Home / malware Worm:JS/Morph.A!lnk
First posted on 07 June 2012.
Source: MicrosoftAliases :
Worm:JS/Morph.A!lnk is also known as Morph.A (Norman), Worm.JS.Morph (Ikarus), Mal/WormLnk-A (Sophos), LNK_MORPHE.SMI (Trend Micro).
Explanation :
Worm:JS/Morph.A!lnk is the detection for shortcut files created by Worm:JS/Morph.A.
Worm:JS/Morph.A attempts to spread itself across all accessible drives, including removable drives and network shares, as the following file:
<drive letter>%\M0rPheS.tpl
It creates the following shortcut files. If these shortcut files are run, they execute Worm:JS/Morph.A:
- <drive Letter>\<folder name>.lnk
- <start menu>\<folder name>.lnk
- <start menu>\Program\<folder name>.lnk
- <start menu>\ Programas\ <folder name> .lnk
- %UserProfile%\Desktop\<folder name>.lnk
- %UserProfile%\Start Menu\<folder name>.lnk
- %UserProfile%\My Documents\<folder name>.lnk
where <folder name> is the name of any folder within the parent folder. It then marks the original folder as hidden, to mislead the user into thinking that the sohrtcut file is actually the folder.
For example, if the folder "F:\Folder001" exists, Worm:JS/Morph.A may create a shortcut file as "F:\Folder001.lnk", then hide the "F:\Folder001" folder.
Analysis by Wei Li
Last update 07 June 2012