The process of scanning .lnk files for icons to display results in execution of code that is embedded in the specially crafted .lnk file. Some developer at MS responsible for that icon-fetching code (if still employed there) is likely not having a good week.
That's why this is such a serious malware: simply viewing the folder in Explorer will infect. The only mitigating factor is that direct folder access to the .lnk file is needed. An e-mail attachment would have to be saved and then the containing folder viewed. A web site would have to coerce a user to save it locally and then open the folder. But as with the autorun problem, a picture frame or pre-loaded flash drive with one of these .lnk files could make a lot of trouble.

Carl

-----Original Message-----
From: Mike Gill [mailto:[email protected]]
Sent: Monday, July 19, 2010 6:18 PM
To: NT System Admin Issues
Subject: RE: Signed malware on folder view using shortcut LNK files

Windows 7 doesn't support autorun on flash drives. When he gets to the part where he's not running AV, he doesn't indicate that he's actually clicking on anything, yet the malware runs. He sort of implies that it's happening automatically when he mentions the video is slowed to allow us to view what happens. How is the malware getting executed?

--
Mike Gill

-----Original Message-----
From: James Hill [mailto:[email protected]]
Sent: Sunday, July 18, 2010 5:43 PM
To: NT System Admin Issues
Subject: RE: Signed malware on folder view using shortcut LNK files

It really is a nasty one. It doesn't need admin privs either. Until Microsoft patch it, if your AV doesn't catch it you're pretty much screwed. Disabling shortcuts is obviously not an option for most.

Nice vid of it in action: http://www.youtube.com/watch?v=1UxN7WJFTVg&feature=player_embedded

Interesting timing considering XP SP2 is now unsupported.
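Added example for the thread above, not code from any of the posters: Carl's point is that Explorer parses a .lnk to find its icon before anyone clicks it, so the only thing an admin can do short of a patch is look at what the shortcuts on a removable drive actually contain. The block below parses the documented ShellLinkHeader, LinkTargetIDList and StringData sections of the Shell Link Binary File Format (MS-SHLLINK) and reports, per file, which sections are present, the shell item sizes and the icon location. The "id_list_only" flag is an assumption of this example (a shortcut described solely by a shell item ID list, with no LinkInfo and no relative path); legitimate Control Panel and virtual-folder shortcuts look the same, so it is a triage signal to review by hand, not a detection rule from the thread or from Microsoft. The two sample shortcuts are constructed in memory and contain no real payload.

```python
"""Triage .lnk files by parsing the public MS-SHLLINK layout (constructed example)."""
import os
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk (little-endian GUID)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from MS-SHLLINK 2.1.1
FLAGS = {
    "HasLinkTargetIDList": 0x01, "HasLinkInfo": 0x02, "HasName": 0x04,
    "HasRelativePath": 0x08, "HasWorkingDir": 0x10, "HasArguments": 0x20,
    "HasIconLocation": 0x40, "IsUnicode": 0x80,
}
STRING_ORDER = ("HasName", "HasRelativePath", "HasWorkingDir", "HasArguments", "HasIconLocation")


def parse_lnk(data: bytes) -> dict:
    """Walk header -> LinkTargetIDList -> LinkInfo -> StringData; raise ValueError if not a shell link."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    link_flags, = struct.unpack_from("<I", data, 0x14)   # LinkFlags
    icon_index, = struct.unpack_from("<i", data, 0x38)   # IconIndex (signed)
    flags = {name: bool(link_flags & bit) for name, bit in FLAGS.items()}
    pos = LNK_HEADER_SIZE
    item_sizes = []
    if flags["HasLinkTargetIDList"]:
        idlist_size, = struct.unpack_from("<H", data, pos)   # IDListSize, includes TerminalID
        pos += 2
        end = pos + idlist_size
        while pos < end:
            item_size, = struct.unpack_from("<H", data, pos)  # ItemIDSize, 0 = TerminalID
            if item_size == 0:
                break
            item_sizes.append(item_size)
            pos += item_size
        pos = end
    if flags["HasLinkInfo"]:
        link_info_size, = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    strings = {}
    for name in STRING_ORDER:
        if not flags[name]:
            continue
        count, = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        if flags["IsUnicode"]:
            strings[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            strings[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return {"flags": flags, "icon_index": icon_index, "item_sizes": item_sizes, "strings": strings}


def triage(data: bytes) -> dict:
    info = parse_lnk(data)
    f = info["flags"]
    # Heuristic (assumption of this example): target is described only by the shell item
    # ID list, so Explorer resolves it through the shell namespace rather than a file path.
    info["id_list_only"] = f["HasLinkTargetIDList"] and not (f["HasLinkInfo"] or f["HasRelativePath"])
    return info


def scan_dir(root: str) -> dict:
    """Triage every *.lnk under root (e.g. a mounted flash drive); never executes anything."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(".lnk"):
                path = os.path.join(dirpath, n)
                with open(path, "rb") as fh:
                    try:
                        results[path] = triage(fh.read())
                    except ValueError as exc:
                        results[path] = {"error": str(exc)}
    return results


def build_lnk(items=(), relative_path=None, icon_location=None, icon_index=0) -> bytes:
    """Assemble a minimal constructed .lnk for exercising the parser (test data, not a real file)."""
    flags = FLAGS["IsUnicode"]
    body = b""
    if items:
        flags |= FLAGS["HasLinkTargetIDList"]
        idlist = b"".join(struct.pack("<H", len(it) + 2) + it for it in items) + b"\x00\x00"
        body += struct.pack("<H", len(idlist)) + idlist
    if relative_path is not None:
        flags |= FLAGS["HasRelativePath"]
    if icon_location is not None:
        flags |= FLAGS["HasIconLocation"]
    for s in (relative_path, icon_location):   # StringData order: RELATIVE_PATH before ICON_LOCATION
        if s is not None:
            body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, icon_index, 1, 0, 0, 0, 0)
    return header + body


# Constructed samples: opaque shell item bytes, no payload of any kind.
SAMPLE_NORMAL = build_lnk(items=(b"\x1f\x50" + b"\x00" * 10, b"\x31\x00" + b"\x00" * 8),
                          relative_path="..\\notes.txt")
SAMPLE_IDLIST_ONLY = build_lnk(items=(b"\x1f\x00" + b"\x00" * 14,),
                               icon_location="%SystemRoot%\\system32\\shell32.dll", icon_index=-4)

if __name__ == "__main__":
    for label, blob in (("normal", SAMPLE_NORMAL), ("id-list-only", SAMPLE_IDLIST_ONLY)):
        print(label, triage(blob))
```

Run scan_dir against the root of a mounted drive before opening it in Explorer (or from a machine where the shell does not render shortcuts); anything with id_list_only set, or with an icon location pointing somewhere unexpected, deserves a closer look with a full shell-item parser before the folder is ever viewed.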
