There are some torrrents showing up with .lnkextension (ex: movie.mp3.lnk, tvshow.mkv.lnk…) and automated software (Sonarr, Radarr, Lidarr, qBittorrent RSS Downloader) could pick those torrents (but not import).

These (fake) torrents include a .lnk file that executes a script on your Windows


HOW TO exclude from download on qBittorrent.

  • Go to Options -> Downloads

  • Enable “Exclude file names”

  • Add patterns:

(one by line)

*.mp4.lnk  
*.mp3.lnk  
*.mkv.lnk
*.torrent.lnk 

Or exclude all together: *.lnk


Example on VirusTotal https://www.virustotal.com/gui/file/e74f64df6ebaf3a1b6e3f42591eb6e87d2ac2828eb5a99fd8d3d82c140137fc9/detection

  • Lojcs@lemm.ee
    link
    fedilink
    English
    arrow-up
    5
    ·
    2 months ago

    How is the link file executing malware? Can you put any shell script as the target?

    • LordeMostarda
      link
      fedilink
      English
      arrow-up
      12
      ·
      2 months ago

      I am pretty sure a link file can open cmd/powershell with parameters to execute commands

      • montar@lemmy.ml
        link
        fedilink
        English
        arrow-up
        3
        ·
        2 months ago

        yep! I’ve found out browsing hacking/spamming site and i’ve found something too good to be true, it downloaded archive nested inside other archive and in it was silngle .lnk file leading to “the resource”. Peeking inside i’ve found powershell executing base64 (or base32?) encoded script (it’s got commandline option for that. if you want to ask wtf ask microsoft, and tell me), it dl’d some exe from some site and ran it, site was down alredy.

    • wizardbeard@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      8
      ·
      2 months ago

      You can put the script itself as the link. Shortcut to: powershell -command “Write-Host ‘Gonna pwn your shit’”