Dec 14, 2010 09:16 GMT  ·  By

Security researchers warn about a new information stealing trojan which hijacks file shortcuts in order to ensure its execution after reboot, instead of adding registry entries.

According to malware analysts from German antivirus vendor Avira, upon execution, the trojan searches for .lnk (shortcut) files on the desktop and in a predefined set of folders.

It reads the target of each shortcut and renames the target file to click_[original_name].exe.

It then creates copies of itself with the original names in the same locations in order to be executed when users click on the shortcuts.

The copies contain instructions to run the renamed files after being executed themselves, in order to cover up the hijacking.
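The renaming scheme above leaves a recognisable footprint on disk: for every hijacked shortcut, a `click_<name>.exe` sits next to a `<name>.exe`, and all of the planted `<name>.exe` files are byte-identical copies of the trojan. The following script is an added example written for this page, not code from Avira or from the article; it scans a set of folders for that pairing and then hashes the suspected impostors to confirm they are identical copies. The folder layout and file contents are constructed in a temporary directory so it runs offline; the `build_sample_tree` helper and the `click_` prefix constant are assumptions taken from the description, not from a real sample.

```python
"""Defensive heuristic for the shortcut-hijacking pattern described in the advisory."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Prefix the trojan is reported to prepend to the renamed original target.
PREFIX = "click_"


def sha256_of(path):
    """Hash a file in chunks so large executables do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_hijacked_pairs(directory):
    """Return (suspected_impostor, renamed_original) path tuples for one folder.

    A pair is flagged when both click_<name>.exe and <name>.exe exist in the
    same directory, which is exactly the layout the renaming scheme produces.
    """
    names = set(os.listdir(directory))
    pairs = []
    for fname in sorted(names):
        lowered = fname.lower()
        if lowered.startswith(PREFIX) and lowered.endswith(".exe"):
            original = fname[len(PREFIX):]
            if original in names:
                pairs.append((os.path.join(directory, original),
                              os.path.join(directory, fname)))
    return pairs


def group_by_hash(paths):
    """Group files by SHA-256; copies planted by a single trojan share one hash."""
    groups = defaultdict(list)
    for p in paths:
        groups[sha256_of(p)].append(p)
    return dict(groups)


def scan(directories):
    """Scan several folders (the desktop plus any predefined set) and report.

    The hash grouping is the second signal: a user could legitimately have a
    click_foo.exe next to foo.exe, but several same-named impostors that are
    byte-identical to each other strongly suggest self-copies of one binary.
    """
    pairs = []
    for d in directories:
        if os.path.isdir(d):
            pairs.extend(find_hijacked_pairs(d))
    impostors = [impostor for impostor, _ in pairs]
    identical = {h: ps for h, ps in group_by_hash(impostors).items() if len(ps) > 1}
    return {"pairs": pairs, "identical_impostor_groups": identical}


def build_sample_tree():
    """Constructed sample (hypothetical): a fake desktop folder with two hijacked
    shortcut targets and one untouched program, written to a temp directory."""
    root = tempfile.mkdtemp(prefix="lnkhijack_")
    # Same bytes in every planted copy, mimicking the trojan copying itself.
    payload = b"CONSTRUCTED-IMPOSTOR-BYTES"
    for name in ("editor", "browser"):
        with open(os.path.join(root, f"click_{name}.exe"), "wb") as f:
            f.write(b"ORIGINAL-" + name.encode())   # the renamed real program
        with open(os.path.join(root, f"{name}.exe"), "wb") as f:
            f.write(payload)                         # impostor under the old name
    with open(os.path.join(root, "benign.exe"), "wb") as f:
        f.write(b"ORIGINAL-benign")                  # no click_ twin, not flagged
    return root


if __name__ == "__main__":
    report = scan([build_sample_tree()])
    for impostor, renamed in report["pairs"]:
        print(f"suspicious: {impostor} sits beside renamed {renamed}")
    for digest, copies in report["identical_impostor_groups"].items():
        print(f"byte-identical impostors ({digest[:12]}...): {copies}")
```

On a real machine the list passed to `scan` would be the user's desktop and the folders the trojan is said to enumerate; the filename pairing alone is a hint, and the hash grouping is what turns it into something worth acting on, since the original programs that were renamed will all hash differently while the planted copies will not.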

"The user will usually not notice that the target behind the lnk files is replaced. This is part of the strategy of the Trojan to remain undetected as long as possible," explains Alexandru Dinu, a virus researcher at Avira.

Once running in memory, the trojan monitors browsing sessions for login attempts on a list of hardcoded websites, including PayPal, Google, YouTube, Yahoo! and MSN.

Some Chinese sites like youku.com, tudou.com, sogou.com or soho.com are also targeted, possibly suggesting this threat's origin.

Furthermore, the login information captured by the trojan is sent to a website hosted on a server in China.

"The Trojan itself is written in Visual Basic and is not packed or otherwise obfuscated in any way. Avira protects from this threat and detects it as TR/Spy.Clickpal.A," the Avira virus researcher notes.

Unfortunately, the Avira advisory doesn't say how this trojan spreads on the Internet, whether it's through drive-by downloads, infected emails or some other technique. However, as always, users are advised to keep a capable and up-to-date antivirus product running.