Shortcut Scanner

Status
Not open for further replies.

Exterminator
Thread author
Basically, this application works as a regular antivirus scanner: it will scan the available attached storage media (fixed hard drives and removable hard drives) and list all existing shortcuts.
For each and every shortcut our application will determine whether or not the shortcut is:
  • Broken
  • Suspicious
  • Dangerous

A shortcut is considered 'Broken' if the target application or target folder points to a non-existing location. A broken shortcut is not something we could consider harmful, but it is worth removing since the shortcut itself has become useless.

A shortcut is considered 'Suspicious' when it contains arguments.
Most shortcuts with arguments could be completely legit, but you should consider taking a look and validating whether or not the shortcut is calling suspicious applications or parameters. Be careful, then, when removing them after the scan.

Finally, a shortcut is considered 'Dangerous' when multiple flags are triggered:
  • If the target application points to a command prompt (Terminal, PowerShell, Ubuntu Bash)
  • If it contains dangerous keywords often used to create malicious shortcuts
  • An argument overflow, which means that the shortcut command line is longer than the Microsoft Windows limitation of 260 characters (MAX_PATH)
  • Shortcut file size is above 4 KiB
  • Contains arguments plus one of the above flags
You should seriously consider removing shortcuts flagged as dangerous. The more flags are triggered during the scan, the more dangerous the shortcut could be.

This method detected 100% of the malicious shortcuts we used to test the application. It was also totally effective against recent malware and phishing campaigns.

(!) In a possible future version of this application we might add a pro-active protection to detect shortcuts when they are created and extracted from an archive. If you wish to see this feature added, let us know; it will depend on our workload and on how many users this program will attract.

Download Phrozen Software™ - Official Website
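To make the Broken / Suspicious / Dangerous rules above concrete, here is a small added example of my own (it is not Phrozen's code and not how Shortcut Scanner is implemented). It reads the StringData section of an MS-SHLLINK (.lnk) file to recover the relative path, working directory and arguments, then applies the flags the post lists. Assumptions: the interpreter file names in SHELL_TARGETS and the KEYWORDS list are my guesses at what the post calls "command prompts" and "dangerous keywords"; the way flags combine into a verdict is my reading of the bullet list; and the target is rebuilt from the relative path plus working directory only, so a shortcut whose target is stored solely in the IDList or LinkInfo block would come back with an empty target. The sample shortcuts are constructed with build_lnk, not taken from the thread.

```python
import ntpath
import os
import struct

HEADER_SIZE = 0x4C                     # ShellLinkHeader is always 76 bytes
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits of the ShellLinkHeader (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
MAX_PATH = 260                         # character limit named in the post
SIZE_LIMIT = 4 * 1024                  # 4 KiB file-size limit named in the post
# Assumption: file names behind the "command prompts" the post lists.
SHELL_TARGETS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe", "wsl.exe"}
# Assumption: the post does not publish its keyword list, so this one is mine.
KEYWORDS = ("-windowstyle hidden", "-encodedcommand", "downloadstring",
            "invoke-webrequest", "certutil", "mshta")

def _read_string(buf, pos, is_unicode):
    """One StringData item: CountCharacters (u16) followed by the characters."""
    count, = struct.unpack_from("<H", buf, pos)
    pos += 2
    if is_unicode:
        return buf[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return buf[pos:pos + count].decode("cp1252"), pos + count

def parse_lnk(buf):
    """Return the StringData fields; IDList and LinkInfo are skipped, not decoded."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link file")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (u16) + IDList bytes
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize counts the whole block
        pos += struct.unpack_from("<I", buf, pos)[0]
    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon")):
        fields[name] = ""
        if flags & bit:
            fields[name], pos = _read_string(buf, pos, flags & IS_UNICODE)
    return fields

def build_lnk(relative_path, working_dir="", arguments=""):
    """Construct a minimal Unicode .lnk carrying only StringData (test fixture)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    flags |= HAS_WORKING_DIR if working_dir else 0
    flags |= HAS_ARGUMENTS if arguments else 0
    # Timestamps, file size, icon index, show command and hotkey are left zero.
    out = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags) + bytes(HEADER_SIZE - 24)
    for text in (relative_path, working_dir, arguments):   # order fixed by the spec
        if text:
            out += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return out

def classify(buf, exists=os.path.exists):
    """Return (verdict, flags) following the post's three levels."""
    fields = parse_lnk(buf)
    target = fields["relative_path"]
    if fields["working_dir"] and not ntpath.isabs(target):
        target = ntpath.join(fields["working_dir"], target)
    command_line = f'"{target}" {fields["arguments"]}'.strip()
    flags = []
    if ntpath.basename(target).lower() in SHELL_TARGETS:
        flags.append("target is a command interpreter")
    hits = [k for k in KEYWORDS if k in command_line.lower()]
    if hits:
        flags.append("dangerous keywords: " + ", ".join(hits))
    if len(command_line) > MAX_PATH:
        flags.append(f"command line of {len(command_line)} chars exceeds MAX_PATH")
    if len(buf) > SIZE_LIMIT:
        flags.append(f"file size of {len(buf)} bytes exceeds 4 KiB")
    # My reading of the post: two or more flags, or arguments plus any flag,
    # is Dangerous; arguments alone (or a single flag) is Suspicious.
    if len(flags) >= 2 or (fields["arguments"] and flags):
        return "dangerous", flags
    if fields["arguments"] or flags:
        return "suspicious", flags
    if not exists(target):
        return "broken", ["target does not exist: " + target]
    return "clean", flags

def scan_directory(root, exists=os.path.exists):
    """Walk a tree the way the scanner does and classify every *.lnk found."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".lnk"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[path] = classify(fh.read(), exists)
    return results

if __name__ == "__main__":
    # Constructed sample: shortcut to cmd.exe that also carries arguments.
    print(classify(build_lnk("cmd.exe", r"C:\Windows\System32", "/c echo test"),
                   exists=lambda path: True))
```

On a live Windows box, scan_directory(r"C:\Users") returns a path-to-verdict map; the exists callable is injected so the rules can be exercised offline against constructed fixtures, and the flags list is returned alongside the verdict because, as the post says, the number of triggered flags is itself the signal.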
 

509322

> Finally, a shortcut is considered 'Dangerous' when multiple flags are triggered:
>   • If the target application points to a command prompt (Terminal, PowerShell, Ubuntu Bash)
>   • If it contains dangerous keywords often used to create malicious shortcuts
>   • An argument overflow, which means that the shortcut command line is longer than the Microsoft Windows limitation of 260 characters (MAX_PATH)
>   • Shortcut file size is above 4 KiB
>   • Contains arguments plus one of the above flags

There is actually a need for such a product. Malicious *.lnk (shortcut) files can be used to bypass security software in various ways.
 

WinXPert
Here are my observations:

Since this is not an antivirus, it is only of use with clean and uninfected systems as far as deleting malicious shortcuts is concerned. Scanning an external drive on an infected system takes forever. There are instances where nothing happens when you do a drive or folder scan.

On the plus side, it can weed out broken links and detect malicious or dangerous links (mostly these are links that use the CMD prompt to launch the malware, as per my worm samples). It can also do a hex view of the content of the link.

Note that it flags some links as requiring attention, like my Sandboxie links.

Question? Do I need this? Personally, no. I have CCleaner for fixing broken links, my AV is good enough to detect these malicious links, plus I know a malicious link when I see one.
 

509322

> Here are my observations:
>
> Since this is not an antivirus, it is only of use with clean and uninfected systems as far as deleting malicious shortcuts is concerned. Scanning an external drive on an infected system takes forever. There are instances where nothing happens when you do a drive or folder scan.
>
> On the plus side, it can weed out broken links and detect malicious or dangerous links (mostly these are links that use the CMD prompt to launch the malware, as per my worm samples). It can also do a hex view of the content of the link.
>
> Note that it flags some links as requiring attention, like my Sandboxie links.
>
> Question? Do I need this? Personally, no. I have CCleaner for fixing broken links, my AV is good enough to detect these malicious links, plus I know a malicious link when I see one.

It's a geek tool. I think anyone who opted to use it would do so on an on-demand basis once in a while to make a just-in-case check.

What AV parses a shortcut's Properties > Target for suspicious command lines before it is executed? Some products will parse the interpreter command line after the shortcut is executed, but even then the typical command lines used in malicious shortcuts aren't going to generate alerts in most AVs. Although I'm fairly confident that Emsisoft's behavior blocker will generate an alert for "Hidden download." Also, I can't recall ever seeing an AV detect a shortcut as malicious.
 

WinXPert
> It's a geek tool. I think anyone who opted to use it would do so on an on-demand basis once in a while to make a just-in-case check.
>
> What AV parses a shortcut's Properties > Target for suspicious command lines before it is executed? Some products will parse the interpreter command line after the shortcut is executed, but even then the typical command lines used in malicious shortcuts aren't going to generate any alerts. Also, I can't recall ever seeing an AV detect a shortcut as malicious.

360 TS does
 

Exterminator
> Thanks for sharing my tools :)
>
> I didn't want to do it by myself because I'm not satisfied enough with this version and was waiting to push a version 2 later.
It is a useful on demand tool for weeding out broken or suspicious shortcuts.
Added it to my toolkit as it is a nice maintenance tool.
Looking forward to version 2!
 

Parsh
> And so do Panda, Avira, Avast, Smadav. Sorry, no screenshots.
> I have saved one.

Thanks for the info!
And so does the famous MCShield. The only time it detected one for me was in case of a bootable rescue multitool USB. It was an FP though.
 

WinXPert
> Thanks for the info!
> And so does the famous MCShield. The only time it detected one for me was in case of a bootable rescue multitool USB. It was an FP though.

Yes, MCShield does; I didn't mention it because it's not an AV.
 