Backdoor:Win32/Caphaw.A!lnk
First posted on 20 December 2013.
Source: Microsoft
Aliases:
There are no other names known for Backdoor:Win32/Caphaw.A!lnk.
Explanation:
Threat behavior
Installation
The shortcut is installed by the Win32/Caphaw family of backdoor trojans.
Payload
Creates malicious shortcuts
Backdoor:Win32/Caphaw.A!lnk is a shortcut link that tries to lure you into opening other malware. It does this by appearing to be a legitimate file or folder in the shared folders on your network.
For example, if the trojan finds the file WFprioritylist.xlsx, it hides that file so you cannot see it in Windows Explorer. It then creates a shortcut file with the name WFprioritylist.xlsx.lnk. As another example, if the trojan finds the folder PHASE_2_SCHEDULE, it will hide it and create a shortcut file with the name PHASE_2_SCHEDULE.lnk.
In this way, the trojan tries to trick you into clicking the shortcut, mistaking it for the original file or folder. The shortcut will launch malware at the same time as the original file or folder. We have seen it launch Backdoor:Win32/Caphaw.A.
Backdoor:Win32/Caphaw.A!lnk can also create malicious shortcuts for any Microsoft Office documents on your network that have the following extensions:
- .DOC
- .DOCX
- .PPS
- .PPSX
- .PPT
- .PPTX
- .XLS
- .XLSX
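The hide-and-replace pattern described above leaves a recognizable trace in a folder: a hidden file or folder next to a visible shortcut named after it with .lnk appended. The following is an added example, not code from Microsoft's write-up, that flags such pairs in a directory listing; the Entry record, the function names and the benign sample entries are assumptions made for illustration.

```python
import os
from typing import NamedTuple

# Extensions the write-up lists as shortcut targets.
OFFICE_EXTS = {".doc", ".docx", ".pps", ".ppsx", ".ppt", ".pptx", ".xls", ".xlsx"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows "hidden" file attribute bit

class Entry(NamedTuple):  # hypothetical record for one directory entry
    name: str
    hidden: bool
    is_dir: bool

def find_lure_pairs(entries):
    """Return (original, shortcut, reason) for every hidden item that has a
    visible sibling shortcut named <original>.lnk in the same folder."""
    by_name = {e.name.lower(): e for e in entries}
    hits = []
    for e in entries:
        if not e.hidden or e.name.lower().endswith(".lnk"):
            continue
        lnk = by_name.get(e.name.lower() + ".lnk")
        if lnk is None or lnk.is_dir or lnk.hidden:
            continue
        if e.is_dir:
            reason = "hidden folder"
        elif os.path.splitext(e.name)[1].lower() in OFFICE_EXTS:
            reason = "hidden Office document"
        else:
            reason = "hidden file"
        hits.append((e.name, lnk.name, reason))
    return hits

def list_folder(path):
    """Build Entry records for a real folder; the hidden bit exists only on Windows."""
    with os.scandir(path) as it:
        return [Entry(d.name,
                      bool(getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
                           & FILE_ATTRIBUTE_HIDDEN),
                      d.is_dir(follow_symlinks=False)) for d in it]

# Constructed listing: the two names from the write-up plus made-up benign items.
SAMPLE = [
    Entry("WFprioritylist.xlsx", True, False), Entry("WFprioritylist.xlsx.lnk", False, False),
    Entry("PHASE_2_SCHEDULE", True, True), Entry("PHASE_2_SCHEDULE.lnk", False, False),
    Entry("notes.docx", False, False),      # visible document, no shortcut
    Entry("budget.xls.lnk", False, False),  # shortcut with no hidden original
    Entry("desktop.ini", True, False),      # hidden file with no shortcut
]

if __name__ == "__main__":
    for original, shortcut, reason in find_lure_pairs(SAMPLE):
        print(f"{shortcut}: shadows {reason} {original!r}")
```

On a Windows host, passing the output of list_folder for a shared folder to find_lure_pairs applies the same check to real data.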
Analysis by Steven Zhou
Symptoms
Alerts from your security software may be the only symptom.
Last update 20 December 2013