USB Malware
<blockquote data-quote="struppigel" data-source="post: 922115" data-attributes="member: 86910">
<p>The shortcut files of USB worms usually run a hidden worm executable in the same location as well as open the original file. If you point a shortcut to cmd.exe or powershell.exe, you can run any command in it.</p>
<p>E.g. Spora shortcut files will point to cmd.exe using the following arguments:</p>
<p>[CODE]/c explorer.exe "<originalfile>" & type "<worm>" > "%%tmp%%\<worm>" & start "<originalfile>" "%%tmp%%\<worm>"[/CODE]</p>
<p>This command runs explorer on the original file of the user. That means there is no need to have any code for mimicking the folder; the original folder or file is actually opened as usual.</p>
<p>Furthermore, this command will copy the worm executable from the removable drive to TEMP and run it, thus infecting the system the USB drive is currently attached to.</p>
<p>Similarly, if it is not a folder but some document that the shortcut mimics, the original file will be opened as usual.</p>
<p>Edit: Having dropper or downloader LNKs wouldn't be good from the point of view of the attacker. Droppers are too big in size and you will need as many of them as there are files on the drive. Downloaders require an Internet connection, whereas USB worms can spread to devices without Internet. So from an attacker's perspective they would limit their targets if they used a downloader.</p>
</blockquote>
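A detection-side check for the shortcut pattern described in the post above, as an added example that is not part of the original post: it assumes the target path and argument string of each .lnk file have already been extracted by an LNK parser, and the function names, reason labels and sample shortcuts are constructed for illustration.

```python
import re

INTERPRETERS = {"cmd.exe", "powershell.exe"}      # shortcut targets named in the post
TEMP_VAR = r"%+(?:tmp|temp)%+"                    # matches %tmp% and %%tmp%%

def split_commands(arguments):
    """Split a cmd.exe argument string on '&' characters outside double quotes."""
    parts, current, quoted = [], "", False
    for ch in arguments:
        if ch == '"':
            quoted = not quoted
        if ch == "&" and not quoted:
            parts.append(current.strip())
            current = ""
        else:
            current += ch
    return [p for p in parts + [current.strip()] if p]

def assess_shortcut(target, arguments):
    """Return reason labels for a shortcut given its target path and arguments."""
    exe = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in INTERPRETERS:
        return []
    reasons = ["interpreter-target"]
    # Drop a leading /c or /k switch so each entry starts with its command name.
    commands = [re.sub(r"^/[ck]\s+", "", c, flags=re.I) for c in split_commands(arguments)]
    if len(commands) > 1:
        reasons.append("chained-commands")
    # Output redirected into TEMP (type "x" > "%tmp%\x"), then a 'start' that runs from TEMP.
    if any(re.search(r'>\s*"?' + TEMP_VAR, c, re.I) for c in commands):
        reasons.append("writes-to-temp")
    if any(re.match(r"start\b", c, re.I) and re.search(TEMP_VAR, c, re.I) for c in commands):
        reasons.append("runs-from-temp")
    return reasons

def is_suspicious(target, arguments):  # the copy-to-TEMP-then-run combination from the post
    return {"writes-to-temp", "runs-from-temp"} <= set(assess_shortcut(target, arguments))

# Constructed samples: (target, arguments) as an LNK parser would report them.
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLES = {
    "Photos.lnk": (CMD, r'/c explorer.exe "Photos" & type "a1b2.exe" > "%%tmp%%\a1b2.exe"'
                        r' & start "Photos" "%%tmp%%\a1b2.exe"'),
    "Build shell.lnk": (CMD, r'/k cd /d "C:\src"'),
    "R&D notes.lnk": (CMD, r'/c start "" "D:\R&D\notes.txt"'),
    "Report.lnk": (r"D:\Report.docx", ""),
}
for name, (target, args) in SAMPLES.items():
    print(name, is_suspicious(target, args), assess_shortcut(target, args))
```

Only the cmd.exe `&` chaining shown in the post is parsed; a powershell.exe target receives the `interpreter-target` label but its arguments are not split.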