My son started screaming a few hours back, scaring us half to death. Apparently he reacted this way to what seemed like a virus infecting his computer, after he ignored all long-standing advice from me and clicked on a nasty link from another Steam user sent via chat.
Indeed this malware is very nasty – somehow it manages to bypass all Chrome guards and download + execute right away, without giving any option to avoid it. I immediately submitted the site to Google for blocking in Chrome. Then I proceeded to submit it to Microsoft, since their silly Microsoft Security Essentials continued to insist that no malware/virus was found.
Here’s a link to the analysis: img_012.scr (MD5: 6e7ccceb2685044d443474ce1efc7bbf)
So, the biggest question is: What Does It Do? So far I only saw that it communicates with the Steam client, managing to spam a link to an infected site hosting this malware to ALL of one’s Steam friends. From reading online, the malware also attempts to steal your Steam account credentials, presumably to steal your digital loot, like game objects and even complete “Giftable” game copies (if you have any). I couldn’t confirm this as we didn’t see any adverse impacts, but maybe it wasn’t able to fully work. Sadly, since no antivirus properly detects it yet, it is very hard to tell if it’s fully cleaned. I saw it already submitted to Malwarebytes and they promise to analyze it ASAP – so I recommend you go there first and install that excellent (and free) scanner on your PC.
Here are some more recommendations if it happens to you – immediately proceed to Steam Guard (in Steam client Settings) and make sure it’s active. Then double check that you don’t have any screen saver installed (use Personalize and reset Screen Saver to None). Reboot after this – and then proceed to relaunch Steam and select “De-authorize All Computers” under Steam Guard. I would recommend changing your password also – and another reboot. Disclaimer: This is a new attack so I am not sure this wipes it out. I’ll update this post as I learn more info about this nasty critter.
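To make the screen saver check above less of a guessing game, here is a small PowerShell script I am adding to the post (it is not from the malware analysis or from Steam): it reads the screen saver the current user has configured from the registry, hashes that file and any .scr files in the usual download locations, and flags anything matching the MD5 of img_012.scr given above. It assumes Windows with PowerShell 4 or later (for Get-FileHash) and that a bare file name in SCRNSAVE.EXE resolves from System32.

```powershell
# Added check, not part of the original post or the Steam client.
# Compares the configured screen saver with the sample hash from the post.
$KnownBadMd5 = '6E7CCCEB2685044D443474CE1EFC7BBF'   # MD5 of img_012.scr, from the post

# Per-user screen saver setting lives here; SCRNSAVE.EXE is absent when set to None
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
$scr = $desktop.'SCRNSAVE.EXE'

if (-not $scr) {
    Write-Output 'No screen saver configured for this user (SCRNSAVE.EXE not set).'
} else {
    Write-Output "Configured screen saver: $scr"
    # The value may contain %SystemRoot%-style variables; expand them first
    $path = [Environment]::ExpandEnvironmentVariables($scr)
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        # Assumption: a bare name is looked up in the System32 directory
        $path = Join-Path $env:SystemRoot "System32\$path"
    }
    if (Test-Path -LiteralPath $path) {
        $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        Write-Output "MD5: $md5"
        if ($md5 -eq $KnownBadMd5) {
            Write-Warning 'MATCH: configured screen saver is the img_012.scr sample.'
        }
        # A screen saver outside the Windows directory is unusual and worth a look
        if ($path -notlike "$env:SystemRoot\*") {
            Write-Warning "Screen saver lives outside $env:SystemRoot - review it."
        }
    } else {
        Write-Warning "Configured screen saver file not found: $path"
    }
}

# Also hash any .scr files in places a chat-delivered download usually ends up
$dropDirs = @("$env:USERPROFILE\Downloads", $env:TEMP, $env:APPDATA)
Get-ChildItem -Path $dropDirs -Filter *.scr -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
        $flag = if ($h -eq $KnownBadMd5) { '  <-- MATCHES SAMPLE' } else { '' }
        Write-Output ("{0}  {1}{2}" -f $h, $_.FullName, $flag)
    }
```

Run it from a normal (non-elevated) PowerShell window as the affected user, since the setting is per user; a clean machine prints either "No screen saver configured" or a hash that does not match, and no .scr files in the drop folders.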
Since this attack is specifically tailored to Steam, the sandbox PC images that antivirus companies use as honeypots may not be able to fully trigger its behaviour, as their images would not have the Steam client installed and configured.
To be extra safe, we are also going to re-install the Steam client – I would recommend that as well, as I was seeing some Steam files being updated after this attack, but it may have just been a coincidence. Since you can have Steam libraries, you can even fully re-install the Steam client without having to re-download the games. Ping me in the comments if you need further instructions for this – and good luck!