NEWS FROM THE LAB - Monday, July 27, 2009

H1N1 Shortcut Malware
Posted by Mikko @ 11:35 GMT

We ran into another new piece of malware using the "H1N1" swine flu as a lure.

This one is a shortcut file. And it's not a Windows EXE that has simply been renamed to .LNK; it is an actual link file.

Here's what the file looks like (md5: d17e956522f83995654666c0f2343797).


Looking at the file from the command prompt, it looks like a harmless shortcut, 1987 bytes in size.


But when you view the contents, you see something suspicious:


Let's have a look at the properties of the shortcut:


It's linking to %ComSpec% (the environment variable that expands to the command interpreter, cmd.exe)? Doesn't sound too good. Let's copy and paste the target this shortcut is linking to:


That doesn't make much sense.

Let's try to break that into smaller pieces to see what it's doing:

[Image: LNK shortcut malware code]

The end result is that clicking on this shortcut causes your machine to do the following:

  •  Connect to an FTP site called www.g03z.com
  •  Log in with username aa33 and password bb33
  •  Download a script called p.vbs
  •  Run the script
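To show how a shortcut like this can be triaged without clicking it, here is a small Python parser for the Shell Link (.LNK) binary format that pulls out the StringData fields (including the command-line arguments) and the target stored in an EnvironmentVariableDataBlock, which is how Windows records a target such as %ComSpec%. This is an added example, not code from the original post or from F-Secure; the layout follows Microsoft's MS-SHLLINK specification, and build_lnk constructs a sample file inline with made-up target and argument strings (the real sample's command line is not reproduced here).

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK header CLSID
HAS_TARGET_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]  # fixed on-disk order
ENV_BLOCK_SIG, ENV_BLOCK_SIZE = 0xA0000001, 0x314  # EnvironmentVariableDataBlock
SHELL_TARGETS = ("%comspec%", "cmd.exe", "command.com")
SCRIPT_HINTS = ("ftp", ".vbs", "cscript", "wscript", ".bat", ".cmd")

def build_lnk(target, arguments):
    """Constructed sample: Unicode .LNK whose target sits in an EnvironmentVariableDataBlock."""
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    env = struct.pack("<II", ENV_BLOCK_SIZE, ENV_BLOCK_SIG)  # 4+4+260+520 = 0x314 bytes
    env += target.encode("cp1252").ljust(260, b"\0") + target.encode("utf-16-le").ljust(520, b"\0")
    return header + args + env + struct.pack("<I", 0)  # zero-size TerminalBlock

def parse_lnk(data):
    """Extract StringData fields and any EnvironmentVariableDataBlock target."""
    if len(data) < 0x4C or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, pos = struct.unpack_from("<I", data, 0x14)[0], 0x4C
    if flags & HAS_TARGET_ID_LIST:  # skip LinkTargetIDList (IDListSize + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:       # skip LinkInfo (first dword is its own size)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_FIELDS:  # CountCharacters (uint16) then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    while pos + 8 <= len(data):     # walk ExtraData blocks; TerminalBlock has size < 4
        size, sig = struct.unpack_from("<II", data, pos)
        if sig == ENV_BLOCK_SIG:    # TargetUnicode follows the 260-byte ANSI copy
            uni = data[pos + 268:pos + 788]
            fields["env_target"] = uni.decode("utf-16-le", "replace").split("\0", 1)[0]
        pos += max(size, 4)         # always advance so a zero-size block cannot loop forever
    return fields

def triage(fields):  # defensive heuristic: reasons a shortcut deserves a closer look
    target = (fields.get("env_target") or fields.get("relative_path", "")).lower()
    args = fields.get("arguments", "").lower()
    checks = [(any(t in target for t in SHELL_TARGETS), "target is a command interpreter: " + target),
              (any(h in args for h in SCRIPT_HINTS), "arguments invoke transfer/script tooling: " + args)]
    return [msg for hit, msg in checks if hit]
```

On a real file, read it with open(path, "rb") and pass the bytes to parse_lnk; a shortcut whose target is %ComSpec% and whose arguments mention ftp or a .vbs script comes back with both triage reasons.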

So who owns g03z.com? Well, it's Mr. Zzzzggg:


The domain is still up, but the file p.vbs is currently missing from the server, so right now nothing happens.

We detect and block this malicious shortcut.