Author Topic: A virus that steals your items and money in Steam, not detected by Avast

Offline Shinigami

  • Newbie
  • *
  • Posts: 2
I'm not sure this is the right place for this kind of topic, so please direct me where this belongs if I am mistaken.

I am a victim of a fraud/hack/whatever you call it. Someone used my own PC to steal money from me (virtual items, total worth around $50).
How this happened: I received an invite to "check out an item", and the link downloaded a "screensaver" file (.scr). Info about the file I knew:
0. It had a thumbnail that looked like a picture.
1. Windows said it's a Screensaver.
2. Avast scan said: "No threat detected" by Avast Free Antivirus.
3. It was 11:30 PM so I wasn't being too careful as I usually am.

So I just went and launched it. In mere seconds I received a message that all my money and all my items were gone.

Don't get me wrong, I'm not blaming Avast in this and not demanding compensation for your failed free anti-virus, which can't tell a script from a screensaver. This was entirely my fault for not heeding the warning of my intuition. I have already contacted the service provider's support to give me back my items.

The purpose of this topic is to prevent this happening to other people, if I can. Details:
I received a link; visiting this link gave me a downloaded .scr file. Screensaver format, if you ask Windows. No threat detected by Windows. Curious me, as it has a thumbnail that looks like a picture. So I launch this file and it does the following:
1. Hacks into my Steam client (software e-shop client).
2. Buys something on "community market" for all my money on account (it had to be able to communicate with an outside source to find that "max money I can spend" and put an item for respective amount). I'm down to $0.01.
3. Cancels all of my Steam Market offers for certain item (selling offers) and trades them to a random person.
This is all done in mere seconds, without me seeing anything happen.

This situation is very bad for both Anti-virus software which does not detect .scr files as a threat (I read elsewhere that no antivirus detects them), and for Steam, which already knows about this problem (they posted a warning... deep into support forum where people go AFTER they're scammed). I'll solve things with Steam separately, I'm here to provide feedback on Avast, and make a suggestion on how to improve the protection. It's simple, really:
Avast should block all *.scr files from launching, unless user says they know where the file came from. Just warn me that this file is suspicious and it could be potential threat and I'll never open it. Even if it came with Windows. Or at least I won't open it outside of some sandbox environment.

Originally, I wanted to send this file for analysis (I know for sure this file is responsible for hacking), but I do not know how to do that (if you do, please do this for me). All I found is a link to Avast Community Forums. So I'm putting the file with my explanation here. Hopefully, it'll help Avast find such suspicious files and warn users about it. If you know how to send the file to Avast, please do so in my place.

How do I know this file is responsible? I launched it right before I got hacked. Hack happened from within my PC as I never got a warning that I am logged in elsewhere and never authenticated another PC (any new PC has to authenticate with mail) to launch Steam client. The only way to get access to my account under such conditions is to use my own PC, and this file is the only executable I know of that I did not launch for years prior to yesterday (most of my software is something I purchased years ago).

I'm posting the file in hopes Avast can analyze it and figure out how to detect similar type of scamming/hacking attempt and block it, as well as detect this kind of threat in files.

Be warned: if you use Steam, and accidentally launch this file, it'll steal your belongings!

File extension changed to *.txt (added .txt on top of .scr) to prevent accidental launch.

Sorry for such a long explanation, just wanted to make it as clear as possible.
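
The file in the post above showed a picture thumbnail while Windows typed it as a screensaver, and the poster later appended .txt to make it inert. As an added example (not part of the original post and not Avast's detection logic), this Python script judges a download by both its name and its header bytes; it goes slightly beyond the post by also flagging decoy double extensions, and the extension lists and sample bytes are constructed assumptions.

```python
import struct
from pathlib import PurePath

# Extensions Windows runs as programs; a .scr is an ordinary PE executable.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com"}
# Extensions a lure may use to look like a harmless picture or document (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".txt", ".pdf"}


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header that points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(filename: str, data: bytes) -> list:
    """Return warnings for a downloaded file, judged by name and by content."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    last = suffixes[-1] if suffixes else ""
    warnings = []
    if last in EXECUTABLE_EXTS:
        warnings.append(f"{last} runs as a program when opened")
        if any(s in DECOY_EXTS for s in suffixes[:-1]):
            warnings.append("decoy extension before the executable one")
    if is_pe(data) and last not in EXECUTABLE_EXTS:
        # e.g. a sample renamed to .scr.txt: inert by name, still a program
        warnings.append("content is a PE executable despite the extension")
    return warnings


def sample_pe() -> bytes:
    """Constructed minimal header: 'MZ', e_lfanew = 0x40, then 'PE\\0\\0'."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00"


if __name__ == "__main__":
    for name in ("item.scr", "item.jpg.scr", "item.scr.txt"):
        print(name, "->", triage(name, sample_pe()))
```
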

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36992
Re: A virus that steals your items and money in Steam, not detected by Avast
« Reply #1 on: September 20, 2014, 04:35:50 PM »
How to receive help instructions: https://forum.avast.com/index.php?topic=53253.0

VirusTotal:
https://www.virustotal.com/nb/file/30520ab9e38c238d3c1bb8a364fb30ea7356384400b017554e018fc3d7a6bb65/analysis/1411223807/



Quote
Originally, I wanted to send this file for analysis (I know for sure this file is responsible for hacking), but I do not know how to do that

You can upload files and report issues to avast here: http://www.avast.com/contact-form.php (select subject according to your case)

You can use mail
send to virus@avast.com in a password protected zip file
mail subject: False Positive / undetected sample (select subject according to your case)
zip password: infected

or you can send files from avast chest
how to use the chest: http://www.avast.com/faq.php?article=AVKB21

« Last Edit: September 20, 2014, 04:41:10 PM by Pondus »

Offline Shinigami

  • Newbie
  • *
  • Posts: 2
Re: A virus that steals your items and money in Steam, not detected by Avast
« Reply #2 on: September 20, 2014, 05:26:20 PM »

Just found the VirusTotal page by digging elsewhere. Detected by Malwarebytes as a trojan, but is "fine" for any other AV out there.
Will send the file in a password-protected archive, as you instructed.
- update -
File sent to avast via the provided email in a protected archive, password as instructed.

Thanks!
« Last Edit: September 20, 2014, 05:31:14 PM by Shinigami »

Offline MainilanLaukaus

  • Jr. Member
  • **
  • Posts: 27
Re: A virus that steals your items and money in Steam, not detected by Avast
« Reply #3 on: September 21, 2014, 01:05:41 AM »
How do I know this file is responsible?

That sounds familiar, I read about that a couple of days ago in the Malwarebytes Blog.

Steam Threats: What They Are and What You Can Do to Protect Your Account
https://blog.malwarebytes.org/online-security/2014/09/steam-threats-what-they-are-and-what-you-can-do-to-protect-your-account/