Windows will, by default, attempt to display the resource icon - which causes the LNK to get loaded and the vector to spread.

If you open Windows Explorer as an FTP client or as a WebDAV client - this can happen. I believe Internet Explorer doesn't do this (but I didn't test).

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Ken Schaefer [mailto:[email protected]]
Sent: Tuesday, July 20, 2010 9:34 AM
To: NT System Admin Issues
Subject: RE: Signed malware on folder view using shortcut LNK files

Isn't the issue that Windows automatically loads the lnk file? (e.g. off a USB thumb drive?)

Just connecting to an FTP site using an FTP program isn't going to do anything. If there's an .lnk file there, and you download it, and then you double-click on it, then "yes" you might infect yourself.

Cheers
Ken

From: Steven M. Caesare [mailto:[email protected]]
Sent: Tuesday, 20 July 2010 9:18 PM
To: NT System Admin Issues
Subject: RE: Signed malware on folder view using shortcut LNK files

.lnk is the infection vector for the local system. Any file copy methodology merely facilitates this infection vector, so yes to all of the above. In addition:

Local HDDs
File shares
USB drives
Web site
Trojan droppers
USB MASS storage consumer devices (digital cameras, MP3 players, etc... anything that can be mounted)
Malware infected legit S/W installers
Floppy discs
Email
IM file xfers
Contents of infected .zip files
Removable optical media
Etc...

-sc

From: James Rankin [mailto:[email protected]]
Sent: Tuesday, July 20, 2010 8:13 AM
To: NT System Admin Issues
Subject: Re: Signed malware on folder view using shortcut LNK files

Am I right in thinking FTP sites, torrent sites and maybe even download sites like RapidShare are vulnerable to this .lnk file problem?

On 20 July 2010 00:37, Carl Houseman <[email protected]> wrote:

The process of scanning .lnk files for icons to display results in execution of code that is embedded in the specially crafted .lnk file.

Some developer at MS responsible for that icon-fetching code (if still employed there) is likely not having a good week. That's why this is such a serious malware: simply viewing the folder in Explorer will infect. The only mitigating factor is that direct folder access to the .lnk file is needed. An E-mail attachment would have to be saved and then the containing folder viewed. A web site would have to coerce a user to save it locally and then open the folder. But as with the autorun problem, a picture frame or pre-loaded flash drive with one of these .lnk files could make a lot of trouble.

Carl

-----Original Message-----
From: Mike Gill [mailto:[email protected]]
Sent: Monday, July 19, 2010 6:18 PM
To: NT System Admin Issues
Subject: RE: Signed malware on folder view using shortcut LNK files

Windows 7 doesn't support autorun on flash drives. When he gets to the part where he's not running AV, he doesn't indicate that he's actually clicking on anything, yet the malware runs. He sort of implies that it's happening automatically when he mentions the video is slowed to allow us to view what happens. How is the malware getting executed?

--
Mike Gill

-----Original Message-----
From: James Hill [mailto:[email protected]]
Sent: Sunday, July 18, 2010 5:43 PM
To: NT System Admin Issues
Subject: RE: Signed malware on folder view using shortcut LNK files

It really is a nasty one. It doesn't need admin privs either. Until Microsoft patch it, if your AV doesn't catch it you're pretty much screwed. Disabling shortcuts is obviously not an option for most.

Nice vid of it in action: http://www.youtube.com/watch?v=1UxN7WJFTVg&feature=player_embedded

Interesting timing considering XP SP2 is now unsupported.
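The thread's central point is that Explorer parses a shortcut's on-disk structure, in particular where its icon comes from, before the user ever clicks it. The following is an added example, not code from any participant in the thread, showing how an analyst can pull those same fields out of a .lnk file offline with a minimal parser for the Shell Link binary format (MS-SHLLINK): the LinkFlags, the ItemIDList, whether a LinkInfo block is present, and the IconLocation string. The two sample shortcuts are constructed in memory for the example and are not real malware; the "trusted icon source" prefixes and the triage rules are assumptions chosen for illustration, a first-look heuristic rather than a signature for the flaw the thread discusses.

```python
"""Added example: parse the fields of a Windows shortcut (.lnk) that Explorer
consults to render its icon, and flag shortcuts an analyst should look at.
The .lnk bytes below are constructed inline for this example."""
import struct

HEADER_SIZE = 0x4C                                  # fixed ShellLinkHeader size
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
FLAG_HAS_ID_LIST, FLAG_HAS_LINK_INFO, FLAG_HAS_NAME = 0x01, 0x02, 0x04
FLAG_HAS_RELATIVE_PATH, FLAG_HAS_WORKING_DIR = 0x08, 0x10
FLAG_HAS_ARGUMENTS, FLAG_HAS_ICON_LOCATION, FLAG_IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = [(FLAG_HAS_NAME, "name"), (FLAG_HAS_RELATIVE_PATH, "relative_path"),
                 (FLAG_HAS_WORKING_DIR, "working_dir"), (FLAG_HAS_ARGUMENTS, "arguments"),
                 (FLAG_HAS_ICON_LOCATION, "icon_location")]

# Assumption for this triage: icon libraries under these prefixes are expected.
TRUSTED_ICON_PREFIXES = ("%systemroot%", "c:\\windows\\", "%programfiles%", "c:\\program files")


def _read_string(data, off, unicode):
    """StringData entry: 2-byte char count, then chars, no terminator."""
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("latin-1"), off + count


def parse_lnk(data):
    """Return the header flags, ItemIDList entries, LinkInfo presence and StringData."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a shell link header")
    hsize, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hsize != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link file")
    icon_index = struct.unpack_from("<i", data, 56)[0]
    off, items = HEADER_SIZE, []
    if flags & FLAG_HAS_ID_LIST:                    # IDListSize, then ItemIDs, then TerminalID
        idlist_size = struct.unpack_from("<H", data, off)[0]
        off += 2
        end = off + idlist_size
        while off < end:
            item_size = struct.unpack_from("<H", data, off)[0]
            if item_size == 0:                      # 2-byte TerminalID ends the list
                break
            items.append(bytes(data[off + 2:off + item_size]))
            off += item_size
        off = end
    has_link_info = bool(flags & FLAG_HAS_LINK_INFO)
    if has_link_info:                               # LinkInfoSize counts itself; treated as opaque here
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            strings[name], off = _read_string(data, off, bool(flags & FLAG_IS_UNICODE))
    return {"flags": flags, "icon_index": icon_index, "item_ids": items,
            "has_link_info": has_link_info, **strings}


def triage(parsed):
    """Heuristic findings (assumptions, not a vulnerability signature)."""
    findings = []
    loc = parsed.get("icon_location", "").lower().replace("/", "\\")
    if loc.endswith((".dll", ".cpl")) and not loc.startswith(TRUSTED_ICON_PREFIXES):
        findings.append("icon resource comes from a library outside trusted locations: " + loc)
    if parsed["item_ids"] and not parsed["has_link_info"]:
        findings.append("target is an ItemIDList only, no LinkInfo path (normal for shell-namespace shortcuts, still worth a look)")
    return findings


def build_lnk(icon_location=None, item_ids=(), link_info=b"", unicode=True):
    """Construct a minimal .lnk for the example (LinkInfo body is an opaque blob)."""
    flags, body = (FLAG_IS_UNICODE if unicode else 0), b""
    if item_ids:
        flags |= FLAG_HAS_ID_LIST
        idl = b"".join(struct.pack("<H", len(i) + 2) + i for i in item_ids) + b"\x00\x00"
        body += struct.pack("<H", len(idl)) + idl
    if link_info:
        flags |= FLAG_HAS_LINK_INFO
        body += struct.pack("<I", len(link_info) + 4) + link_info
    if icon_location is not None:
        flags |= FLAG_HAS_ICON_LOCATION
        enc = icon_location.encode("utf-16-le" if unicode else "latin-1")
        body += struct.pack("<H", len(icon_location)) + enc
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags) + bytes(HEADER_SIZE - 24)
    return header + body


# Constructed samples: a normal shortcut, a shell-namespace shortcut, and one that
# asks Explorer to fetch its icon from a library in a user-writable directory.
SAMPLES = {
    "notepad.lnk": build_lnk(icon_location="%SystemRoot%\\system32\\shell32.dll", link_info=b"\x00" * 20),
    "control_panel.lnk": build_lnk(item_ids=[b"\x1f\x00\x01\x02"]),
    "odd_icon.lnk": build_lnk(icon_location="C:\\Users\\Public\\pics.dll", item_ids=[b"\x1f\x00\x01\x02"]),
}


def triage_all(samples=SAMPLES):
    return {name: triage(parse_lnk(blob)) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(name, "->", findings or "nothing notable")
```

Running the block prints one line per constructed sample; on real files, read each .lnk with `open(path, "rb")` and pass the bytes to `parse_lnk`. The parser deliberately treats LinkInfo as an opaque, size-prefixed block and ignores the optional ExtraData blocks after StringData, which is enough to reach the icon fields but not a full MS-SHLLINK implementation.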
