Microsoft LNK files [MS-SHLLINK] which are now turned into auto executable files by malware authors using its undocumented feature is a hot topic on most of the security forums.
We have received specially crafted LNK files along with Portable executable files having the mentioned LNK file vulnerability. When user visits the folder containing these files, the target executable file gets loaded into Explorer process. This could be used to execute the payload.
This issue was initially reported by “VirusBlokAda” company specialists on the 17th of June, 2010. It is exploited by StuxNet malware using USB Storage as propagation vector. StuxNet also uses rootkit techniques to hide its LNK and TMP files.
After detailed investigation of these specially crafted LNK files we observed that, this is Microsoft Windows specific implementation for processing Control Panel shortcuts.
What is special about Control Panel shortcuts?
Control Panel items (CPI) are DLLs or executable (.exe) files that let users configure the environment of Windows. They are typically accessed by clicking an icon in the Control Panel. They export special function called CPlApplet.
For Control Panel shortcuts Explorer.exe loads CPI and then calls exported CPlApplet function, which is the key to turn LNK file into an auto executable.
Figure 1: Code snippet for CPI DLL
Figure 2: DebugView log
It is observed that even if the target file does not export CPlApplet function, DllMain function is executed.
Microsoft needs to take major decision on how to process shortcuts for CPIs, may be to load and execute only registered CPIs.
Quick Heal detects such malicious LNK files as PIF.StuxNet.A and Exploit.CVE-2010-2568.