Home / malware TrojanDownloader:Win32/Lnkget.M
First posted on 03 December 2009.
Source: SecurityHomeAliases :
TrojanDownloader:Win32/Lnkget.M is also known as Trojan-Downloader.Win32.Pif.sz (Kaspersky), Mal/DownLnk-B (Sophos).
Explanation :
TrojanDownloader:Win32/Lnkget.M is a detection for shortcuts which connect to an FTP server and download and execute arbitrary VBScript files. These downloaded files have in turn generally downloaded and executed game password stealing malware, such as variants of the Win32/Helpud family.
Top
TrojanDownloader:Win32/Lnkget.M is a detection for shortcuts which connect to an FTP server and download and execute arbitrary VBScript files. These downloaded files have in turn generally downloaded and executed game password stealing malware, such as variants of the Win32/Helpud family. The trojan could be distributed to affected users spammed through e-mail or instant messaging services. InstallationTrojanDownloader:Win32/Lnkget.M is a trojan wich is implemented as a shortcut file type. When the trojan runs it redirects to the %windir% folder and executes registered in the %comspec% system variable command shell. The command shell, normally cmd.exe, executes a batch set of commands piped to the shell as arguments within the shortcut, in order to download and execute a file from a remote site. Payload Downloads and executes arbitrary filesTo download a file from a remote site the trojan uses ftp.exe, a file transfer program client which is normally present on the system. The command line is obfuscated to minimize the trojan's exposure to the user. The trojan attempts to download and execute a file from the g03z.com domain. The downloaded file is stored in the %windir% folder as T.VBs. Note that at the moment of writing the targeted site is unavailable. The trojan also drops "O", an FTP script, and "Y.bat", a command shell script file.
Analysis by Oleg PetrovskyLast update 03 December 2009