support.steampowered.com/newticket.php
Let me know if you have further questions. Cheers!
Hi!
ReplyDeleteI think I have clicked and run one of these malware spreading via steam chat and it looked like these:
I wanna trade with you these items: http://screenst.com/screen_86141.png
I still don't know what happen to my computer or steam acoount when I did download and run it because I don't have seem to find any changes but I still want to delete it from my steam chat because it spread to my friends.
I want to remove it what should I do? Please help thank you.
Hi Anonymous!
ReplyDeleteFirst of all, follow the steps here immediately:
http://bartblaze.blogspot.com/2014/11/malware-spreading-via-steam-chat.html#Remediation
The last 2 steps are probably not necessary in your case. Let me know if you have further questions. Cheers!
Thank you for your help, it seems that when I run it to my computer it also runs a malware virus. I've seen it in my task manager process and I did a scan using anti-malware and quarantine and fix it.
DeleteMerry Christmas to you Bart. :))
Happy to hear your problem is solved and my pleasure!
DeleteMerry Christmas.
today i got same link and i pressed ... but nothing happened .. trovi not find bla bla .. no download no nothing .. i got malware bytes and scaned .. nothing .. i'm in danger ?
ReplyDeleteDouble-check if none of your Steam items are missing. To be sure, do an extra scan with an antivirus and change your password if you deem it necessary.
DeleteOtherwise, you are probably safe and the file is in your Downloads folder (or where you saved it). Just delete that file.
hi i got this message just now i accidentally opened it. after that the link spread to all my friends and some of my item in dota 2 gone what should i do?? and is there any possible way to bring back my item or how can delete those spread links?? pls reply me in my gmail spbabydoll125@gmail.com thank you so much
ReplyDeleteHi Anonymous,
DeleteFollow the steps here immediately:
http://bartblaze.blogspot.com/2014/11/malware-spreading-via-steam-chat.html#Remediation
Contact Valve afterwards to get your items back. Let me know if you have other questions!
How long did it take you to get your items back, Anonymus?
DeleteHi, I was just browsing this blog and curiously opened one of the links someone posted, I dont have steam installed on this machine. Am I safe?
ReplyDeleteHi Anonymous,
DeleteYou are safe in the sense that no password(s) or items from Steam are stolen. I still advise you to perform a scan with your antivirus and with Malwarebytes for example, as you still have malware.
good post, thanks
ReplyDeleteHey. Like an idiot, I clicked the link. Here is the message I got with the link below.
ReplyDeleteDO NOT CLICK THIS LINK
* Hi i want trade with u this item http://pictur-web.org/screenshot_854251.png *
I ran my antivirus and malware programs, changed my password from a different computer and deauthorized all other devices from a different computer. I also sent Steam a ticket telling them what happened. I just wanted to make sure I am OK or if there is anything else I should do.
Hi Anonymous,
DeleteIndeed, by following all those steps you described you should be safe again. In the case any of your items were stolen, I also advise to re-install Steam.
Let me know should you have other questions or concerns.
I followed through all the steps and so far nothing was taken. A friend of mine got the same thing but wasn't so lucky. I'll keep an eye out for the next few days to make sure nothing happened.
DeleteGreat to hear you've been able to remove the malware before it could do any real harm! As for your friend: when he follows the same steps as you did and re-installs Steam completely as last step, it should be fine.
DeleteAnd of course hope Valve will be able to return his stolen items.
For any other questions, don't hesitate to let me know.
Happy holidays.
Why reinstall steam?
ReplyDeleteIn some cases, several files belonging to Steam (.vdf files) are modified by the malware. In such cases, it is advisable to reinstall Steam in order to undo those changes and make your account 100% safe again.
Deleteit can also be called as atieclxx.exe, and also a simillar name. Watch out, people.
ReplyDeleteHi Bart
ReplyDeleteToday i got an friend request on steam from a guy called ´´d2bmna16´´ and he said that he wants to trade with me and he sent a link and said: Look at the picture and see what i have to offer! (something like that). And i fell for it and clickt on the link, it immedetly downloaded a file something .scr! And when it was downloaded i tried to open it. But my win 8 computer stopt me and said something like: We wont let you open this file because of potential threat! I tried open it again and the same message came up. So i dont think its running. I have changed pÃ¥ STEAM password . But what im most afraid of is that they gonna steal my father VISA that is conected to my steam account! The link was saying something like ''Madcash'' i have blocked and deleted d2bmna16. If you want me to send you the link, please tell me where i can find it!
