
TrojanDownloader:BAT/Lnkget.F


First posted on 21 February 2019.
Source: Microsoft

Aliases :

There are no other names known for TrojanDownloader:BAT/Lnkget.F.

Explanation :

TrojanDownloader:BAT/Lnkget.F is a detection for shortcuts which connect to an FTP server and download and execute arbitrary VBScript files. These downloaded files have in turn generally downloaded and executed game password stealing malware, such as variants of the Win32/Helpud family.

Payload: Downloads and Executes Arbitrary Files

TrojanDownloader:BAT/Lnkget.F may be spammed to users in instant messages or e-mail containing Chinese text. It uses shortcut icons that resemble those of text or image files, such as the following:
  
When these shortcuts are clicked, the malware contacts a specified FTP server using the provided username and password and downloads a VBScript file. This file is saved to the Windows directory and then executed. It may be detected as TrojanDownloader:VBS/Lnkget.D.

In the wild we have observed an FTP server at the following host being used for this purpose: www.g03z.com

Examples of filenames used to save the downloaded file include:

x.bat
t.vbs

When run, the VBScript file also connects to an FTP server (in most cases the same one it was obtained from) and downloads a further file, which it saves to C:.exe (e.g. C:u.exe), and then executes. These files have generally been game password stealing malware, such as variants of the Win32/Helpud family.

The VBScript file also downloads a clean text or image file from a separate web server (usually with an address similar to www.ttff<3 digit number>.com, such as www.ttff884.com), and then displays it. This is most likely an attempt to prevent the user from noticing that malware has been installed.

The VBScript file may also attempt to stop the Application Layer Gateway (sharedaccess) service, and therefore disable the Windows Firewall and Internet Connection Sharing.

Analysis by Huzefa Mogri
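The behaviour chain described above (scripted FTP session, VBScript dropped into the Windows directory and launched through the script host, a second stage saved directly under C:, and the sharedaccess service being stopped) can be turned into simple co-occurrence rules over process command lines. The following is an added example, not code from Microsoft or from this page; the regular expressions, the rule names, the two-rule threshold and the sample events are assumptions constructed for illustration.

```python
import re

# One heuristic per stage of the chain described in the write-up.
# These patterns are assumptions for this example, not Microsoft's signatures.
RULES = {
    "ftp_scripted_session": re.compile(
        r"\bftp(\.exe)?\b[^\n]*(-s:|\bopen\s+\S+|\buser\s+\S+\s+\S+)", re.I),
    "vbs_in_windows_dir": re.compile(
        r'(%windir%|%systemroot%|c:\\windows)\\[^\s"]+\.vbs', re.I),
    "script_host_launch": re.compile(r"\b[wc]script(\.exe)?\b", re.I),
    "exe_at_drive_root": re.compile(r"\bc:\\[a-z0-9]{1,3}\.exe\b", re.I),
    "stop_sharedaccess": re.compile(
        r'\b(net|sc)\s+stop\s+"?sharedaccess"?', re.I),
}


def matched_rules(command_line):
    """Return the sorted names of the rules that fire on one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(command_line))


def is_suspicious(command_line, min_rules=2):
    """Flag only when at least min_rules stages co-occur: a lone
    'net stop sharedaccess' typed by an administrator should not alert."""
    return len(matched_rules(command_line)) >= min_rules


def triage(events):
    """events: iterable of (event_id, command_line).
    Returns {event_id: [rule names]} for the suspicious ones only."""
    return {eid: matched_rules(cl) for eid, cl in events if is_suspicious(cl)}


# Constructed process-creation records (not captured data from the page).
# Event 2 reuses the x.bat / t.vbs filenames the write-up lists.
SAMPLE_EVENTS = [
    ("1", r'"C:\Windows\notepad.exe" C:\Users\alice\Desktop\readme.txt'),
    ("2", r'cmd.exe /c ftp -s:C:\Windows\x.bat & wscript C:\Windows\t.vbs'),
    ("3", r'net stop sharedaccess'),
    ("4", r'cmd.exe /c net stop sharedaccess & C:\u.exe'),
]

if __name__ == "__main__":
    for eid, rules in triage(SAMPLE_EVENTS).items():
        print(eid, rules)
```

Run against real process-creation telemetry (for example Sysmon event 1 or 4688 command lines), the rules are deliberately loose; the co-occurrence threshold, not any single pattern, is what keeps the false-positive rate tolerable.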

Last update 21 February 2019
