Malicious LNK worm remediation workflow
Follow these steps to remediate a malicious LNK worm attack.
Introduction
This knowledge base article has useful information on dealing with an LNK worm. See How to Investigate LNK Malware.
Identify the threat
To confirm that you have an active LNK worm, do as follows.
- Check your alerts to see whether Sophos is detecting or cleaning .lnk files.
- Look for files with a .lnk extension being repeatedly generated where you wouldn't expect to find them, for example on your file shares. These files are repeatedly dropped in a location after being detected and cleaned. Your devices have an infection in memory which is dropping the files. You need to find the source of the infection.
- Your users may find that their shortcuts no longer work correctly.
Investigate using Source of Infection
To find the source of the infection, do as follows:
- Download and run the Source of Infection tool. See Sophos source of infection tool (SOI): How to download and use.
- Move the Source of Infection tool to the device you want to investigate.
- Extract SourceOfInfection.exe to the root of the C: drive.
- Open Command Prompt as an administrator.
- Find and run SourceOfInfection.exe.
- Press Enter to run the command.
- Leave Source of Infection running. You must leave the Command Prompt window open to do this.
- When a new LNK detection occurs on the device, stop Source of Infection by closing the Command Prompt window.
- Review the log file to find out where the infection is coming from. You can find the log file in %temp%\Source of Infection Log.csv. This is an example of a log file:

Date/Time        Filepath                              Process/Network   Process path/Machine name
27-12-19 11:30   C:\TestShareOn2016\__\DriveMgr.exe    Network           192.168.30.141
27-12-19 11:30   C:\TestShareOn2016\.lnk               Network           192.168.30.141

The log gives you positive confirmation of an IP address that is possibly infected and needs remediation.
In this example, we have identified 192.168.30.141 as dropping .LNK files and DriveMgr.exe in a share called TestShareOn2016.
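When a Source of Infection log covers a busy share it can run to many rows, and the useful question is which remote machines wrote .lnk or executable files over the network. The following script is an added example, not Sophos code: it assumes the CSV uses the four column headings shown in the article with a comma delimiter (the real tool's exact delimiter and quoting are not confirmed by the article), and its sample rows are constructed, extending the article's example with extra entries, including a second, invented source address (192.168.30.77), to show the grouping. Local process writes (for example explorer.exe updating a user's own shortcut) are deliberately excluded, since the worm's replication shows up as network writes.

```python
"""Summarise a Source of Infection log to find which remote machines are
dropping .lnk and .exe files on a share. Added example, not Sophos code."""
import csv
import io
from collections import defaultdict

# Constructed sample in the four-column layout shown in the article:
# Date/Time, Filepath, Process/Network, Process path/Machine name.
# The comma delimiter is an assumption about the real tool's output.
SAMPLE_LOG = """Date/Time,Filepath,Process/Network,Process path/Machine name
27-12-19 11:30,C:\\TestShareOn2016\\__\\DriveMgr.exe,Network,192.168.30.141
27-12-19 11:30,C:\\TestShareOn2016\\.lnk,Network,192.168.30.141
27-12-19 11:31,C:\\TestShareOn2016\\Reports.lnk,Network,192.168.30.141
27-12-19 11:32,C:\\Users\\alice\\Desktop\\Notes.lnk,Process,C:\\Windows\\explorer.exe
27-12-19 11:33,C:\\TestShareOn2016\\Budget.lnk,Network,192.168.30.77
"""

# File types an LNK worm drops: the shortcut itself and the payload it points at.
SUSPECT_EXTENSIONS = (".lnk", ".exe")


def parse_soi_log(text):
    """Return the CSV text as a list of dict rows keyed by column heading."""
    return list(csv.DictReader(io.StringIO(text)))


def network_droppers(rows, extensions=SUSPECT_EXTENSIONS):
    """Map each remote machine (IP address or hostname) to the sorted list of
    suspect files it wrote over the network. Rows whose writer is a local
    process are skipped: those are the device's own activity, not replication."""
    by_source = defaultdict(set)
    for row in rows:
        if row["Process/Network"].strip().lower() != "network":
            continue
        path = row["Filepath"].strip()
        if path.lower().endswith(extensions):
            by_source[row["Process path/Machine name"].strip()].add(path)
    return {src: sorted(paths) for src, paths in by_source.items()}


def rank_sources(droppers):
    """Order sources by number of suspect files, most active first, so the
    first entry is the machine to isolate and scan first."""
    return sorted(droppers.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def share_of(path):
    """Top-level directory of a Windows path, e.g. C:\\TestShareOn2016,
    so the report names the share being written to."""
    parts = path.split("\\")
    return "\\".join(parts[:2]) if len(parts) > 1 else path


if __name__ == "__main__":
    rows = parse_soi_log(SAMPLE_LOG)
    for source, paths in rank_sources(network_droppers(rows)):
        shares = sorted({share_of(p) for p in paths})
        print(f"{source}: {len(paths)} suspect file(s) in {', '.join(shares)}")
        for p in paths:
            print(f"    {p}")
```

To use it on a real log, replace SAMPLE_LOG with the contents of %temp%\Source of Infection Log.csv; the first source printed is the device to remediate first, and any further sources are candidates for the repeated scan-and-rerun cycle described in the remediation steps.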
Remediate an active LNK worm
To remove the worm, do as follows:
- If the infected device doesn't have Sophos Endpoint Protection, install it.
- Run a full scan. This removes the infection.
- If you're still getting .lnk files dropped in the location, you have a novel infection. Find the .lnk file and submit a sample.
- Download Autoruns for Windows and use it to find the worm. See How to use Microsoft Autoruns to locate undetected malware.
- Check the following locations, as they're the most likely places you'll find the worm:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Change the user account you're viewing. A non-standard user account may be loading the worm. To view other users in Autoruns, do as follows:
  - Click File > Run as Administrator. Wait for the information in Autoruns to reload.
  - Click Users and check each user account for the worm. This worm can hide under different user accounts. The following image shows an example of infected user account information in Autoruns.
- When you've found the files, zip them to prevent the files from running.
- Submit the files. Sophos will respond to the sample submission. If the files are malicious, Sophos updates its signature files.
- Do a full scan and check that any new detections are cleaned.
- If you still have signs of an active LNK worm, you have additional undetected malware on your devices. It may take several attempts to remove the worm, as a single variant or unprotected device can produce new .lnk malware files on protected and clean devices. To deal with this, do as follows:
  - Do full scans of all your devices.
  - Rerun Source of Infection to see where the infection is coming from.
  - Repeat these steps until you no longer get .lnk malware files replicated onto your devices.
Malicious LNK worm remediation video
This video covers this workflow.