Sorry for my bad english //David//Sweden
Hi David,
DeleteIn your browser history you'll be able to find this "madcash" website normally - if found, please post in your next reply.
As in regards to your father's VISA: normally such data is safe - I have not yet seen any indications this malware is able to steal those details.
First things first is to indeed follow the steps I've provided above, changing your Steam password - as you did- is a good start, but the malware should be removed first.
Have you seen any other behavior or were any of your Steam items missing?
Hi its David again!
ReplyDeleteI scanned my computer with ESET but find nothing, then i scanned with malwarebytes and it find 4 things
Stolen Files (Written in red text)
Stolen Files (Written in red text)
Stolen Files (Written in black text)
Malware.Trace (Written in red text)
If you want more info tell me!
Hi David!
DeleteThat seems great! To be sure, you can always attach the Malwarebytes log and I can have a look.
* Open Malwarebytes, click on the History Tab at the top and select Application Logs.
* Check the box next to Scan Log. Choose the most current scan and click View.
* Copy/paste the content of that log (the one where it indicates Stolen Files) in your next reply.
Cheers!
Update, 2014-12-30 21:20:09, SYSTEM, DAVVE, Manual, Remediation Database, 2013.10.16.1, 2014.12.6.1,
ReplyDeleteUpdate, 2014-12-30 21:20:57, SYSTEM, DAVVE, Manual, Rootkit Database, 2014.11.18.1, 2014.12.29.2,
Update, 2014-12-30 21:20:59, SYSTEM, DAVVE, Manual, Malware Database, 2014.11.20.6, 2014.12.30.8,
Scan, 2014-12-30 21:25:03, SYSTEM, DAVVE, Manual, Start:2014-12-30 21:20:10, Duration:3 min 3 sec, Threat Scan, Completed, 4 Malware Detections, 0 Non-Malware Detections,
Scan, 2014-12-30 21:29:10, SYSTEM, DAVVE, Manual, Start:2014-12-30 21:25:54, Duration:3 min 15 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,
(end)
(DOnt Know if that was what you wanted)
I cant find the madcash thing in the history (control+H). How do i find it?
I havent seen any things been deleted from my steam account!
Please reply if you want to know more :D
Cheers! /David
Hi David,
Deleteseems that's not the most recent log. Can you copy/paste the log where those detections are made?
Cheers!
Self-protection: Disabled
ReplyDeleteOS: Windows 8.1
CPU: x64
File System: NTFS
User: ProGamer
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 357540
Time Elapsed: 3 min, 3 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 1
Malware.Trace, HKU\S-1-5-21-2012611325-4133616438-3897981217-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\DC3_FEXEC, Quarantined, [7d896bd3403c2e08d30968b0a75d8f71],
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 1
Stolen.Data, C:\Users\ProGamer\AppData\Roaming\dclogs, Quarantined, [c046ba846f0dcc6a345550f71de7a858],
Files: 2
Stolen.Data, C:\Users\ProGamer\AppData\Roaming\dclogs\2014-12-23-3.dc, Quarantined, [c046ba846f0dcc6a345550f71de7a858],
Stolen.Data, C:\Users\ProGamer\AppData\Roaming\dclogs\2014-12-24-4.dc, Quarantined, [c046ba846f0dcc6a345550f71de7a858],
Physical Sectors: 0
(No malicious items detected)
(end)
I have one more log if you need!
And how do i find the link? I cant find it in CONTROL+H! Help!! How do i find it??
//David
Hi David,
DeleteIf the link's not there in History, can you check in downloads history in your browser? (default ctrl+j) If you still can't find it, don't worry about it.
This log doesn't indicate the malware got disinfected, only traces. I advise you to run a scan with an online antivirus of your choice.
Let me know should you have further questions.
Hey Bart, I was sent this malware through steam and was stupid enough to run it. All my items are gone. I did a threat scan with malwarebytes and it says that there are no items detected. Please help me remove it. This is the link ---> www.csgoskinduplication.com NOBODY CLICK THAT LINK PLEASE EXCEPT BART SINCE HE KNOWS WHAT HE IS DOING. I DO NOT WANT ANYONE'S SKINS TO GET STOLEN!
