Some online games let players sell their game items online. In such situations, it is highly likely that some sellers will send potential buyers a screenshot of their items for sale, for example via instant messaging programs.

Recently, malware distributors have started taking advantage of this. They pretend to be selling items and send a "screenshot" of their items for sale, when in fact the "screenshot" file is a malicious executable disguised as an image file. When executed, it does display a screenshot of some rare items (see the image below); however, malware is silently dropped and executed in the background.

Figure 1 - Imitation screenshot displayed by the malware

This whole process may be user-initiated, and the user remains uncompromised until they open the "screenshot" file.

The disguised malware is detected as TrojanDropper:Win32/Fedripto.A. It can be configured to drop different malware components, and in the wild, the dropped file may be detected as Backdoor:Win32/Zegost.H – a remote control backdoor that is a prevalent threat in China.

Play it safe and scan files received from unknown sellers before opening them: the items they are "selling" may simply be malware!

TrojanDropper:Win32/Fedripto.A SHA1: 84c1db933ea6159be27a642a03c2542e68f7adc9
Backdoor:Win32/Zegost.H SHA1: b79c07da4a9b55f065adc7af3aad23f84c08d91e
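
As a complement to an antivirus scan, a received "screenshot" can be triaged by its content rather than its name or icon. The sketch below is an added example, not code from the original post: it compares the SHA1 against the two values listed above and checks whether the bytes are a Windows PE executable or a real image. The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

# SHA1 values listed on this page for the dropper and the dropped backdoor.
KNOWN_SHA1 = {
    "84c1db933ea6159be27a642a03c2542e68f7adc9": "TrojanDropper:Win32/Fedripto.A",
    "b79c07da4a9b55f065adc7af3aad23f84c08d91e": "Backdoor:Win32/Zegost.H",
}

# Leading bytes of common screenshot formats.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def image_type(data: bytes):
    """Return the image format name if data starts with a known image magic."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def triage(data: bytes) -> str:
    """Classify a received 'screenshot' by content, ignoring its name and icon."""
    sha1 = hashlib.sha1(data).hexdigest()
    if sha1 in KNOWN_SHA1:
        return "known-malware:" + KNOWN_SHA1[sha1]
    if is_pe(data):
        return "executable"
    kind = image_type(data)
    return "image:" + kind if kind else "unknown"

def build_constructed_pe() -> bytes:
    """Constructed sample: bare MZ stub plus PE signature, not real malware."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(stub) + b"PE\x00\x00" + bytes(20)

if __name__ == "__main__":
    print(triage(build_constructed_pe()), triage(b"\x89PNG\r\n\x1a\n" + bytes(16)))
```

A result of `executable` for a file presented as a screenshot is the mismatch this post describes; a hash miss alone proves nothing, since the dropper can be configured to drop different components.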

Chun Feng
MMPC Melbourne