
Exploit-CVE2010-2568

Type: Trojan
SubType: Exploit
Discovery Date: 07/21/2010
Length: Varies
Minimum DAT: 6050 (07/21/2010)
Updated DAT: 6575 (12/30/2011)
Minimum Engine: 5.4.00
Description Added: 07/21/2010
Description Modified: 11/21/2011 4:58 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

------ Updated on July-08-2011 -------

"Exploit-CVE2010-2568" is a generic detection for specially crafted, malicious shortcut (.lnk) files that exploit a vulnerability in the Windows Shell (CVE-2010-2568).

The vulnerability is exploitable when any Windows application that displays shortcut icons, such as Windows Explorer, browses to a folder containing a malicious shortcut. The exploit is triggered while the shell renders the shortcut's icon, without any user interaction and regardless of where the shortcut file is located.

The shortcut (.lnk) file points to the malware (setup1092.fon) stored on a USB device, referencing it through the device descriptor rather than a drive letter, as in the example below:

\\IFLMUD5IM0425\FCRJBat\setup1092.fon

When a user browses to a folder containing the malicious LNK file, the malware (setup1092.fon) is loaded and executed immediately, without any user interaction. The .fon extension is cosmetic: the file is loaded as executable code, not opened as a font.

An attacker who successfully exploits this vulnerability gains the same rights as the logged-on local user.
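The shortcut shape described above can be checked for statically, without letting the shell render the icon. The scanner below is an added example written for this page; it is not McAfee's detection logic and not a reproduction of any real sample. It parses the ShellLinkHeader and LinkTargetIDList according to the public MS-SHLLINK layout and flags a link that walks into the Control Panel folder and names a module whose extension is not .cpl, which is how the in-the-wild exploits of this vulnerability caused a module from an attacker-chosen path to be loaded. The ItemID type bytes, the internal item layouts, the detection rule and the three sample files are assumptions constructed for illustration (the path is the one quoted above); validate the rule against real samples before relying on it.

```python
"""Heuristic scanner for .lnk files shaped like CVE-2010-2568 exploits.

Added example, not McAfee's code or a captured sample. The header and
LinkTargetIDList parsing follow the public MS-SHLLINK layout. The ItemID
contents, the sample files and the detection rule (a Control Panel item
whose module path does not end in .cpl) are assumptions for illustration.
"""
import re
import struct
import uuid
from pathlib import Path

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x00000001  # LinkFlags bit 0

# Runs of at least four printable ASCII characters encoded as UTF-16LE.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def parse_id_list(data: bytes) -> list[bytes]:
    """Return the payload of every ItemID in the LinkTargetIDList.

    Validates the 76-byte ShellLinkHeader first; returns [] when the
    HasLinkTargetIDList flag is clear. Raises ValueError on malformed input.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    (id_list_size,) = struct.unpack_from("<H", data, HEADER_SIZE)
    pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + id_list_size
    if end > len(data):
        raise ValueError("IDListSize runs past end of file")
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID closes the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID at offset %d" % pos)
        items.append(data[pos + 2 : pos + item_size])  # size field excluded
        pos += item_size
    return items


def embedded_paths(items: list[bytes]) -> list[str]:
    """Pull UTF-16LE strings containing a backslash out of the ItemID payloads."""
    found = []
    for item in items:
        for match in UTF16_RUN.finditer(item):
            text = match.group().decode("utf-16-le")
            if "\\" in text:
                found.append(text)
    return found


def check_lnk(data: bytes) -> tuple[bool, str]:
    """Return (suspicious, reason) for the contents of one .lnk file."""
    items = parse_id_list(data)
    if not any(CONTROL_PANEL_CLSID in item for item in items):
        return False, "target is not a Control Panel item"
    for path in embedded_paths(items):
        if not path.lower().endswith(".cpl"):
            return True, "Control Panel item would load non-.cpl module " + path
    return False, "Control Panel item points at a .cpl applet"


def scan_directory(root: str) -> list[tuple[str, str]]:
    """Return (file, reason) for every suspicious .lnk below root."""
    hits = []
    for lnk in Path(root).rglob("*.lnk"):
        try:
            suspicious, reason = check_lnk(lnk.read_bytes())
        except (OSError, ValueError):
            continue  # unreadable or not a shell link: skip, do not crash
        if suspicious:
            hits.append((str(lnk), reason))
    return hits


# --- constructed samples: assumed ItemID shapes, not captured from malware ---
def build_lnk(items: list[bytes]) -> bytes:
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header = header.ljust(HEADER_SIZE, b"\x00")  # remaining header fields zeroed
    id_list = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


def item(type_byte: int, payload: bytes) -> bytes:
    return bytes([type_byte]) + payload  # type bytes chosen for illustration


def utf16z(text: str) -> bytes:
    return text.encode("utf-16-le") + b"\x00\x00"


ROOT = item(0x1F, MY_COMPUTER_CLSID)
CONTROL_PANEL = item(0x2E, CONTROL_PANEL_CLSID)
# Module path quoted from the page; the surrounding file structure is constructed.
MALICIOUS_LNK = build_lnk([ROOT, CONTROL_PANEL, item(0x71, utf16z(r"\\IFLMUD5IM0425\FCRJBat\setup1092.fon"))])
BENIGN_CPL_LNK = build_lnk([ROOT, CONTROL_PANEL, item(0x71, utf16z(r"C:\Windows\System32\timedate.cpl"))])
PLAIN_FILE_LNK = build_lnk([ROOT, item(0x32, utf16z(r"C:\Users\alice\notes.txt"))])

if __name__ == "__main__":
    for name, sample in [("malicious", MALICIOUS_LNK), ("benign cpl", BENIGN_CPL_LNK), ("plain file", PLAIN_FILE_LNK)]:
        print(name, check_lnk(sample))
```

The scanner reads only the ID list and never resolves the target, so it is safe to run against a mounted removable drive or a share; `scan_directory` is the entry point for that use. The rule is deliberately narrow (Control Panel item plus a non-.cpl module path) to keep false positives low on ordinary shortcuts, which never carry the Control Panel CLSID.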

----------

This is a heuristic detection for exploits that target a specific vulnerability in the Microsoft Windows Shell, described in CVE-2010-2568.

At the time of research, malware exploiting this vulnerability in the wild had been identified; the vulnerability allows arbitrary code execution via a maliciously crafted .lnk file. Such malware has been observed spreading via removable USB drives, and the same technique could be used over shared folders, WebDAV or similar means.

See the following for more details on CVE-2010-2568 and the vendor's advisory:

  • http://www.microsoft.com/technet/security/advisory/2286198.mspx

The current Stinger also provides detection for .lnk files exploiting the CVE-2010-2568 vulnerability:

  • http://vil.nai.com/vil/stinger/

Symptoms

Executable components are loaded merely by viewing a folder that contains the malicious .lnk files, without clicking on them.

Method of Infection

This trojan targets a specific vulnerability in the Microsoft Windows Shell, described in CVE-2010-2568.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

4. Use the Microsoft Recovery Console to restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Remove the CD from the drive and restart the computer.

On Windows Vista and 7:

Insert the Windows installation disc into the drive and restart the computer.
Click "Repair Your Computer".
When the System Recovery Options dialog appears, choose Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Remove the disc from the drive and restart the computer.

Variants

    N/A