ReplyDeleteHi raaga8,
DeleteFollow all the steps here provided in my post:
http://bartblaze.blogspot.com/2014/11/malware-spreading-via-steam-chat.html#Remediation
I can indeed confirm this is malware.
As far as I could see, this malware only resides in memory. Thus:
- Open Task Manager, kill a process named "Brutality CSGO.exe"
- Clear all your TEMP files (use a program like Ccleaner for example)
- Perform a full scan with your Antivirus and another online Antivirus
- Reinstall Steam (do this first) and change your Steam password.
Send a ticket to Valve explaining your situation as well. Let me know should you have any other questions.
Cheers!
Hey Bart, THANKS A BUNCH FOR THE IMMEDIATE RESPONSE! There was no process called Brutality CSGO.exe in my Task Manager. I ran Kaspersky anti-virus and it removed like 5 things. I then ran malewarebytes and it did not remove anything. I ran CCleaner and i cleared my web data and my windows TEMP files and some other things. I re-installed steam and changed my password. Is there a way to ENSURE this malware is gone and out of my system? And will valve give me my items back which were worth around $50? THANK YOU SO MUCH BART! I truly appreciate you and how you are helping others so willingly!
DeleteUPDATE: I checked my scanlog in kespersky and it removed a trojan called " duplicator.exe " I think it was that.. But I still want my skins back, is it guaranteed valve will give them back to me?
DeleteHi raaga!
DeleteTo ensure this malware is completely gone off your system, I'd recommend to do another online scan. I've noticed Eset does pretty well in detecting those SteamStealers. You can use their online scanner here: http://www.eset.com/onlinescan/
And yes, Valve will indeed return your items - though I do not know how fast they are in returning them. I advise you to include as much information as possible in your ticket.
Hey Bart, there was no process called " Brutality CSGO.exe " I ran Kaspersky Anti Virus and it removed 5 things including a Trojan file called " duplicator.exe " ( I'm pretty sure that's the file ) I ran malewarebytes and it did not detect anything. I then ran CCleaner and it cleared my web history, cache, and Windows TEMP files. I then uninstalled steam, ( had to re-install my games ;-; ) Is there a way to confirm 200% that the malware is gone? And will valve give me my items back? I really want them back as I spent $50 on them.. Thanks a bunch, Bart! I appreciate what your doing tremendously and I'm sure other people do as well!
ReplyDeleteHi raaga,
Deletesee my comment above (or see):
http://bartblaze.blogspot.com/2014/11/malware-spreading-via-steam-chat.html?showComment=1420057267424#c4505971883451366798
My pleasure in assisting you and others! Let me know should you have other questions! :)
Cheers.
I found the download! https://doc-0c-0g-docs.googleusercontent.com/docs/securesc/5lidpqcke90acmhem0afrhvhbabtr599/1475cvbuar63m5s900pqag21mes59cre/1419962400000/10985447984494720991/12969645973866962906/0B1HAQwFLNzhaWmR6TVQ2YS1LenM?e=download&nonce=lpfvi6bm7cema&user=12969645973866962906&hash=72c13pes9m9t6qfv3l2sbqat1509k9av
ReplyDeleteImage_5423425.scr
How do i scan with online antivirus? Any advice on wich i should use? Link to it!
You can also tell me about this link that i sent so i know for the next time! :D
Thanks //David! HAPPY NEW YEAR
Hi David,
DeleteIs that the complete link? I wasn't able to download anything from it. Thanks for digging it up!
I've noticed Eset does pretty well in detecting those SteamStealers. You can use their online scanner here: http://www.eset.com/onlinescan/
Simply click Run ESET Online Scanner and follow the instructions. Let me know should you have any other questions.
Happy New Year as well! Cheers!
Thanks! And i'm so sorry for posting so many comments... My replies were not showing up so I got impatient :3
ReplyDeleteAnd also, what info do you recommend I put on the ticket ? Sorry for troubling you so much, I just really want my skins back.
ReplyDeleteHi Raaga,
DeleteAs much information if possible, for example:
- your Steam username (normally already filled in)
- date/time when it happened
- list of items that got stolen
- screenshot from the message you got or link to the profile of the spammer.
- You may also refer to this blog post.
This information should be conclusive but if not - Valve will surely ask for additional information if needed.
