.lnk is the infection vector for the local system. Any file copy
methodology merely facilitates this infection vector, so yes to all of
the above. In addition:

 

Local HDDs
File shares
USB drives
Web site Trojan droppers
USB MASS storage consumer devices (digital cameras, MP3 players, etc... anything that can be mounted)
Malware infected legit S/W installers
Floppy discs
Email
IM file xfers
Contents of infected .zip files
Removable optical media
Etc...

 

-sc

From: James Rankin [mailto:[email protected]] 
Sent: Tuesday, July 20, 2010 8:13 AM
To: NT System Admin Issues
Subject: Re: Signed malware on folder view using shortcut LNK files

 

Am I right in thinking FTP sites, torrent sites and maybe even download
sites like RapidShare are vulnerable to this .lnk file problem?

On 20 July 2010 00:37, Carl Houseman <[email protected]> wrote:

The process of scanning .lnk files for icons to display results in
execution of code that is embedded in the specially crafted .lnk file.
Some developer at MS responsible for that icon-fetching code (if still
employed there) is likely not having a good week.

That's why this is such a serious malware, simply viewing the folder in
Explorer will infect.  The only mitigating factor is, direct folder
access to the .lnk file is needed.  An E-mail attachment would have to
be saved and then the containing folder viewed.  A web site would have
to coerce a user to save it locally and then open the folder.  But as
with the autorun problem, a picture frame or pre-loaded flash drive with
one of these .lnk files could make a lot of trouble.

Carl


-----Original Message-----
From: Mike Gill [mailto:[email protected]]
Sent: Monday, July 19, 2010 6:18 PM
To: NT System Admin Issues
Subject: RE: Signed malware on folder view using shortcut LNK files

Windows 7 doesn't support autorun on flash drives. When he gets to the
part where he's not running AV, he doesn't indicate that he's actually
clicking on anything, yet the malware runs. He sort of implies that it's
happening automatically when he mentions the video is slowed to allow us
to view what happens. How is the malware getting executed?

--
Mike Gill

-----Original Message-----
From: James Hill [mailto:[email protected]]
Sent: Sunday, July 18, 2010 5:43 PM
To: NT System Admin Issues
Subject: RE: Signed malware on folder view using shortcut LNK files

It really is a nasty one.  It doesn't need admin privs either.  Until
Microsoft patch it, if your AV doesn't catch it you're pretty much
screwed.  Disabling shortcuts is obviously not an option for most.

Nice vid of it in action
http://www.youtube.com/watch?v=1UxN7WJFTVg&feature=player_embedded

Interesting timing considering XP SP2 is now unsupported.


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~




-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."

 

 
