NEWS FROM THE LAB - Monday, July 27, 2009

H1N1 Shortcut Malware
Posted by Mikko @ 11:35 GMT

We ran into another new piece of malware using the "H1N1" swine flu as a lure.

This one is a shortcut file. And it's not a Windows EXE executable that has been renamed to .LNK; it is an actual link file.

Here's what the file looks like (md5: d17e956522f83995654666c0f2343797).

Looking at the file from the command prompt, it looks like a harmless shortcut, 1987 bytes in size.

But when you view the contents, you see something suspicious:

Let's have a look at the properties of the shortcut:

It's linking to %ComSpec%? Doesn't sound too good. Let's copy and paste where this shortcut is linking to:

That doesn't make much sense.

Let's try to break that into smaller pieces to see what it's doing:

As an end result, clicking on this shortcut will cause your machine to do the following things:

• Connect to an ftp site called www.g03z.com
• Log in with username aa33 and password bb33
• Download a script called p.vbs
• Run the script
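
As an added example (not code from the original post), here is a small Python parser that pulls the target and command-line arguments out of a Shell Link file following the MS-SHLLINK layout, and applies triage rules for the pattern described above: a target of %ComSpec%, arguments that invoke ftp, and a .vbs script. The sample .lnk it builds is constructed with placeholder arguments, and the code assumes the unexpanded %ComSpec% target is stored in the EnvironmentVariableDataBlock, which is how the format records environment-variable targets.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link CLSID, little-endian
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE, HAS_EXPSTRING = 0x01, 0x02, 0x80, 0x200
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon"))  # StringData, in spec order
ENV_BLOCK_SIG = 0xA0000001  # EnvironmentVariableDataBlock in ExtraData
RULES = (("target", "%comspec%", "target is the command interpreter"),
         ("arguments", "ftp", "arguments invoke ftp"),
         ("arguments", ".vbs", "arguments run a VBScript file"))

def build_lnk(env_target, args):
    """Constructed sample (not the real file): target kept unexpanded, e.g. %ComSpec%."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x20 | IS_UNICODE | HAS_EXPSTRING)
    header += bytes(76 - len(header))  # attributes, timestamps, icon index: all zero
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    env = env_target.encode("ascii").ljust(260, b"\0") + env_target.encode("utf-16-le").ljust(520, b"\0")
    env_block = struct.pack("<II", 8 + len(env), ENV_BLOCK_SIG) + env
    return header + string_data + env_block + bytes(4)  # 4 zero bytes = terminal block

def parse_lnk(data):
    """Return the effective target and command-line arguments of a Shell Link."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 76
    if flags & HAS_IDLIST:  # skip LinkTargetIDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # skip LinkInfo (its size field counts itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    strings, width = {}, 2 if flags & IS_UNICODE else 1
    for flag, name in STRING_FIELDS:
        if flags & flag:
            n = struct.unpack_from("<H", data, pos)[0] * width
            raw = data[pos + 2:pos + 2 + n]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + n
    target = strings.get("relative_path", "")
    while pos + 8 <= len(data):  # walk ExtraData blocks up to the terminal block
        bsize, sig = struct.unpack_from("<II", data, pos)
        if bsize < 4:
            break
        if sig == ENV_BLOCK_SIG:  # unexpanded %VAR% target overrides the path
            target = data[pos + 8:pos + 268].split(b"\0", 1)[0].decode("latin-1")
        pos += bsize
    return {"target": target, "arguments": strings.get("arguments", "")}

def assess(info):
    """Defender-side triage for the pattern in the post: cmd.exe target, ftp, .vbs."""
    return [why for field, needle, why in RULES if needle in info[field].lower()]
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo section; the parser skips both by their size fields, so it works on files from disk as well as on the constructed sample.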

So who owns g03z.com? Well, it's Mr. Zzzzggg:

The domain is still up, but the file p.vbs is currently missing from the server, so right now nothing happens.

We detect and block this malicious shortcut.