[KB6099] Restore folders affected by Win32/Zlader.L malware

• Your ESET product detects Win32/Zlader.L
• Folders on file shares no longer open or trigger threat alerts. Affected folders appear as shortcuts (.lnk files).

Win32/Zlader.L affects network shares. The threat will rename and hide folders, then replace these folders with .lnk files with the same name as the original folder. These folders on file shares will no longer open or trigger threat alerts. 

To restore affected folders, perform the following steps on the server hosting the affected file shares:

1. Check ownership of the shortcut files to identify users who might also be infected. If a user is infected, their workstation should be isolated from the network (it is common to see Win32/PSW.Papras and Win32/PSW.Fareit on these workstations).
    
2. Check the properties on one of the affected shortcut (.lnk) files to identify the presence of a malicious file (see Figure 1-1 for an example). If a malicious file is still on the system, then the file should be removed. You can verify the presence of a malicious file by copying the contents of the Target field and pasting them into a blank Notepad document.
   

   

   Figure 1-1
   Click the image to view larger in new window

3. Show hidden files or folders. After doing so, you will see folders with names in the following format: {12345678-7891-1112-8475-141516451687}. These are your original folders.
   

   

   Figure 1-2
   Click the image to view larger in new window

4. On the first shortcut:
   1. Document the name of the shortcut.
   
   
   1. Check the properties of the shortcut (right-click and select Properties from the context menu). The last {GUID} is the folder (in the Target field) that you need to rename back to the name you documented in step a above. 
   
   
   1. After confirming your folder has been correctly renamed, delete the corresponding shortcut file (we recommend that you send the file to the Recycle Bin).
       
   2. Unhide the hidden files revealed in step 3. To do so, right-click a hidden folder, select Properties from the context menu, select the check box next to Hidden and then click OK. Repeat this step for all hidden files or folders.
       
   3. Repeat these steps for all malicious shortcut files. Note that it is possible that not all shortcuts will be malicious.
       
5. Scan your computer. If you do not have an antivirus solution installed, you can scan your system for free using ESET Online Scanner. Alternatively, you can contact ESET and learn more about trial versions of ESET business products.