We mentioned rogue .scr files being passed around the Steam network (specifically, in chat) in September, and they seem to be making a bit of a comeback.

We’ve noticed a number of posts on both Steam forums [1], [2], [3], [4] and elsewhere talking about messages sending potential victims to bit.ly URLs. Typically, the scammers are sending fake Steam Marketplace trade offers, and the supposed “picture” of whatever virtual item they’re offering up is actually an .scr file which will run should the victim double click and execute it.

Infection file

The Bit.ly URL displayed in the Tumblr post linked above currently has 2,000+ clicks – and that’s just one random example.

There’s sure to be a lot more clicking going on elsewhere. Users of Malwarebytes Anti-Malware will find we detect the file offered up as Trojan.Inject (VirusTotal 33 / 54, Malwr analysis).

A search for .scr files on the Steam Community forums reveals quite a lot of fresh “I opened this .scr file and now I’m having a bad hair day” posts in the last few days, so please ensure you avoid any and all links sent via Steam chat which lead to .scr files.

Just because the name of the file says “IMG” at the start doesn’t mean it’s actually an image file. The extension in these cases is the giveaway, and users of Steam should ensure they’re not being set up for a harsh lesson in digital shenanigans.

Christopher Boyd