Infostealer.Steamfishi
First posted on 11 February 2015.
Source: Symantec
Aliases:
There are no other names known for Infostealer.Steamfishi.
Explanation:
The Trojan may be downloaded from the following remote location: steamccommynity.com
When the Trojan is executed, it ends the following process: Steam.exe
The Trojan then searches for the following files and folders in the directory that stores the application for the gaming service Steam:
[PATH TO STEAM FOLDER]\ssfn*
[PATH TO STEAM FOLDER]\config\loginusers.vdf
[PATH TO STEAM FOLDER]\config\SteamAppData.vdf
[PATH TO STEAM FOLDER]\config\config.vdf
Next, the Trojan uploads these files to the following remote location: [http://]files.sellexpo.net/upload[REMOVED]
The Trojan then downloads a file from the following remote location: [http://]sft.xquad.info/core/crosCssRandm898kljlUIDG8[REMOVED]
Next, the Trojan deletes the legitimate Steam launcher and replaces it with the downloaded file under the following file name: [PATH TO STEAM FOLDER]\Steam.exe
When executed, the downloaded Steam.exe displays a fake Steam login web page.
If the user inputs a user name and password and logs in, the Trojan uploads these credentials to the following remote location: [http://]files.sellexpo.net/upload[REMOVED]
The Trojan then shows a fake error dialog with the following message: Steam Error
Last update 11 February 2015
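The file activity described above (reads of ssfn* and the config .vdf files, followed by deletion and replacement of Steam.exe) can be hunted in endpoint file-event telemetry. The following Python is an added example, not part of the Symantec write-up; the event fields (image, action, target), the install path and the sample events are constructed assumptions.

```python
import fnmatch
import ntpath

# Relative paths the write-up says the Trojan collects from the Steam folder.
CREDENTIAL_PATTERNS = ["ssfn*", r"config\loginusers.vdf",
                       r"config\steamappdata.vdf", r"config\config.vdf"]
STEAM = r"C:\Program Files (x86)\Steam"  # assumed install path

def relative_to_steam(path, steam_dir):
    """Lower-cased path relative to steam_dir, or None if it lies outside."""
    path = ntpath.normcase(ntpath.normpath(path))
    root = ntpath.normcase(ntpath.normpath(steam_dir)) + "\\"
    return path[len(root):] if path.startswith(root) else None

def triage(events, steam_dir=STEAM):
    """Flag credential-file reads and launcher replacement by non-Steam images."""
    findings = []
    for ev in events:
        rel = relative_to_steam(ev["target"], steam_dir)
        if rel is None:
            continue
        # Assumption: only <steam_dir>\Steam.exe itself is trusted; a
        # same-named binary running from elsewhere is not.
        if relative_to_steam(ev["image"], steam_dir) == "steam.exe":
            continue
        image = ntpath.basename(ev["image"]).lower()
        if ev["action"] == "read" and any(
                fnmatch.fnmatchcase(rel, p) for p in CREDENTIAL_PATTERNS):
            findings.append(("credential_file_read", image, rel))
        elif ev["action"] in ("write", "delete") and rel == "steam.exe":
            findings.append(("launcher_replaced", image, rel))
    return findings

# Constructed sample events (hypothetical telemetry, not from the write-up).
DROPPER = r"C:\Users\a\Downloads\update.exe"
SAMPLE_EVENTS = [
    {"image": STEAM + r"\Steam.exe", "action": "read", "target": STEAM + r"\config\config.vdf"},
    {"image": DROPPER, "action": "read", "target": STEAM + r"\ssfn0123456789"},
    {"image": DROPPER, "action": "read", "target": STEAM + r"\Config\loginusers.vdf"},
    {"image": DROPPER, "action": "delete", "target": STEAM + r"\Steam.exe"},
    {"image": DROPPER, "action": "write", "target": STEAM + r"\Steam.exe"},
    {"image": DROPPER, "action": "read", "target": r"C:\Windows\win.ini"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Once the launcher has been replaced, the fake binary sits at the trusted path, so this path-based allowlist should be paired with a signature or hash check of Steam.exe.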