
Today MS Security Essentials thought that a .lnk on my computer was infected and quarantined it.


It seemed legit to me, just a shortcut to my H2 (database) console script, which I had installed (in a non-standard directory) months ago. It also looked strange to me that it quarantined the shortcut but not the target script.

So, my first question: why would an antivirus/antimalware product consider a .lnk file dangerous, but not the target file? Can a .lnk file in itself be dangerous in some way (for example, by being malformed)?

The online information for that Trojan is not very informative.

I restored the quarantined shortcut, and, again, I don't see anything suspicious. I don't know the internals of the .lnk format, but at least it's recognized as a shortcut, and the properties panel looks right to me:


Would you agree that this is a false alarm? Can anybody imagine why this could be considered an infected or risky file?

leonbloy
  • Have you tried looking at this .lnk file with a (sandboxed) bitwise editor? It could have had its header injected with malicious code so that the function of the file doesn't change, and you can gather information from it, but executing it could trigger something. – psosuna Mar 27 '19 at 00:20
  • Not a complete answer, but: for all practical purposes, shortcuts *are* scripts. They're single-line only (plus the ability to set the working directory, which could save you a `cd` line), but a shell can pack multiple commands into a single line (PowerShell even supports base64-encoding entire script files and passing them as a single line). Since this one invokes `cmd.exe` - which is entirely unneeded for a .BAT file, incidentally, unless you've changed the default way those are opened - it is for all intents and purposes a one-line script. I don't know why it was quarantined, though. – CBHacking Mar 27 '19 at 01:16
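Added example, not from the question or the comments: a small Python parser for the Shell Link (MS-SHLLINK) format that pulls out the string fields a shortcut carries (relative path, working directory, command-line arguments), plus a defender-side triage that flags shortcuts which hand an interpreter a command line, as the second comment describes. The sample .lnk is constructed in memory by `build_lnk`; the function names and the triage heuristics are my own, not part of any scanner.

```python
import struct

# LinkFlags bits from the MS-SHLLINK specification (only those needed here).
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_REL_PATH), ("working_dir", HAS_WORK_DIR),
                 ("arguments", HAS_ARGS), ("icon_location", HAS_ICON)]
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
INTERPRETERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData of a Shell Link, i.e. what the shortcut really launches."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    pos = 0x4C                                   # end of the fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for key, bit in STRING_FIELDS:               # CountCharacters (2 bytes) + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def triage(fields: dict) -> list:
    """Constructed heuristics: a shortcut that hands an interpreter a command line is a one-line script."""
    target = fields.get("relative_path", "").rsplit("\\", 1)[-1].lower()
    args = fields.get("arguments", "")
    findings = []
    if target in INTERPRETERS and args:
        findings.append("launches interpreter %s with arguments" % target)
    if len(args) > 200 or "-enc" in args.lower():  # long or base64-encoded PowerShell command lines
        findings.append("long or encoded argument string")
    return findings

def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk (no IDList/LinkInfo) so the example runs offline."""
    flags = HAS_REL_PATH | HAS_WORK_DIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(0x4C, b"\0")
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body + b"\0\0\0\0"            # TerminalBlock closes the ExtraData section
```

The authoritative target of a real shortcut lives in the LinkTargetIDList, which this parser only skips over; the relative path and arguments are usually enough to see whether a shortcut runs an interpreter rather than the file it appears to point at.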
