Persistent adware that displays unwanted advertisements to computer users can be a nuisance or worse. An example of persistent adware is the new StartPageAdware, which modifies a user's browser settings without permission so that an advertisement is displayed whenever the user opens the browser. Adware of this nature has become a common problem today. Yet, detecting and remediating persistent adware is a challenge for computer security applications (e.g., anti-virus software and the like). Variants of persistent adware change frequently, making its detection very difficult.
One trick used by persistent adware to avoid detection is the use of a folder shortcut. A folder shortcut is a special case of a file shortcut. A file shortcut in Microsoft Windows® is a small file containing a link to a target object or the name of a target program. A shortcut file can also include parameters to be passed to the target upon activation. When a shortcut is selected, the target is invoked. Thus, the shortcut file acts as an alias for the target. A shortcut can be represented by its own icon, which can be placed on a desktop, in an application launcher panel such as the Windows start menu, or in the main menu of a desktop environment.
A folder shortcut is, as its name indicates, a shortcut that uses a folder as the alias for its target. In current versions of Windows, a folder shortcut is implemented as a folder containing two files: target.lnk and desktop.ini. The target.lnk file contains the target of the folder shortcut. As with any shortcut, this can be in the form of the name of an executable file (or a script or the like) to launch when the shortcut is selected, with parameters to pass to the executable. A desktop.ini file is a text file used by Windows to customize the appearance and behavior of the folder in which it resides. In the case of a folder shortcut, desktop.ini contains some special values that configure the folder to act as a folder shortcut. From outside of an Explorer-based browsing mechanism, such a folder simply looks like a standard folder containing the target.lnk and desktop.ini files. The folder and its contents can be seen from outside of Explorer, but in that context the folder does not act as an alias to the target specified in target.lnk. However, when accessed from Explorer, a folder configured in this manner acts as an alias for the target specified in target.lnk. In other words, the customized folder becomes a shortcut to the target.
As noted above, persistent adware can use a folder shortcut to avoid detection and removal. To do so, the adware can create a folder shortcut in which the target results in the display of an unwanted advertisement, and then trick the user into activating the shortcut. For example, the adware can create a folder shortcut that activates a legitimate web browser but passes it the URL of an advertisement. The adware then replaces the icon of the folder shortcut with the icon of the browser, so that when the user activates the browser the advertisement is displayed instead of the user's homepage. A folder shortcut can be used by other types of malware to display or run undesirable content other than advertisements, for example to display a phishing site or to launch a malicious program such as a computer virus. In any case, the adware or other malicious party can frequently change the specific folder used as the shortcut and/or its target. Furthermore, when accessed from outside of Explorer, the folder does not act as a shortcut, but simply appears to be a folder containing a few files. These factors make it difficult to detect and disable malicious programs, such as adware, that use folder shortcuts.
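The folder layout described above can be checked for from outside Explorer, where the folder appears as an ordinary directory. The following is an added example, not part of the original text: a Python scan that reports folders holding both target.lnk and desktop.ini. It assumes that the "special values" in desktop.ini are the Windows Folder Shortcut class identifier given through CLSID2 (a known Windows value that the text does not quote), and the URL check on target.lnk is a raw byte heuristic rather than a parse of the shortcut format. The function names and the sample data are constructed for illustration.

```python
import os

# Folder Shortcut shell class id that desktop.ini names through CLSID2.
# Assumption: known Windows value, not quoted in the text above.
FOLDER_SHORTCUT_CLSID = "{0AFACED1-E828-11D1-9187-B532F1E9575D}"

def read_ini_text(path):
    """Decode desktop.ini, which may be UTF-16 with a BOM or an ANSI code page."""
    with open(path, "rb") as f:
        raw = f.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("latin-1")

def lnk_mentions_url(path):
    """Heuristic: find http(s):// in the raw .lnk bytes, ANSI or UTF-16LE."""
    with open(path, "rb") as f:
        raw = f.read().lower()
    return any(s.encode(enc) in raw
               for s in ("http://", "https://") for enc in ("ascii", "utf-16-le"))

def find_folder_shortcuts(root):
    """Return one finding per folder holding both target.lnk and desktop.ini."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}
        if "target.lnk" not in names or "desktop.ini" not in names:
            continue
        ini = read_ini_text(os.path.join(dirpath, names["desktop.ini"]))
        lnk = os.path.join(dirpath, names["target.lnk"])
        findings.append({"folder": dirpath,
                         "clsid_match": FOLDER_SHORTCUT_CLSID.lower() in ini.lower(),
                         "url_in_target": lnk_mentions_url(lnk)})
    return findings

def build_sample(root):
    """Constructed test data: one folder-shortcut layout and one ordinary folder."""
    fake = os.path.join(root, "Browser")
    os.makedirs(fake)
    os.makedirs(os.path.join(root, "Documents"))
    with open(os.path.join(fake, "desktop.ini"), "w", encoding="utf-16") as f:
        f.write("[.ShellClassInfo]\nCLSID2=" + FOLDER_SHORTCUT_CLSID + "\nFlags=2\n")
    with open(os.path.join(fake, "target.lnk"), "wb") as f:  # placeholder bytes, not a valid .lnk
        f.write(b"L\x00\x00\x00" + "http://ads.example/".encode("utf-16-le"))
    return fake

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in find_folder_shortcuts(tmp):
            print(finding)
```

A folder that matches on layout and class identifier is a folder shortcut; whether it is malicious still depends on its target, which is why the target.lnk finding is reported separately.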
It would be desirable to address these issues.