We ran into another new piece of malware using the "H1N1" swine flu as a lure.

This one is a shortcut file. And it's not a Windows EXE executable that has been renamed to .LNK; it is an actual link file.

Here's what the file looks like (md5: d17e956522f83995654666c0f2343797).

Looking at the file from the command prompt, it looks like a harmless shortcut, 1987 bytes in size.

But when you view the contents, you see something suspicious:

Let's have a look at the properties of the shortcut:

It's linking to %ComSpec%? Doesn't sound too good. Let's copy and paste where this shortcut is linking to:

That doesn't make much sense.

Let's try to break that into smaller pieces to see what it's doing:

As an end result, clicking on this shortcut will cause your machine to do the following things:

• Connect to an FTP site called www.g03z.com
• Log in with username aa33 and password bb33
• Download a script called p.vbs
• Run the script

So who owns g03z.com? Well, it's Mr. Zzzzggg:

The domain is still up, but the file p.vbs is currently missing from the server, so right now nothing happens.

We detect and block this malicious shortcut.
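
A triage check for shortcuts of this kind, as an added example that is not part of the original post: it parses the Shell Link header and string fields, rejects files that are not real link files (such as a renamed EXE), and flags a command-interpreter target combined with ftp or .vbs in the arguments. The function names are hypothetical and the sample input is constructed with an inert argument string.

```python
import struct

# LinkFlags bits from the Shell Link (.LNK) binary format, MS-SHLLINK
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_lnk(data: bytes) -> dict:
    """Return StringData fields; ValueError if this is not a real link file."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link (e.g. a renamed EXE starts with MZ)")
    try:
        flags = struct.unpack_from("<I", data, 0x14)[0]
        pos = 0x4C
        if flags & HAS_IDLIST:    # 2-byte size, then the item ID list
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINKINFO:  # 4-byte size that counts itself
            pos += struct.unpack_from("<I", data, pos)[0]
        width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
        fields = {}
        for bit, name in STRING_FIELDS:
            if flags & bit:       # 2-byte character count, then the string
                end = pos + 2 + struct.unpack_from("<H", data, pos)[0] * width
                fields[name] = data[pos + 2:end].decode(codec, errors="replace")
                pos = end
    except struct.error as exc:
        raise ValueError("truncated shell link") from exc
    fields["extra"] = data[pos:]  # ExtraData, e.g. an environment-variable target
    return fields

def triage(data: bytes) -> list:
    """Flag the traits the post describes: shell target plus ftp/.vbs arguments."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "").lower()
    # The target can sit in relative_path or, as ANSI/UTF-16 text, in ExtraData
    target = (fields.get("relative_path", "").encode()
              + fields["extra"].replace(b"\x00", b"")).lower()
    checks = [(b"%comspec%" in target or b"cmd.exe" in target,
               "target is the command interpreter"),
              ("ftp" in args, "arguments invoke ftp"),
              (".vbs" in args, "arguments reference a .vbs script")]
    return [label for hit, label in checks if hit]

def constructed_lnk(target: str, args: str) -> bytes:
    """Constructed test input, not the sample from the post."""
    def field(text): return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack("<I", 0x08 | 0x20 | 0x80)
    return header.ljust(0x4C, b"\x00") + field(target) + field(args)

SAMPLE = constructed_lnk("%ComSpec%", "/c rem inert placeholder: ftp p.vbs")
```

Running `triage()` over the bytes of each .LNK attachment gives a list of matched traits; an empty list means none of the three fired.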