Account Stealing Fraud - Trading Offer in Screensaver file
There's currently a large bot account stealing fraud going on. If you ever receive a message saying that someone wants to trade with you and the "person" sends you a link to a .scr-file (Screensaver file) that, allegedly, contains a picture of the trade offer, do not fall for it. Instead, report the profile on Steam.
Once you run the file, it replaces your steam.exe with a fake one. You can recognize it by the changed preview thumbnail. Steam closes instantly and opens again with the fake one, showing the login prompt.
A short analysis by a tech specialist has delivered the result that the program is an info stealer. It sends the information that has been put into the fake steam client to multiple IP addresses, including: 188.120.255.114
It also analyzes cookies stored on the computer for account information and sends these to multiple IPs as well. A first analysis has deemed it acceptable to just delete the program that has been created through the virus, to clean the computer. It does not act as a backdoor, nor does it manipulate the registry. Furthermore, you should search the computer for normal and hidden files that have been modified and/or created at the time you executed the file, and delete these if they could be connected to the malware. For example, it also creates a file in the Windows prefetch folder to ensure that it starts along with Windows.
However, all passwords on all websites should be changed as a security measure since - in case the program has not been blocked by a firewall - it is highly possible that account information has been sent to the criminals.
Keep in mind that this is just the information we have gained through a quick analysis. There is no guarantee for a completely safe OS. A wipe and a new installation may be considered.
Also, I do not know if this has been reported before, so forgive me if you already know about this. A few colleagues of mine have had incidents like these quite a few times in the past weeks and I don't want anyone to run into this trouble.
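A defender-side triage script along the lines the post suggests, added here as an example and not part of the original post: it checks whether the steam.exe on disk still carries a valid Authenticode signature and lists normal and hidden files created or modified around the time the .scr file was run, including the Prefetch folder the post mentions. The Steam install path, the default of "one hour ago" for the execution time, the chosen search roots and the assumption that the legitimate steam.exe is signed are mine, not from the post.

```powershell
# Added example, not from the original post. Assumptions: Steam is installed under
# $SteamDir, the genuine steam.exe carries a valid Authenticode signature, and
# $Executed is (roughly) when the .scr file was run. Run elevated to read Prefetch.
param(
    [string]$SteamDir = 'C:\Program Files (x86)\Steam',
    [datetime]$Executed = (Get-Date).AddHours(-1),
    [int]$WindowMinutes = 10
)

# 1. Has steam.exe been swapped for an unsigned copy? A status other than 'Valid'
#    (e.g. NotSigned or HashMismatch) means the binary is not the vendor's.
$exe = Join-Path $SteamDir 'steam.exe'
if (Test-Path $exe) {
    $sig = Get-AuthenticodeSignature -FilePath $exe
    [pscustomobject]@{
        File   = $exe
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
    } | Format-List
} else {
    Write-Warning "steam.exe not found at $exe (check the install path)"
}

# 2. Files (hidden ones included via -Force) created or modified within
#    +/- $WindowMinutes of the time the .scr was executed.
$from  = $Executed.AddMinutes(-$WindowMinutes)
$to    = $Executed.AddMinutes($WindowMinutes)
$roots = @($SteamDir, "$env:WINDIR\Prefetch", $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)

$hits = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.CreationTime  -ge $from -and $_.CreationTime  -le $to) -or
            ($_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to)
        }
}

# Review the list by hand before deleting anything; Windows itself also writes
# files in this window, so timing alone is not proof of infection.
$hits |
    Sort-Object CreationTime |
    Select-Object FullName, CreationTime, LastWriteTime, Length,
        @{ n = 'Hidden'; e = { [bool]($_.Attributes -band [IO.FileAttributes]::Hidden) } } |
    Format-Table -AutoSize
```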