Vobfus and Chymine malware families using .LNK vulnerability detected

Microsoft added detection for two new malware families using the vulnerability discussed in SA2286198:

"First is V(isual Basic) + obfuscated = Vobfus, which has been using shortcut files as a social engineering technique to get users to run its code. However, these shortcut files didn't automatically run. Vobfus also drops an autorun.inf file to run its copy in the drive if Autorun is enabled. New samples of Vobfus.H drop a specially-crafted, malicious shortcut file that exploits SA2286198. We detect these malicious links as Exploit:Win32/CplLnk.B, the same detection as some of the shortcut files associated with the vulnerability exploited by the Stuxnet family. Another new malware, Chymine, or Trojan:Win32/Chymine.A, is launched by a malicious shortcut detected as Exploit:Win32/CplLnk.A. It drops another trojan, TrojanSpy:Win32/Chymine.A, which logs user keystrokes and downloads other malware," revealed the MMPC blog.

Microsoft Security Essentials prevents the exploit, or you can disable the display of shortcut icons as described in Knowledge Base Article KB2286198.
