Microsoft has released a security advisory (2286198). The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled. Although Microsoft has given no official statement on the Zero-day, independent security researchers could verify it. The first stage malware that uses the Zero-day vulnerability drops and executes two files. One of the files is a trojan horse; the other one is a rootkit that hides the trojan horse. The rootkit uses drivers that were digitally signed by Realtek, so no warning is displayed in Windows when the drivers are installed, even though the certificate used to sign the files expired in June 2010. FAQ’s on this threat : 1. What is the issue with .LNK files and how can it be exploited? A. Security Researchers analyzed malware that was exploiting a design flaw in parsing shortcut (.LNK) files. This issue gets triggered because the Windows Shell component does not validate parameters sent out in the shortcut. This issue can be exploited via any mechanism that makes the user load the icon of the .LNK file. 2. Does the malware need a payload (shellcode) to exploit this flaw? A. Since this is a design issue in the way shortcuts are parsed, no malicious payload (shellcode) is required to exploit this flaw. The .LNK file needs to point to a malicious file, the path of which needs to be hardcoded in the shortcut. 3. What are the requirements to successfully exploit this flaw? A. This flaw can be triggered when Windows Explorer or Internet Explorer tries to render a malformed .LNK file that point to a malicious executable. The user need not double-click on the .LNK file to trigger the vulnerability; just opening the folder containing the malicious shortcut is enough to get infected. 4. What are the most likely attack vectors used to exploit this vulnerability? A. USB drives are likely to be affected the most. The malware discovered in the wild was exploiting this issue via a USB drive. File sharing over SMB is another likely vector to exploit this flaw and this can lead to widespread malware infections over internal networks. WebDAV shares are equally susceptible to exploitation. 5. What are the affected platforms? A. Microsoft has acknowledged that all supported platforms are affected. More details are available in the Microsoft security advisory. Windows XP SP2 is not listed in the list of affected platforms from Microsoft, so there is a chance of Windows XP SP2 users might remain vulnerable. 6. How widely is the issue being exploited? A. The issue is known to be exploited by malware in the wild. Initial attacks were limited. However, an exploit module in metasploit was published today that uses WebDAV shares as an exploit vector. We expect wider exploitation of this issue. For information on this threat: http://www.securelist.com/en/blog?calendar=2010-07 http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx http://isc.sans.edu/diary.html?storyid=9190 Exploit code:http://www.securityfocus.com/bid/41732/exploit Definitions from Symantec For this Threat: Symantec W32.Temphid Symantec(BETA) W32.Temphid Symantec(Online) W32.Temphid SymantecW32.Stuxnet!lnk http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-071810-1516-99&tabid=2 Note: Virus definitions dated July 19, 2010 or earlier may detect this threat as W32.Temphid!lnk