Alert level

Exploit:Win32/CplLnk.A

(?)

Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Jul 16, 2010

Aliases
  • CVE-2010-2568 (other)
  • Worm/AutoRun.JV (AVG)
  • Trojan.Agent.AQCL (BitDefender)
  • LNK/Stuxnet.A (CA)
  • Trojan.Stuxnet.1 (Dr.Web)
  • LNK/Autostart.A (ESET)
  • Trojan-Dropper.Win32.Stuxnet.a (Kaspersky)
  • Stuxnet!lnk (McAfee)
  • Trj/Trecu.Lnk (Panda)
  • W32/Stuxnet-B (Sophos)
  • W32.Stuxnet!lnk (Symantec)
  • LNK_STUXNET.A (Trend Micro)
  • Exploit.CplLnk.Gen (VirusBuster)

Alert Level (?)
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.143.79.0
Released: Jan 16, 2013 		Detection initially created:
Definition: 1.87.23.0
Released: Jul 16, 2010

 

Summary

Exploit:Win32/CplLnk.A is a generic detection for specially-crafted, malicious shortcut files that exploit the vulnerability that is currently exploited by the Win32/Stuxnet family. When a user browses a folder that contains the malicious shortcut using an application that displays shortcut icons, the malware runs instead.

Top

 

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

Top

 

Technical Information (Analysis)

Exploit:Win32/CplLnk.A is a generic detection for specially-crafted, malicious shortcut files that exploit the vulnerability that is currently exploited by the Win32/Stuxnet family. When a user browses a folder that contains the malicious shortcut using an application that displays shortcut icons, the malware runs instead.
 
An example of an application that displays shortcut icons is Windows Explorer. No further user interaction is required, in most cases. In the case of Win32/Stuxnet, Exploit:Win32/CplLnk.A points to the malware stored on a USB device using the device descriptor, as in this pseudo-example:
 
\\.\Storage\Volume\USBStor\{CLSID value}\~WTR4141.tmp
 
Successful exploitation results in the malware running with the privileges of the logged-on user.
Additional Information
This vulnerability is referenced as Microsoft Security Bulletin MS10-046 and CVE-2010-2568.
 
Analysis by Peter Ferrie

Top

 

Prevention

Take these steps to help prevent infection on your computer.


Top

 

Recovery

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
Additional recovery instructions
This threat exploits a vulnerability discussed in Microsoft Security Bulletin MS10-046. Make sure that you install the updates available from Microsoft so that your software is no longer affected by the vulnerability.

Top

Provide feedback