.lnk is the file format of Windows shortcuts. The vulnerability recently found in this format lies in the way Windows processes Control Panel shortcuts. Normally, these shortcuts are processed as shown below:
[Figure: Control Panel]
Each Control Panel shortcut is linked to an executable file. For example, the “Automatic Update” shortcut is linked to the Windows update utility. Windows, specifically Windows Shell, loads a PE file with the .cpl extension and reads the icon from its resources to display the shortcut’s icon. In this case, the PE file loaded is “C:\Windows\System32\wuaucpl.cpl”.
Because Windows Shell loads a PE file to display the shortcut’s icon, a hacker can create a Control Panel shortcut file with a path to a malicious file. When Windows Shell performs the steps above to display the shortcut’s icon, the malicious file is loaded. The figure below describes how a crafted Control Panel shortcut is parsed to load the malicious file:
[Figure: The parsing process of a crafted Control Panel shortcut]
Below is the description of the Control Panel shortcut format used to exploit the vulnerability:
[Figure: Crafted shortcut file format]
So, to execute an arbitrary malicious file (in this case, a DLL file), which may be located on a USB drive just as with the Autorun feature, a hacker only needs to create a .lnk file in which the path in “fake cpl path file” links to the malicious file.
We have developed this tool to detect all kinds of viruses exploiting the .lnk vulnerability. Computer users can download the tool and scan with it to check whether their computers are infected with these viruses.
Detect .lnk shortcut file virus tool
Our monitoring system has detected some virus samples taking advantage of this vulnerability. The Microsoft Windows .lnk vulnerability is a critical flaw. Many different kinds of viruses would exploit the flaw to infect users’ computers. Meanwhile, no patch or workaround for the flaw has been released by Microsoft.
Thus, we would like to provide the tool to help users check if their computers are infected with viruses exploiting the .lnk vulnerability.
You can download “Detect .lnk shortcut file virus tool” here.
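For defenders who want to triage shortcut files themselves, the following added Python example (not the tool offered on this page, and not Microsoft code) walks the item ID list of a .lnk file and reports any module path that follows a Control Panel item but lies outside System32. The string search inside the Control Panel item, whose layout is not shown on this page, and the trusted directory are assumptions of this example.

```python
import re
import struct
import uuid

# Shell Link header CLSID and Control Panel namespace CLSID, in on-disk byte order.
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
CONTROL_PANEL = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le
HAS_LINK_TARGET_IDLIST = 0x1
# Heuristic (assumption): a run of 4+ printable ASCII characters stored as UTF-16LE.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# Assumption: default Windows directory; adjust for the machines being scanned.
TRUSTED_PREFIXES = (r"c:\windows\system32" + "\\",)


def id_list_items(data):
    """Yield the raw ItemID bodies of the LinkTargetIDList, or nothing if absent."""
    if len(data) < 0x4E or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        return  # too short, or HeaderSize is not 0x4C
    if data[4:20] != LINK_CLSID:
        return  # not a Shell Link file
    if not struct.unpack_from("<I", data, 0x14)[0] & HAS_LINK_TARGET_IDLIST:
        return
    end = min(len(data), 0x4E + struct.unpack_from("<H", data, 0x4C)[0])
    pos = 0x4E
    while pos + 2 <= end:
        size = struct.unpack_from("<H", data, pos)[0]
        if size < 2 or pos + size > end:  # terminal ID (size 0) or malformed size
            return
        yield data[pos + 2:pos + size]
        pos += size


def suspicious_cpl_paths(data):
    """Return paths found after a Control Panel item that are outside System32."""
    hits, in_control_panel = [], False
    for item in id_list_items(data):
        if CONTROL_PANEL in item:
            in_control_panel = True
            continue
        if not in_control_panel:
            continue
        for match in UTF16_RUN.finditer(item):
            path = match.group().decode("utf-16-le").strip()
            if "\\" in path and not path.lower().startswith(TRUSTED_PREFIXES):
                hits.append(path)
    return hits
```

Call `suspicious_cpl_paths(open(path, "rb").read())` on each shortcut under review; an empty list means no Control Panel module path outside the trusted directory was found.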