Cheers!
I have scanned my computer with ESET online scan and find nothing!
ReplyDeleteAm i safe now?
Hi Anonymous,
DeleteDid you also double-check with Malwarebytes?
It was me :D
Delete//David! And yeah i have scanned my computer with malwarebytes too today!
Hi David!
DeleteIn that case, the malware seems to be completely removed from your system.
Let me know if you have more questions! :)
Thank you so much Bart! You are the best! Keep up the good work!
ReplyDelete//David
My pleasure David. Happy gaming!
Deletethank you thank you thank you!!
ReplyDeleteHi, its me again bart! This is just a random question. If ESET say URL blocked? Am i safe from viruses or what does it mean?
ReplyDelete//David
Hi David,
Deleteexactly what it says: a malicious URL has been blocked and Eset prevented you from being infected from that link.
Feel free to copy/paste the detection report. In short: if you see this pop-up, Eset prevented you (or a program) from visiting a malicious link.
Cheers!
https://www.virustotal.com/en/url/060ac8352696ccee33c7d2620dd3af0b6feabaf267296e2464f2c8315bfb7eae/analysis/1420491756/
ReplyDeletescanned in link there from a bot today.
http://steamcommunity.com/profiles/76561198204383052/
That's the profile that sent the link btw....
and chat below *copied everything in including the infected file link*.
COLH3R :3: Hi man
i am trader, im trading my Unusual tf2 hat, DC HOOK and i have very RARE M9 Bayonet Slaughter (FN) i checked your items and i think what we can trade with you
check my offer at screenshot
http://images-saver.com/screenshot_0415.jpg
COLH3R :3 is now Offline.
COLH3R :3 is currently offline, they will receive your message the next time they log in.
|GM| -M-m-: infected jpg image lel
Thanks for sharing Marcus! User reported and sites + malicious files flagged.
DeleteGot sent this today from another bot...
ReplyDeleteCOLH3R :3: Hi man
i am trader, im trading my Unusual tf2 hat, DC HOOK and i have very RARE M9 Bayonet Slaughter (FN) i checked your items and i think what we can trade with you
check my offer at screenshot
http://images-saver.com/screenshot_0415.jpg
COLH3R :3 is now Offline.
COLH3R :3 is currently offline, they will receive your message the next time they log in.
|GM| -M-m-: infected jpg image... lel noob
https://www.virustotal.com/en/url/060ac8352696ccee33c7d2620dd3af0b6feabaf267296e2464f2c8315bfb7eae/analysis/1420491756/ virustotal link to show the results.'
seems to hide rather good but not good enough, also who belives a lvl 0 account with profile set to private to have a TF2 unusual or similar high valued item from any other game...
Yep, that malware sample was pretty much undetected, but already better now.
DeletePretty obvious those are scammers, as you said very low level and set to private, usually only 1 or 2 games as well with high value items should ring an alarm bell.
Thanks again for your comment!
if the download was blocked by smartscreen when i tried to run it, am i OK? thanks
ReplyDeleteHi Liam!
DeleteYes, if SmartScreen blocked the download or execution of the file, you are safe.
Thank the lord that I Mywot every link that comes my way
ReplyDeleteYep, Mywot/WOT is an excellent tool! Cheers!
DeleteIf I fully downloaded the .scr but DID NOT open the file did I get the virus?
ReplyDeleteHi Anonymous, no you did not get the virus. Simply delete the file and you are safe.
DeleteCheers!
Hello Bart,
ReplyDeleteI recently received a phishy link as well. I have trend Micro and it said basically the file has malicious software and was deleted.
Am I safe?
Hi Anonymous,
DeleteYes, if Trend Micro indicated the file as malware and deleted it, your are safe!
Do you still have the phishy link or a screenshot of the conversation by any chance?
Cheers :)
Hi,
ReplyDeleteI got the message from Cornwallis : "Hello friend. I want to buy your item http://uploadscreen.com/img_72938.png (screenshot) or exchanged for Asiimov?"
link toggles download of some .src file (I declined it, so I think I am safe)
Sent report to Steam.
Hi GinTonic,
DeleteThanks for your feedback! To confirm: yes, if you declined the download, you are safe.
Cheers.
