As far as I was aware, just displaying the icon of the .lnk file in your file browser of choice launches the code. No interaction is required besides this.
On 20 July 2010 14:33, Ken Schaefer <[email protected]> wrote:

> Isn’t the issue that Windows automatically loads the lnk file? (e.g. off a
> USB thumb drive?)
>
> Just connecting to an FTP site using an FTP program isn’t going to do
> anything. If there’s an .lnk file there, and you download it, and then you
> double-click on it, then “yes” you might infect yourself.
>
> Cheers
> Ken
>
> *From:* Steven M. Caesare [mailto:[email protected]]
> *Sent:* Tuesday, 20 July 2010 9:18 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Signed malware on folder view using shortcut LNK files
>
> .lnk is the infection vector for the local system. Any file copy
> methodology merely facilitates this infection vector, so yes to all of the
> above. In addition:
>
> Local HDD’s
> File shares
> USB drives
> Web site Trojan droppers
> USB MASS storage consumer devices (digital cameras, MP3 players, etc…
> anything that can be mounted)
> Malware infected legit S/W installers
> Floppy in discs
> Email
> IM file xfers
> Contents of infected .zip files
> Removable optical media
> Etc…
>
> -sc
>
> *From:* James Rankin [mailto:[email protected]]
> *Sent:* Tuesday, July 20, 2010 8:13 AM
> *To:* NT System Admin Issues
> *Subject:* Re: Signed malware on folder view using shortcut LNK files
>
> Am I right in thinking FTP sites, torrent sites and maybe even download
> sites like RapidShare are vulnerable to this .lnk file problem?
>
> On 20 July 2010 00:37, Carl Houseman <[email protected]> wrote:
>
> The process of scanning .lnk files for icons to display results in
> execution of code that is embedded in the specially crafted .lnk file.
> Some developer at MS responsible for that icon-fetching code (if still
> employed there) is likely not having a good week.
>
> That's why this is such a serious malware, simply viewing the folder in
> Explorer will infect. The only mitigating factor is, direct folder access
> to the .lnk file is needed. An E-mail attachment would have to be saved
> and then the containing folder viewed. A web site would have to coerce a
> user to save it locally and then open the folder. But as with the autorun
> problem, a picture frame or pre-loaded flash drive with one of these .lnk
> files could make a lot of trouble.
>
> Carl
>
> -----Original Message-----
> From: Mike Gill [mailto:[email protected]]
> Sent: Monday, July 19, 2010 6:18 PM
> To: NT System Admin Issues
> Subject: RE: Signed malware on folder view using shortcut LNK files
>
> Windows 7 doesn't support autorun on flash drives. When he gets to the part
> where he's not running AV, he doesn't indicate that he's actually clicking
> on anything, yet the malware runs. He sort of implies that it's happening
> automatically when he mentions the video is slowed to allow us to view what
> happens. How is the malware getting executed?
>
> --
> Mike Gill
>
> -----Original Message-----
> From: James Hill [mailto:[email protected]]
> Sent: Sunday, July 18, 2010 5:43 PM
> To: NT System Admin Issues
> Subject: RE: Signed malware on folder view using shortcut LNK files
>
> It really is a nasty one. It doesn't need admin privs either. Until
> Microsoft patch it if your AV doesn't catch it you're pretty much screwed.
> Disabling shortcuts is obviously not an option for most.
>
> Nice vid of it in action
> http://www.youtube.com/watch?v=1UxN7WJFTVg&feature=player_embedded
>
> Interesting timing considering XP SP2 is now unsupported.

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
