New Information Stealing Trojan Hijacks Shortcuts



Security researchers warn about a new information stealing trojan which hijacks file shortcuts in order to ensure its execution after reboot, instead of adding registry entries.

According to malware analysts from German antivirus vendor Avira, upon execution, the trojan searches for .lnk (shortcut) files on the desktop and in a predefined set of folders.

It reads the target of those shortcuts and renames the files to click_[original_name].exe.

It then creates copies of itself with the original names in the same locations in order to be executed when users click on the shortcuts.

The copies contain instructions to run the renamed files after being executed themselves, in order to cover up the hijacking.

"The user will usually not notice that the target behind the lnk files is replaced. This is part of the strategy of the Trojan to remain undetected as long as possible," explains Alexandru Dinu, a virus researcher at Avira.

Once running in memory, the trojan monitors browsing sessions for login attempts on a list of hardcoded websites, including PayPal, Google, YouTube, Yahoo! and MSN.

More info: http://news.softpedia.com/news/New-Information-Stealing-Trojan-Hijacks-Shortcuts-172426.shtml
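
A triage check for the file pattern described above, as an added example that is not part of the original post or of Avira's analysis: it walks the given folders and reports every executable that sits next to a `click_<name>.exe` sibling. It assumes `[original_name]` means the file name without its extension; the function names and the sample directory tree are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

PREFIX = "click_"  # rename prefix reported in the article

def sha256_of(path):
    """Hash a file in chunks so large executables are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_hijack_pairs(roots):
    """Return one finding per <name>.exe that has a click_<name>.exe sibling."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            by_lower = {f.lower(): f for f in files}  # Windows names are case-insensitive
            for lower, actual in sorted(by_lower.items()):
                if not (lower.startswith(PREFIX) and lower.endswith(".exe")):
                    continue
                sibling = by_lower.get(lower[len(PREFIX):])
                if sibling is None:
                    continue  # a lone click_*.exe is not the described pattern
                suspect = Path(dirpath) / sibling   # sits at the original name
                renamed = Path(dirpath) / actual    # assumed to be the real program
                findings.append({
                    "suspect_copy": str(suspect),
                    "renamed_original": str(renamed),
                    "suspect_sha256": sha256_of(suspect),
                    "suspect_size": suspect.stat().st_size,
                    "original_size": renamed.stat().st_size,
                })
    return findings

def demo():
    """Scan a constructed tree: one hijack-style pair, one benign folder."""
    with tempfile.TemporaryDirectory() as tmp:
        app, clean = Path(tmp) / "App", Path(tmp) / "Clean"
        app.mkdir(); clean.mkdir()
        (app / "tool.exe").write_bytes(b"constructed stand-in copy")
        (app / "click_tool.exe").write_bytes(b"constructed original" * 10)
        (clean / "viewer.exe").write_bytes(b"constructed benign file")
        (clean / "click_me.exe").write_bytes(b"no me.exe beside it")
        return find_hijack_pairs([tmp])

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A match is a lead for further analysis, not a verdict: legitimate software can ship files whose names happen to start with `click_`, so compare the reported hash and sizes against a known-good copy of the program.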