Malicious LNK worm remediation workflow

Follow these steps to remediate a malicious LNK worm attack.

Introduction

This knowledge base article has useful information on dealing with an LNK worm. See How to Investigate LNK Malware.

Identify the threat

To confirm that you have an active LNK worm, do as follows.

Check your alerts to see whether Sophos is detecting or cleaning .lnk files.
Look for files with a .lnk extension being repeatedly generated where you wouldn't expect to find them, for example your file shares.

These files are repeatedly dropped in a location after being detected and cleaned. Your devices have an infection in memory which is dropping the files. You need to find the source of the infection.
Your users may find that their shortcuts no longer work correctly.

Investigate using Source of Infection

To find the source of the infection, do as follows:

Download and run the Source of Infection tool. See Sophos source of infection tool (SOI): How to download and use.
1. Move the Source of Infection tool to the device you want to investigate.
2. Extract SourceOfInfection.exe to the root of the C drive.
3. Open Command Prompt as an administrator.
4. Find and run SourceOfInfection.exe.
5. Press Enter to run the command.
6. Leave Source of Infection running. You must leave the command prompt window open to do this.
7. When a new LNK detection occurs on the device, stop Source of Infection by closing the command prompt window.

Review the log file to find out where the infection is coming from. You can find the log file in %temp%\Source of Infection Log.csv.

This is an example of a log file.

Date/Time	Filepath	Process/Network	Process path/Machine name
27-12-19 11:30	`C:\TestShareOn2016\__\DriveMgr.exe`	Network	192.168.30.141
27-12-19 11:30	`C:\TestShareOn2016\.lnk`	Network	192.168.30.141

You should have positive confirmation of an IP that is possibly infected and needs remediation actions.

In this example, we have identified 192.168.30.141  as dropping .LNK and DriveMgr.exe in a share called TestShareOn2016.

Remediate an active LNK worm

To remove the worm, do as follows:

If the infected device doesn't have Sophos Endpoint Protection, install it.
Run a full scan.

This removes the infection.
If you're still getting .lnk files dropped in the location, you have a novel infection. Find the .lnk file and Submit a Sample.
Download Autoruns for Windows and use it to find the worm.

See How to use Microsoft Autoruns to locate undetected malware.
Check the following locations as they're the most likely places you'll find the worm.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Change the user account you're viewing. A non-standard user account may be loading the worm. To view other users in Autoruns, do as follows:
1. Click File > Run as Administrator.
  
  Wait for the information in Autoruns to reload.
2. Click Users and check each user account for the worm.
  
  This worm can hide under different user accounts. The following image shows an example of infected user account information in Autoruns.
When you've found the files, zip them to prevent the files from running.
Submit the files.

Sophos will respond to the sample submission. If the files are malicious, Sophos updates its signature files.
Do a full scan and check any new detections are cleaned.
If you still have signs of an active LNK worm, you have additional undetected malware on your devices. It may take several attempts to remove the worm, as a single variant or unprotected device can produce new .lnk malware files on protected and clean devices. To deal with this, do as follows:
1. Do full scans of all your devices.
2. Rerun Source of Infection to see where the infection is coming from
3. Repeat these steps until you no longer get .lnk malware files replicated onto your devices.

Malicious LNK worm remediation video

This video covers this workflow.