I recently got hit by a file with the .scr extension, it showed up as a picture of a butterfly knife, (CSGO), and replicated it to all of my friends, running antivirus as we speak. I do not have the link anymore.
ReplyDeleteHi robo9292,
Deletethe picture that is being shown is a decoy for the malware doing its evil work behind the scenes.
Follow the steps on this link to properly remove the malware:
http://bartblaze.blogspot.com/2014/11/malware-spreading-via-steam-chat.html#Remediation
Let me know should you have any questions or doubts.
Thank you for the speedy reply, I am interested in exactly how that the file did this to me, so I may prevent it in the future.
DeleteI did actually come across the link for the virus, here it is: http://uploadscreen.com/img_72938.png
DeleteHi robo9292,
Deleteit works by automatically making a trade offer for certain items (rare CS:GO or Dota2 items for example) and automatically accepting the trade.
In some cases, you may be in time to still cancel the trade; otherwise it's best to contact Valve and include as much information as possible.
In this case, the scam did not effect me surprisingly, only the people on my friends list, who had less valuable items than me, ideas?
DeleteHi robo9292,
Deletethe malware spreads itself regardless if you have valuable Steam items or not. So in that case you are "lucky" since none of your inventory would be missing.
However, some variants also attempt to steal your Steam credentials - hence why I also advise to run the scans & change password even when everything seems OK (after having run the malware).
Cheers!
Thank you for the advice and help. Have a good one!
DeleteMy pleasure and same for you! Cheers.
Deletecan u teach me how to use that??
ReplyDeletei want to revenge
b'coz i got scammed but that new scam trick
Hi Ariel,
DeleteWhat would you like to know exactly?
I just logged on to a message from a friend on Steam. It included this link: http://uploadscreen.com/img_72938.png DO NOT CLICK IT!!!!
ReplyDeleteNormally, I don't click links, but my interactions with this person fit with this type of link being sent to me. Immediately, a file download prompt appeared and asked me to "Run" or "Save". I noticed some text that said Google Docs. I clicked the "X", closed everything, and restarted my computer. After the restart, I changed my Steam password upon finding your site.
Is it safe to assume my account is okay since I didn't click Run or Save? Malwarebytes found nothing.
Hi Anonymous,
Deleteif you didn't click Run or Save then yes, you are safe.
Cheers!
Hey! I just got the virus from a very unsuspicious source ( from an in-game player offering me a trade and sending picture of the object ). However now my inventory is gone. I have ran several scans and all showing that my computer is secured now. However I'm having problems contacting steam support and changing password. Hope it works out soon. Is there any way I can get my items back and how do I know for sure the virus is gone? Thanks!
ReplyDeleteHi 99erre,
DeleteWhich kind of problems are you currently experiencing? In Steam, check your trading history and if still possible, cancel the trade.
Follow the steps on this link to know for sure the virus is gone:
http://bartblaze.blogspot.com/2014/11/malware-spreading-via-steam-chat.html#Remediation
Afterwards, open a ticket with Valve describing your issue. Let me know should you have further questions!
Hello, I know you've been riddled with questions over and over again. But I think my case is different. I got the link from a person I played with before, I sort of trusted them cause we played together for a good long while. But I realized it wasn't actually an image file but an .scr file while it was downloading. So then I immediately canceled the download when only around 35% was downloaded.
ReplyDeleteI'm currently scanning my PC with BITDEFENDER TOTAL SECURITY and MalwareBytes. Right after I cancelled the download I also ran CCleaner and Scanned For Issues with the registry tab, just in case any of the file was left on my PC. Do note, that the file was downloaded from chrome.
Should I be concerned? I will also change my passwords and such after the scans are finished. Unless you think I missed anything important that I should do first. Thanks for taking the time to reply if you do! Cheers.
Hi Anonymous,
Deleteif you got the link from a person you trust, they are most likely compromised or they had contracted the malware.
If you cancel the download, then you are safe as the malware will NOT execute itself. Even if the malware was downloaded, you can still delete it afterwards as well. As long as you don't execute/run it, you're safe.
Changing your passwords once in a while is a good step to take in any case. In short: you are safe and do not need to be concerned.
If you still happen to have the downloadlink somewhere, feel free to post it so I can check it out - also if you have other questions just let me know.
Cheers!
