LNK Files – Shortcuts to Faster Infections

These shortcut files are actually called Shell link files. Microsoft filename extension: “.LNK”

Let’s dig a little deeper and check the typical properties of an example LNK file. Just right click on the shortcut and then select “Properties. There are now several options which can be changed. In this case we will focus on the “Target” field which contains the path to the application or folder.

“C:\Program Files (x86)\Avira\Avira Antivirus\avcenter.exe”

Looks easy, right? When you click on the shortcut it performs the command specified here. In this case our trusted Avira Antivirus is being launched. This is actually what you can expect and want when clicking on a shortcut.

Unfortunately these shortcut files also have drawbacks since you don’t know exactly what hides behind them without explicitly looking. At Avira we are currently seeing a trend that more and more malware threats are using this kind of propagation method. You can follow this and more trends by visiting our Avira Threats Landscape.

Malware authors are starting to use this method because nowadays most novice users might know that clicking on a suspicious executable file might be dangerous for their systems. But clicking on a shortcut is normally not associated with bad behavior.

I like to show you how malware is actually misusing the usually helpful LNK files by giving an example of an actual in-the-wild malware detection named: VBS/LNK.Jenxsus.Gen

This variant uses LNK files to spread an infection via removable drives. The trick is very simple since it actually creates shortcuts to your files and folders stored on the USB stick and then hides the originals from you.

Let’s see what a folder structure looks like once the USB drive is infected.

Folder View of an infected USB drive:
Folder View of an infected USB drive

Nothing unusual here at first glance, right? Except maybe that the icons have all a small arrow in the bottom left corner which indicates that they are actual shortcut files. But you can still access all your files and folders when clicking on them.

We will now take a closer look at what actually is hidden behind the shortcut files by telling the Windows Explorer that we want to see all “Hidden system files”

Directory view with “Hidden System files” shown.
Directory view with “Hidden System files” shown.

When we focus on the “avira-logo” you can see there are actually two files there. One is the LNK file and the highlighted one is the actual “hidden” jpg image file.

This means when you click on a trusted file on the USB drive you are actually clicking on the shortcut which will execute the following command stored inside the LNK target instead of just opening the image.

C:\WINDOWS\system32\cmd.exe /c start dlbfbiicvg.vbs&start avira-logo.jpg&exit

Target path of an infected LNK file.

What this command does is silently execute the malicious “dlbfbiicvg.vbs” via cmd.exe and then use the “start avira-logo.jpg” to open the file you clicked on to avoid any suspicion.

Additionally the malware also adds Run-Key entries to the Registry to infect other USB drives if they are plugged into the system.  This makes also sure that the malware gets executed with each system boot.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] dlbfbiicvg”=”wscript.exe //B \”C:\\DOCUME~1\\USERNAME\\LOCALS~1\\Temp\\dlbfbiicvg.vbs\””

Example of a malicious Run-Key added by the malware.

The filename and the Registry value of the Run-Key are always randomly generated by the malware on an infected system.

At last the malware can also deploy a backdoor on your computer to send out information about the operating system, sites you visited and so on.

USB drives are still popular because there are very convenient way to transfer large files from one location to another especially if you have limited internet bandwidth available.

So if you want to share some data with a family member or friend, be very careful when you plug-in your USB drive into an unprotected computer. Your USB drive might get infected or vice versa you could spread the infection from your USB drive to his computer.

Of course nobody has the time to check every shortcut this closely before clicking on it.

One easy solution is to use our Avira product which automatically scans for malicious content and will protect you from this kind of malware threat.

This post is also available in: German

Virus Analyst @Avira