
Exploit:Win32/CplLnk.A


First posted on 13 April 2019.
Source: Microsoft

Aliases:

Exploit:Win32/CplLnk.A is also known as CVE-2010-2568, Worm/AutoRun.JV, Trojan.Agent.AQCL, LNK/Stuxnet.A, Trojan.Stuxnet.1, LNK/Autostart.A, Trojan-Dropper.Win32.Stuxnet.a, Stuxnet!lnk, Trj/Trecu.Lnk, W32/Stuxnet-B, W32.Stuxnet!lnk, LNK_STUXNET.A, Exploit.CplLnk.Gen.

Explanation:

Installation

Exploit:Win32/CplLnk.A is a generic detection for specially-crafted, malicious shortcut files that exploit the vulnerability also exploited by the Win32/Stuxnet family.

When you browse a folder that has the malicious shortcut using an application that displays shortcut icons, the malware runs instead.

An example of an application that displays shortcut icons is Windows Explorer. No further user interaction is required, in most cases.

In the case of Win32/Stuxnet, Exploit:Win32/CplLnk.A points to the malware stored on a USB flash drive using the device descriptor, as in this pseudo-example:

\\.\Storage\Volume\USBStor\{CLSID value}\~WTR4141.tmp

Successful exploitation results in the malware running with the privileges of the logged-on user.
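As an added illustration (not part of the Microsoft write-up, and not the logic behind this detection), the following triage heuristic flags shortcut files whose embedded strings reference a Win32 device-namespace path to USB storage, as in the pseudo-example above. The function names, the string-scanning approach and both sample byte strings are assumptions made for this example.

```python
import re
import struct

HEADER_SIZE = 0x4C  # ShellLinkHeader size; also the value of its first field
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")  # printable UTF-16LE runs
DEVICE_PREFIX = "\\\\.\\"  # Win32 device-namespace prefix


def is_shell_link(data: bytes) -> bool:
    """Check the fixed header size field and the shell link CLSID."""
    if len(data) < HEADER_SIZE:
        return False
    (size,) = struct.unpack_from("<I", data, 0)
    return size == HEADER_SIZE and data[4:20] == LINK_CLSID


def device_targets(data: bytes) -> list[str]:
    """Return embedded strings that contain a device-namespace path."""
    hits = []
    for match in UTF16_RUN.finditer(data, HEADER_SIZE):
        text = match.group().decode("utf-16-le")
        start = text.find(DEVICE_PREFIX)
        if start != -1:
            hits.append(text[start:])
    return hits


def triage(data: bytes) -> tuple[str, list[str]]:
    """Classify a file by whether it is a shortcut and what it points at."""
    if not is_shell_link(data):
        return "not-lnk", []
    hits = device_targets(data)
    if any("usbstor" in h.lower() for h in hits):
        return "usb-device-target", hits
    return ("device-target", hits) if hits else ("no-device-target", [])


# Constructed samples: a bare header plus one string, not complete shortcuts.
SAMPLE_HEADER = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + bytes(HEADER_SIZE - 20)
BENIGN = SAMPLE_HEADER + "C:\\Windows\\notepad.exe".encode("utf-16-le")
FLAGGED = SAMPLE_HEADER + (
    "\\\\.\\Storage\\Volume\\USBStor\\{CLSID value}\\~WTR4141.tmp"
).encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(name, triage(blob))
```

A hit from this heuristic is a reason to inspect the file further, not a verdict.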

Additional Information

The vulnerability exploited by this threat, CVE-2010-2568, was resolved with the release of Microsoft Security Bulletin MS10-046.

Analysis by Peter Ferrie

Last update 13 April 2019

 
