Lnk File Open With



To change which program opens a file type, right-click a file with the extension whose association you want to change, and then click Open With. In the Open With dialog box, click the program with which you want the file to open, or click Browse to locate the program that you want. Select the "Always use the selected program to open this kind of file" check box. LNK files, also known as shortcut files, are used by Windows as a reference to an original file. They contain the shortcut target type, filename, location, the program that can open the file, and an optional shortcut key. When you click a .lnk shortcut, it launches the program associated with the .exe file that the shortcut refers to. .lnk files appear on your desktop as an icon with a small, curled arrow. They are useful when you want quick access to an application that you use frequently.

Malware

We have seen an increase in attacks that leverage malicious LNK files that use legitimate apps—like PowerShell—to download malware or other malicious files.

Update as of May 30, 2017, 5:00 AM CDT to update the date referencing Trojan downloaders that used .zip files within .zip files from '2016' to '2017'.

PowerShell is a versatile command-line and shell scripting language from Microsoft that can integrate and interact with a wide array of technologies. It runs discreetly in the background, and can be used to obtain system information without an executable file. All told, it makes an attractive tool for threat actors. There were a few notable instances where cybercriminals abused PowerShell: in March 2016 with the PowerWare ransomware, and in a new Fareit malware variant in April 2016. Because this seemed to be an upward trend, security administrators became more familiar with how to prevent PowerShell scripts from doing any damage.

However, cybercriminals are staying ahead of the curve by using an alternative means of executing PowerShell scripts: Windows LNK files. LNK files are usually seen by users as shortcuts, and are used in places like the Desktop and Start Menu. LNK was already used as an attack vector as early as 2013. And in early 2017, we noted how Trojan downloaders used a .zip within a .zip to disguise a LNK file attachment that led to the Locky ransomware.

Now, we’re seeing an increase in attacks that leverage malicious LNK files that use legitimate apps—like PowerShell—to download malware or other malicious files. To illustrate how the trend of using LNK files is rising, note how one single LNK malware (identified by Trend Micro as LNK_DLOADR.*) has had a significant jump in detections since January 2017. The steep rise shows how popular this method is becoming:

Figure 1. Detected LNK_DLOADR over a 4 month period

Recent LNK-PowerShell and ChChes attacks

In October 2016 we saw attackers using the combination of LNK, PowerShell, and the BKDR_ChChes malware in targeted attacks against Japanese government agencies and academics. The attack used a fake .jpg extension to camouflage the malicious PowerShell file.

Figure 2. Attack used to compromise Japanese targets in October 2016

In January 2017 we spotted the group APT10 (also called MenuPass, POTASSIUM, Stone Panda, Red Apollo, and CVNX) using a similar attack for a widespread spear phishing campaign. In this version, the LNK file executes CMD.exe, which in turn downloads a fake .jpg file hiding the malicious PowerShell script.

The group has continued to evolve their cyberespionage activities, and in April 2017 they used a similar strategy to also download BKDR_ChChes, which is a popular malware used in targeted attacks.

New LNK-PowerShell attacks

We identified one campaign, likely still ongoing, that has a new and complicated LNK strategy. These attackers seem to be using several layers of built-in Windows command-line tools. They send a phishing email with lures that push the victim to “double click for content”, typically a DOCX or RTF file embedded with a malicious LNK. Instead of directly executing PowerShell, the LNK file executes MSHTA.exe (a file used for opening HTML applications), which executes JavaScript or VBScript code that in turn downloads and executes the PowerShell script. The PowerShell script then executes a reverse shell (like Metasploit or Cobalt Strike) to complete the compromise.

Figure 3. Complex LNK attack leveraging MSHTA.exe files

Last month we identified another spear phishing campaign also using a combination of LNK and PowerShell. Unfortunately, the Command and Control (C&C) server where the main payload was stored is no longer accessible.

Their strategy seems to have fewer layers: the LNK file is embedded in a document file and if a user double clicks to open the message, it executes a PowerShell file (or a similar Windows command line tool) to download another script. The other script then downloads the main payload.

Figure 4. A less complicated LNK-PowerShell attack

We believe this specific attack may be politically motivated due to the economic and controversial subject of the decoy document. However, a full analysis is tricky because the trail ends when one of the C&C servers dies. Without the full picture, it is difficult to associate this type of attack with known campaigns.

Hidden LNK commands

In many cases, these malicious LNK files can reveal valuable information about the attacker’s development environment. To help get this information, a quick analysis is possible by viewing the properties of the file.

However, we are encountering cases where the command line argument is so long that it is no longer fully visible in the Properties > Shortcut window. When viewed, only the target application (CMD.exe, MSHTA.exe, and other non-malicious command line applications) is seen.

Figure 5. Only the target application is visible

Our tests revealed that the maximum length for Shortcut > Properties > Target is only 260 characters. Anything longer than that will not be visible. However, the maximum length for a command line argument is 4096 characters.

The attacker pads the argument with several spaces or newline characters before the malicious portion. Using a parser tool reveals that the argument is much longer than what the Properties window shows (Figure 6), though the shortcut still works normally:

Figure 6. Padded file hiding malicious code

Attackers take advantage of this to try and disguise or hide the malicious portion of the code. This padding strategy may prevent a quick analysis of a LNK file, but any LNK parser can still extract the arguments without any problem.
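The padding check described above can be automated. The following is an added example, not code from the article or from any tool it mentions: it reads the COMMAND_LINE_ARGUMENTS string directly from the Shell Link (MS-SHLLINK) structure and reports leading padding and whether the argument exceeds the 260-character Target field limit. The function names and the sample link are constructed for illustration.

```python
import struct

# LinkFlags bits from the Shell Link (MS-SHLLINK) header
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, IS_UNICODE = 0x10, 0x20, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
UI_LIMIT = 260  # Target field limit reported in the article

def lnk_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a .LNK blob ('' if none)."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76
    if flags & HAS_IDLIST:      # 2-byte size, then the item ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:    # 4-byte size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    # StringData fields appear in this fixed order, each only if its flag is set
    for flag in (HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS):
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]
            raw = data[off + 2:off + 2 + count * width]
            off += 2 + count * width
            if flag == HAS_ARGS:
                # cp1252 for non-Unicode links is an assumption (system code page)
                return raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return ""

def triage(data):
    """Report argument length, leading padding and the command behind it."""
    args = lnk_arguments(data)
    payload = args.lstrip(" \t\r\n")
    return {
        "arg_len": len(args),
        "leading_padding": len(args) - len(payload),
        "over_ui_limit": len(args) > UI_LIMIT,
        "payload": payload,
    }

def build_sample(args):
    """Constructed minimal link for the demo: header plus arguments only."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ARGS | IS_UNICODE) + bytes(52)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")

if __name__ == "__main__":
    # Constructed input: 300 spaces of padding in front of a harmless command
    print(triage(build_sample(" " * 300 + "/c echo constructed-sample")))
```

A link whose `leading_padding` is large or whose `over_ui_limit` is true shows only part of its command in the Properties window and should be reviewed from the parsed `payload` instead.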

Recommendations and best practices

Malware developers continue to upgrade their tools and look for different ways to deliver their malicious payloads. Leveraging these LNK files is another strategy, but there are ways to prevent and mitigate these threats:

  • Upgrading PowerShell to version 5, which is available as part of the Windows Management Framework and included on Windows 10, is recommended. Using Group Policy to turn on logging makes it easier to check for breaches.
  • Users and enterprises alike should be wary of executable files received through email. Most files ending in *.EXE are auto-rejected on an email server, but if security is a concern then administrators should consider adding *.LNK to the list.
  • It is similarly not advisable to open any LNK file received via email (or from anywhere outside your machine).

To identify if it is a LNK file or not:

  1. If inside an archive (e.g. WinRAR, WinZip), the LNK extension is clearly visible, as well as the “Type” (it says “Shortcut”).
  2. For any Windows folder, you have to modify the registry if you want LNK files to be displayed. A small overlay arrow icon pointing to the upper right is one of the identifiers of a LNK file. Another way to do this: switch the Windows folder to “Details View”, then check the “Type”.
  3. For LNK embedded in Word documents, users have to be aware of these types of attacks to know what to look for. The bottom line is: never open these kinds of documents without verifying the source. If your organization does not need any packager objects, then there is a way to disable the feature totally by editing the registry.

Trend Micro™ Smart Protection for Endpoints with Maximum XGen™ security infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across user activity and any endpoint—the broadest possible protection against advanced attacks.

Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real-time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats, even without any engine or pattern update.

Most computer users will know that certain locations on your computer can store information about what you have done. Web browser history is one area that everyone knows can store computer and personal data. In Windows there are other less well known places that can record information you wouldn’t necessarily expect. Some are used when looking for forensic data and determining the history of certain files. One of those areas is the humble Windows .LNK shortcut file.

On the face of it a simple shortcut is a tiny file that points to another file, such as an executable to launch a program from your desktop. Some details about the shortcut can be obtained by right clicking on it and clicking Properties. The Shortcut tab shows things like where the target file is located while the Details tab will show the date when the shortcut was created. But there’s much more to a standard shortcut than you might think.

Actually, all .LNK shortcut files contain large amounts of data that identify the computer on which they were created as well as the computer they are currently on. For instance, inside the file data the network adapter MAC address and name of the original computer are stored along with any used network paths. Even the label, type and serial number of the drive it was created on are viewable. There is also much more data relating to times and dates to be found.
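The machine name and MAC address mentioned above live in the link's TrackerDataBlock, as defined in Microsoft's MS-SHLLINK specification. The following added example (not code from any tool listed here) finds that block by its fixed prefix, an assumption that avoids walking the whole file, and decodes it; the function names and all sample values are constructed.

```python
import struct
import uuid

# Fixed start of a TrackerDataBlock: BlockSize, BlockSignature, Length
TRACKER_PREFIX = struct.pack("<III", 0x60, 0xA0000003, 0x58)

def mac_of(guid):
    """MAC from the node field of a version-1 GUID; None for other versions."""
    if guid.version != 1:
        return None
    return ":".join(f"{b:02x}" for b in guid.node.to_bytes(6, "big"))

def tracker_info(data):
    """Find the TrackerDataBlock by its prefix and decode machine name and GUIDs."""
    pos = data.find(TRACKER_PREFIX)
    if pos < 0 or len(data) < pos + 0x60:
        return None
    block = data[pos:pos + 0x60]
    # Layout after the 16-byte block header: MachineID[16], Droid[32], DroidBirth[32]
    machine = block[16:32].split(b"\0", 1)[0].decode("ascii", "replace")
    vol, obj, birth_vol, birth_obj = (
        uuid.UUID(bytes_le=block[o:o + 16]) for o in (32, 48, 64, 80))
    return {
        "machine_id": machine,
        "volume_id": str(vol),
        "mac": mac_of(obj),
        "birth_mac": mac_of(birth_obj),
        "ids_changed": (vol, obj) != (birth_vol, birth_obj),
    }

def build_tracker(machine, droid, birth):
    """Constructed TrackerDataBlock for the demo (version field = 0)."""
    body = machine.encode("ascii").ljust(16, b"\0")
    for guid in (*droid, *birth):
        body += guid.bytes_le
    return TRACKER_PREFIX + struct.pack("<I", 0) + body

# Constructed values: made-up machine name, volume GUID and MAC addresses
VOL = uuid.UUID("11111111-2222-4333-8444-555555555555")
OBJ = uuid.UUID(fields=(0x9E2F3A10, 0x4B7C, 0x11E7, 0x80, 0x01, 0x001122334455))
OLD = uuid.UUID(fields=(0x1C0FFEE0, 0x2A5B, 0x11E6, 0x80, 0x02, 0x66778899AABB))
SAMPLE = bytes(76) + build_tracker("DEV-WS01", (VOL, OBJ), (VOL, OLD))

if __name__ == "__main__":
    print(tracker_info(SAMPLE))
```

The MAC address is only recoverable when the object GUID is version 1; for other GUID versions `mac_of` returns `None` rather than a misleading value.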

If you want to look at what data is being stored inside your shortcuts you will need a third party tool to decode that information as something like a hex editor will just show mostly gibberish. Here are 5 free tools for you to try out.

1. Lnkanalyser

In terms of ease of use, Lnkanalyser is about as simple as it gets for a command line tool. The amount of information it displays over and above the Details tab in File Explorer is quite reasonable although some other tools listed here can show more. The only argument needed is to supply the path and filename of the .LNK file.

lnkanalyser -i [path]\shortcut.lnk

Normal information for the paths and dates/times of the shortcut and the file it references are shown. In addition, you can view normally hidden details such as original timestamps, the name, serial number and type of drive the shortcut was created on, the name of the computer it was created on, network path/name and also the MAC address of the network adapter on the original computer.

Download lnkanalyser

2. Windows File Analyzer

As the name suggests, Windows File Analyzer is a dedicated tool for gathering all sorts of information about specific files on your computer. That includes thumbnails, Windows Prefetch files, Index.DAT files, Recycle Bin files and lnk shortcuts. The program is multi tabbed so you can have several analysis processes open at once. It’s also a portable standalone executable.

Click the green/yellow button or the option in the File menu to analyze some shortcuts, browse for the folder and a list of all .LNK shortcuts will appear. The window will give standard details like created, written and accessed dates along with the more advanced data like hard disk name and serial, computer name and network card MAC address. Double click to get the same information in a box. Clicking to expand the entry can also give creation dates for all folders in the path to the file. Reports can be printed out but not directly saved to a file.

Download Windows File Analyzer

3. LECmd

Although LECmd is a command line tool, it does require .NET Framework 4.6 to function, so everyone other than Windows 10 users will need to have installed it. The tool doesn’t have too many arguments and you can view what’s available by simply typing lecmd.exe into Command Prompt. Use -f to get data for a single .LNK file or -d to process a directory of files.

lecmd -f [path]\shortcut.lnk
lecmd -d path

LECmd has the ability to output the information directly to a CSV, XML, HTML or JSON file. Supply one or more of the arguments --[html/csv/xml/json] and the target directory to save each file. Add -q for a large folder full of shortcuts to skip outputting to the console and decrease processing time.

lecmd -d [path] --html C:\html --xml C:\xml --csv C:\csv -q

The output is detailed and shows some quite advanced information such as path and file accessed and created dates, icon index and window information, hard drive type/serial/label, network share information, machine ID, MAC address and network adapter vendor.

Download LECmd

4. Link Parser

Link Parser is by forensics and security firm 4Discovery. It’s a simple and completely portable tool to read a sizable amount of information from an lnk shortcut file. All the gathered information can be saved to a CSV file for future use. One issue we encountered while using Link Parser was that the file open option didn’t seem to work, so opening a folder will have to be used instead.

After opening a folder containing some .LNK shortcut files, you’ll get quite a bit of information to read. All the current and original file creation dates and times are available along with useful data like original drive type, drive name, drive serial number, network name, relative path and computer name. Interestingly, Link Parser shows the current VolumeID, ObjectID and MAC address and also those values when the file was created. Note you will have to close and reopen the program to clear the data from the window.

Download Link Parser

5. LNK Parser

LNK Parser is another command line tool but it can also be used without manually typing commands. To do that, double click the LNK Parser executable and drop a .LNK shortcut or folder onto the window. Optionally generate a report (supply the path if you selected to generate a report), answer a couple of simple questions and press Y or N to choose whether the output is sent to the console window. You will also get the same steps by typing lnk_parser_cmd directly into Command Prompt without arguments.

The command line options are basically the same as the wizard steps, supplied manually as arguments.

lnk_parser_cmd -o [save report path] -w (html report) -c (csv report) path\[shortcut.lnk]

The amount of information is similar to other tools here and you get the more basic data as well as the hidden data. This includes source drive details, NetBIOS name, MAC address, folder path attributes with created and accessed dates/times and all folder ID data.

Download LNK Parser

6. LNK File Previewer

LNK File Previewer is a freeware version of the tool taken from the commercial Simple Carver Suite forensic software. The program is a bit old now, dating from 2008, but seems to work fine. One minor issue is that all files inside a folder are shown in the user interface, and any that are not .LNK shortcuts will just show as an invalid file. LNK File Previewer is portable but comes in a RAR archive so you will need something like 7-Zip or WinRAR to unpack it.

To read the data for all shortcuts in a folder go to Process > Folder and find the target location. Before that, optionally uncheck Recurse Sub-Folders at the bottom of the window to not go down layers looking for files. The amount of data shown is not as much as some tools but you still get useful details like MAC address, computer name, network path, hard disk type, serial and name, and a few useful dates. Clicking on an entry shows the basic details below. All the information for all processed files can be exported to a CSV file.

Download LNK File Previewer

Tip: If one of the command line tools provides you with better information but you don’t really like using the Command Prompt every time to use it, there is a simple solution. Create a small batch file and drop the shortcut onto the .BAT file icon. As an added option open the results automatically in Notepad. For example, using Lnkanalyser you can create something like this:

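@echo off
rem Parse the shortcut dropped onto this file and write the report to TEMP
lnkanalyser -i "%~1" > "%temp%\lnkfile.txt"
rem Open the report in Notepad
notepad "%temp%\lnkfile.txt"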

Save the file as batchname.BAT and drop a shortcut onto it. The results will be output to lnkfile.txt in the TEMP folder and then Notepad will open the text file. You can of course send the results to a CSV or HTML file within the program instead of opening Notepad. Simple but effective.
