Be cautious of any shortened URL, or you could end up downloading malware sent by friends and strangers on Steam.
Malware researchers are warning all Steam users to be aware of a .SCR (screensaver) file that appears harmless but will actually steal items from Steam users’ inventories.
Security company Malwarebytes said that once a computer is infected with the malware, the victim’s Steam session ID and inventory are at risk. In addition, the virus sends further messages to the victim’s friends list. The message includes a link to what appears to be a photo. The URL is shortened through bit.ly, with IMG at the start of the full URL and a .SCR extension.
Christopher Boyd of Malwarebytes said, “Just because the name of the file says ‘IMG’ at the start doesn’t mean it’s actually an image file. The extension in these cases is the giveaway, and users of Steam should ensure they’re not being set up for a harsh lesson in digital shenanigans.”
Earlier in the week, Steam users wrote about the malware in the community forums.
Bart Blaze, a malware researcher at Panda Security, looked into the matter further. The link leads to a file on Google Drive and immediately downloads the .SCR file, a screensaver file, with a picture of a woman as the icon.
“Note that normally, the Google Drive Viewer application will be shown and this will allow you to download the .scr file,” Bart Blaze wrote. “In this case, the string ‘&confirm=no_antivirus’ is added to the link, which means the file will pop-up immediately asking what to do: Run or Save.”
If you have downloaded the malware, you should first exit Steam immediately, then open Task Manager and locate temp.exe, wrrrrrrrrrrrr.exe, vv.exe, or “a process with a random name, for example 340943.exe.”
Scan your computer with the antivirus you use, and then scan again with a different one. After deleting the malware, change your Steam password, as well as the password on any other sites where you use the same one. You can also enable the visibility of file extensions.
As always, be careful when clicking on shortened URLs, even when sent by a friend.
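The two giveaways described above, an image-like name on a .SCR file and the `confirm=no_antivirus` string in the expanded link, can be checked mechanically. The Python below is an added example, not code from Malwarebytes or Bart Blaze; the function names, the extension and hint lists, and the sample host `files.example.invalid` are assumptions made for illustration.

```python
import os
from urllib.parse import urlparse, parse_qs, unquote

# Extensions Windows runs directly; a .scr screensaver is an ordinary executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}
# Name fragments that suggest a picture (assumed list for this example).
IMAGE_HINTS = ("img", "image", "photo", "pic", "screenshot",
               ".jpg", ".jpeg", ".png", ".gif")


def check_filename(name):
    """Return the reasons a file name looks like a disguised executable."""
    reasons = []
    # Normalise Windows separators, trailing spaces and case before splitting.
    base = os.path.basename(name.replace("\\", "/")).strip().lower()
    stem, ext = os.path.splitext(base)  # only the LAST extension decides
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        if any(hint in stem for hint in IMAGE_HINTS):
            reasons.append("image-like name on an executable")
    return reasons


def check_link(url):
    """Check an already-expanded link: file name in the path plus the query."""
    parts = urlparse(url)
    reasons = check_filename(unquote(parts.path))
    # The article quotes this string as the one that makes the download
    # prompt appear immediately instead of the Google Drive viewer.
    if "no_antivirus" in parse_qs(parts.query).get("confirm", []):
        reasons.append("confirm=no_antivirus in link")
    return reasons


if __name__ == "__main__":
    # Constructed samples; none of these are real indicators.
    samples = [
        "https://files.example.invalid/d/IMG_4821.scr?export=download&confirm=no_antivirus",
        "https://files.example.invalid/d/IMG_4821.jpg",
        "holiday.jpg.scr",
    ]
    for sample in samples:
        print(sample, "->", check_link(sample) or "no findings")
```

The check only works on the expanded destination, so a bit.ly link has to be resolved to its full URL before it is passed in.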