Hi Bart,
ReplyDeleteI've gotten messages like this as well and I'm sure I already know the answer to this because a malware scan showed up as being clean but I just wanted to be sure: If I click on the link, go to the page but cancel the download before it finishes, could I still get infected?
Better safe than sorry, eh?
Thanks for the assistance in advance.
Hi Anonymous,
Deletethat's correct, if you cancelled the download before it finished you are safe.
Even if the file is fully downloaded - as long as you don't execute it you won't be infected.
You're perfectly right, always better safe than sorry.
Cheers!
Hi Bart,
DeleteThanks for your reply. I saw the answer to my question from your reply to the previous person's question 'after' I finished writing mine but by then my post was already processing. Haha, either way, thanks all the same for your response. :) You're doing a good thing here helping the steam community out against these unscrupulous scammers/hackers, good on ya mate and keep up the great work.
Cheers. :D
Hi Anonymous,
Deletethe pleasure was all mine! Stay safe and happy gaming! :D
Cheers.
Hi Bart,
ReplyDeleteI also got those messages and i had about 2,70Euros on my Steam account
now i have 0,03 -.-''.And one of my skins is away i think.
I started with a Kaspersky scan. Do you think i'll be ok if i completed the scan with Kaspersky + CCleaner? Or should i do more.
After scans password change.
But the biggest Problem is:
When i got infected i was eating and while i was eating there were Steam messages sent by me to my friends (i think the hack/scamm/malware did it) with a link to an .scr file :( after that everyone in my friendlist got blocked o.O what should i do now?
Cheers.
Hi Therkima,
Deletebest is to follow the steps as I described below:
http://bartblaze.blogspot.com/2014/11/malware-spreading-via-steam-chat.html#Remediation
To answer your specific questions: if Kaspersky found something, disinfect or remove it. Afterwards, do a scan with Malwarebytes for example.
After the scans you should indeed change your password.
Can you check in Steam under Friends > Blocked users? Are your friends there? Or did you get blocked from your friends' lists? If you cannot restore them from the friends tab, I would open a ticket with Valve.
Let me know should you have further questions. Cheers!
Hi,
DeleteAllright thank you!
I logged in on my ipad changed my password and unblocked my friends - after the password change i didn't log in at my computer -> do i need to change it again after the scans are completed?
Cheers.
Hi Therkima,
DeleteNormally that should not be needed, the exception being when malware was still detected. In that case, remove/disinfect the malware and change your password again for good measure.
"Better be safe than sorry."
Cheers!
thank you :)
ReplyDeletethe steam support didn't answer till now
ReplyDeleteHi Therkima,
DeleteI'm afraid the Steam support has tons of tickets to handle, even more so now with these SteamStealers. Best thing to do is wait until they send you a reply..
Cheers.
Hi,
ReplyDeleteI have a big Problem: The Steam Support deactivated my account because they think I stole other's accounts etc.
What should I do now?
I already wrote a reply where I explained that my Items were stolen and a message was sent by the Virus which was on my pc etc. . . .
I don't want to get banned or stuff like that for things I didn't do
Cheers.
Hi Therkima,
DeleteI suppose here you're not even able to log in to your account, correct?
Since you wrote a reply and provided proof, I'm sure Valve will unblock your account as soon as possible. Best thing to do is wait I'm afraid.
Cheers.
Hi,
DeleteI can log in to my account becaúse i changed the password etc. but they said that I stole other's steam accounts -.-'
Cheers
decompiled source http://rghost.ru/60323236
ReplyDeleteThank you, I will take a look.
DeleteHi Blaze,
ReplyDeletefell for "click on this link" because it looked like it came from a completely trusted friend.
Of course it infected my PC, and sent link to all my friends. (Sorry!)
Now, even logging in from a different PC, if you go to Steam IM and send a message, the bogus "click on this link" is still displayed.
I went through my profile, settings, etc, and can't find out how to delete. Again, since it shows up no matter where I log in from, I guess it's on Steam's server? (Not in my PC or browser object or whatever.)
Any idea how to get rid of it, or does Steam Support have to do that?
Thank you.
Hi Anonymous,
Deletein case your machine is still infected, follow the steps here to ensure the malware is gone:
http://bartblaze.blogspot.com/2014/11/malware-spreading-via-steam-chat.html#Remediation
In regards to your question, this is in all your chat messages with your friends that you're still seeing this link? Can you post a screenshot to clarify?
