
Network drive now shows folders as shortcuts.


3 replies to this topic

#1 poyer

poyer

  • Members
  • 4 posts

Posted 31 August 2016 - 04:37 AM

Hello Bleeping Computer!

 

A relative has a problem with his network share (synology).

He uses Windows 7 as OS and other PCs have Windows 7 and 10.

After opening an infected email (I guess, he removed the email already so I never saw it), all folders in this network share are turned into shortcuts.

When looking at the properties of one of these shortcuts it says in target: %windir%\system32\cmd.exe /c start mydisk\drivers.exe "\'name of folder'

Of course clicking on these shortcuts doesn't open the folders.

The problem is that all computers with this network share see the shortcuts and not the original folders.

When I go to the Synology via the browser, all the folders seem to be normal in the Synology OS.

I already scanned with adwcleaner, malwarebytes, combofix and Gdata on some computers. All to no avail.

Is this something you've encountered before?

Also malwarebytes deleted an item which was called AL.exe that was created the same day as the opening of the infected email.

Already deleted this but the problem still remains.

 

(Update): I already tried system restore. The problem stays the same.

I also tried to make a new shared folder on the Synology, copying everything to the new folder (I did this in the Synology OS).

Then from one PC I opened up the new shared folder and for an instant I saw the folders as normal; the next moment they were all turned into lnk files.

The files are also turned into lnk files. I am now trying to download the content of the folder via the browser on the Synology OS.

I hope the content of this zip file has the normal folders so I can reset the Synology and try again with a new shared folder and copying back all the data.

Here is a print screen of the folder with the properties of one folder open.

https://s17.postimg.org/k2nq9owm7/shortcut.jpg

 

Any help would be appreciated!

Thank you in advance.


Edited by poyer, 31 August 2016 - 08:40 AM.



 


#2 Sebastian1234

Sebastian1234

  • Members
  • 1 posts

Posted 31 August 2016 - 12:30 PM

I saw this particular piece of malware this evening where I work.

 

The files should still be there and are marked by the malware as hidden system files.

 

It seems the malware:

  1. Only modifies one level into a filetree.
  2. Adds the myDisk\drivers.exe in that level.
  3. Marks all existing files and folders as system files.
  4. Creates .lnk links to all the folders and files in that level of the file tree that call: cmd.exe + myDisk\drivers.exe + original file/directory.

If you modify the settings of Explorer to show hidden system files they should still show up.

You can then change the properties of each file and folder to remove the System attribute.

 

In my case the files all seemed to be there and were not modified other than the file attribute change.

But I have not researched this further to be absolutely certain that the files were not modified in other ways, so be careful.

 

Also, if you have opened the links, the drivers.exe will have done its work and may have infected the computer, but this is an assumption as I also have not researched this further.


Edited by Sebastian1234, 31 August 2016 - 12:34 PM.


#3 poyer

poyer
  • Topic Starter

  • Members
  • 4 posts

Posted 31 August 2016 - 01:02 PM

Thank you for this quick response!  I will try this first thing in the morning.

I will post back after with results.



#4 poyer

poyer
  • Topic Starter

  • Members
  • 4 posts

Posted 31 August 2016 - 03:29 PM

You were right! All of them hidden with system attributes.

Also some files are created by this "malware" on the network share in question: one autorun.inf and a folder mydrive with the file drivers.exe in it. This file seems to be malware named ransom.cerber.

I ran an attrib -h -s -a * /s /d after deletion of all these files and everything seems to be in working order now.

 

Thanks again for the quick reply!
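
The cleanup discussed in posts #2 and #4, as an added PowerShell example that is not part of the original thread: it audits one folder level for shortcuts that launch cmd.exe with the reported payload name, pairs each with its hidden+system original, and un-hides only those originals instead of running attrib over the whole tree. The parameter names, the "<original name>.lnk" naming and the PowerShell 3.0 requirement are assumptions.

```powershell
#Requires -Version 3
# Added example: report-only by default; -Repair removes matched shortcuts
# and un-hides their originals. Parameter names and defaults are assumptions.
param(
    [Parameter(Mandatory)][string]$Path,    # one folder level of the share
    [string]$PayloadName = 'drivers.exe',   # file name reported in the thread
    [switch]$Repair
)

$shell = New-Object -ComObject WScript.Shell
$hiddenSystem = [IO.FileAttributes]'Hidden, System'

# -Force is needed, otherwise hidden/system items are not listed at all.
$items = @(Get-ChildItem -LiteralPath $Path -Force)

foreach ($lnk in $items | Where-Object { $_.Extension -eq '.lnk' }) {
    # Read the shortcut's target without launching it.
    $sc = $shell.CreateShortcut($lnk.FullName)
    $suspicious = $sc.TargetPath -match '\\cmd\.exe$' -and
                  $sc.Arguments -match [regex]::Escape($PayloadName)
    if (-not $suspicious) { continue }

    # Assumption: the shortcut is named "<original name>.lnk".
    $orig = $items | Where-Object { $_.Name -eq $lnk.BaseName } | Select-Object -First 1
    $paired = $orig -and (($orig.Attributes -band $hiddenSystem) -eq $hiddenSystem)

    $action = 'report only'
    if (-not $paired) {
        $action = 'no hidden+system original found, review manually'
    } elseif ($Repair) {
        Remove-Item -LiteralPath $lnk.FullName -Force
        # Clear only Hidden and System; keep every other attribute bit.
        $bits = [int]$orig.Attributes -band (-bnot [int]$hiddenSystem)
        if ($bits -eq 0) { $bits = [int][IO.FileAttributes]::Normal }
        $orig.Attributes = [IO.FileAttributes]$bits
        $action = 'shortcut removed, original un-hidden'
    }

    [pscustomobject]@{
        Shortcut  = $lnk.Name
        Arguments = $sc.Arguments
        Original  = if ($orig) { $orig.Name } else { $null }
        Action    = $action
    }
}
```

Run it without -Repair first and review the output. It leaves the payload file and autorun.inf mentioned in the thread in place, and it leaves untouched any hidden system files that have no matching shortcut.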





