This works because a symbolic link (a Windows .lnk shortcut file) can launch the command line (cmd.exe) with no restriction on the parameters passed to it.
Figure 1 - The execution process of the symbolic link
The batch file executes without any problem and generates the VBS (Visual Basic Script) malware downloader, which finally delivers the malware to the compromised computer.
But let's take a closer look at the malicious symbolic link first.
As shown in figure 2.1, in order to copy itself and execute the new batch file (poc.bat), the symbolic link's target is the Windows command line:
%windir%\system32\cmd.exe /c copy note.txt.lnk %tmp%\poc.bat & start %tmp%\poc.bat & exit
Figure 2.1 - The properties of the symbolic link
Figure 2.2 - The properties of the symbolic link
The "Start in" field must be left empty so that the command line always starts in the directory from which the symbolic link is executed (figure 2.2); otherwise the file copy will fail.
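A defender-side check for the shortcut described above, added here as an example and not part of the original post: it reads the StringData section of a .lnk file (layout per the MS-SHLLINK specification) and flags arguments like the ones shown. The function names, the three heuristics and the sample bytes are constructed for illustration; the target path itself, which is stored in the ID list or extra data blocks, is not decoded.

```python
import re
import struct

# LinkFlags bits and header constants from the MS-SHLLINK specification.
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Heuristics chosen for this example (assumptions, not a vendor rule set).
RULES = [(r"^\s*/c\b", "arguments start with /c"),
         (r"\bcopy\s+\S+\.lnk\s+\S+\.(bat|cmd|vbs|js|ps1)\b", "copies a .lnk to a script file"),
         (r"&\s*start\b", "chains a start command with &")]

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (arguments, working_dir, ...) of a .lnk."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != CLSID:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76
    if flags & HAS_IDLIST:      # 2-byte size, then the ID list itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:    # 4-byte size that includes the size field
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            raw = data[off + 2: off + 2 + count * width]
            if len(raw) != count * width:
                raise ValueError("truncated StringData")
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            off += 2 + count * width
    return fields

def suspicious_reasons(fields: dict) -> list:
    """List which heuristics the shortcut's ARGUMENTS string matches."""
    args = fields.get("arguments", "")
    return [why for pattern, why in RULES if re.search(pattern, args, re.I)]

def constructed_sample(arguments: str) -> bytes:
    """Constructed fixture: header plus ARGUMENTS only, not a usable shortcut."""
    header = struct.pack("<I16sI", 0x4C, CLSID, IS_UNICODE | 0x20) + bytes(52)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

SAMPLE_ARGS = r"/c copy note.txt.lnk %tmp%\poc.bat & start %tmp%\poc.bat & exit"
if __name__ == "__main__":
    print(suspicious_reasons(parse_lnk_strings(constructed_sample(SAMPLE_ARGS))))
```

On real files, pass the bytes of each .lnk found in mail attachments or download folders to parse_lnk_strings and review anything suspicious_reasons returns.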
Figure 3 - Symbolic link opened with Notepad++
In this simple proof of concept (figure 3), the malicious symbolic link only downloads a text file from vipersec. The only disadvantage is that malicious symbolic links generated in Windows 7 and above do not work in Windows XP, and vice versa.
You can download the proof of concept to test it yourself if you wish. Make sure that you unzip the files first. There are two versions:
Windows 7, 8, 10: Windows7plus_poc.zip
Windows XP: WindowsXP_poc.zip
Continue to the 2nd part. Feedback and comments are always welcome.