Cheers!
Hi Bart, thank you--
ReplyDeleteI have logged in from a different machine: downloaded new Steam client (Steam was not installed on this machine, which is Win 8.1), used SteamGuard code to log in, but, malware link still shows in Steam IM window.
Screen shot: really!
http://i.imgur.com/kqMJiT3.jpg
So, in summary: PC that got infected was cleaned--
Logging in from NEW security protected Win8.1 machine: malware link still shows up in IM message window.
Should not be anything in this machine's registry, web browser history, etc, to allow that to happen--which makes me think a string that I can't access got overwritten or added on the Steam server?
Thank you again!!!!!
Hi Anonymous,
Deletegreat to hear your machine is already cleaned!
As in regards to the chat history: I had a feeling this was the case. As far as I know Steam, doesn't store chat history locally.
However, a workaround for this would be to type a NEW message to your friend(s), then exit Steam and start it again. Now the malicious link will be gone in your Steam chat history :)
Cheers!
Thank you,
ReplyDeleteI tried the send message and restart, it's still there:
http://i.imgur.com/39R5MA0.jpg
Hi,
ReplyDeleteI typed a new message, exited steam, rebooted, and: it is still there.
http://i.imgur.com/bNfNB7h.jpg
It looks to me like the malware somehow changed a string affecting my account on Steam's server?
*Machine that got infection is currently deauthorized, steam uninstalled from that machine
*Current machine Win 8.1, new download of Steam client today, the two machines are not authorized to log in to each other. (They are both attached to an Asus RT N66U router, hard wired with Ethernet cables, router running most current Merlin firmware/AsusWRT; router is password protected, username is not "admin", password is good. Very vanilla conservative settings, just looked at log for router, nothing I see that is unusual.)
Unless I am really missing something (happens a lot), it looks like the string of text is coming from Steam's server, not locally.
Hi Anonymous,
Deletereally strange that after typing a new message, exiting and restarting Steam that one is still there...
I highly doubt it's coming from Steam's server though. Have you already submitted a ticket to Valve?
Do you by any chance still have a copy of the malware lying around? Haven't seen the behavior yet you are mentioning, so I'd like to take a look.
Cheers.
Hi Bart,
DeleteI did submit a ticket to Valve regarding the strange text string--and, that text string in the IM window is gone this morning. (I still don't know where it was coming from--)
I tried to look for that infected file, in Quarantine or somewhere on the hard drive, couldn't find it, AV wiped it out and deleted it. Sorry.
Bart, thank you so much for your help! And for your blog--I really appreciate it!
Jim
Hi Jim,
Deletemight have been our workaround that came through. No worries about the infected file, there are still many out there unfortunately.
The pleasure was all mine, happy gaming!
Cheers.
I got the message Hello. I want to trade with you this item http://create-screen.com/screen_30176.png
ReplyDeleteHi Anonymous,
DeleteI can confirm that's a malicious link. If you executed the file, follow the steps here: http://bartblaze.blogspot.com/2014/11/malware-spreading-via-steam-chat.html#Remediation
Thanks for your report! Cheers.
I received this link, looks like it is another malicious site http://picscreenshots.com/Screenshot_031.png/
ReplyDeleteThanks for your report!
DeleteHi Bart! I got a .png link and put the link into my browser and it downloaded a file. I quickly deleted the file, and didn't open it. Am I compromised?
ReplyDeleteThanks,
Luke
Hi Luke,
DeleteIf you didn't open the file but deleted it instead (like you did), you are NOT compromised.
Cheers!
Hi there mates i am here just to make sure. So i make trades in CS:GO lounge and have few trades set up. few ours back some guy in steam named air_d3mon invited me to friends, i accepted i thought he wanted to trade with me. then i got this message: hi i wanna trade with you. here is my offer ( screenshot link ). stupid me pressed it and in my google chrome some file started to download. then my anti virus ( g data total protection) alerted me that this is trojan infected file so i deleted it as fast as i could. then i started to scan all my computer also downloaded malwarebytes free version and did full scan but they didnt find anything. So my steam is safe? other accounts? my pc? do i need to take other actions? i just downloaded the file though didnt opened it. and also i checked the url of that file at google chrome download section and it said googleusercontent ( hope it helps someone). sorry for long post but it really scared me :D. thanks
ReplyDelete