Recovering from the Windows Shortcut Icon Loading Vulnerability

You know you have the Windows Shortcut Icon Loading Vulnerability when your directories appear to be replaced by shortcuts and your data appears to have disappeared. The data is not gone; malicious code has hidden your directories and set them to read-only. Here's how to get back to normal.

If your Windows installation is up to date on its patches, then way back in August 2010 you received an update to protect your computer from this vulnerability. For this reason, the steps below presume that the problem appears on a removable, writable device such as a USB stick or external hard drive, and that your computer is protected from infection.

First, scan the removable device with a reputable antivirus. Once clean, repeat the scan to ensure that all malware has been removed. I have confirmed that F-Prot detects and eliminates the responsible malware, and that McAfee and Windows Defender do not.

By default, Windows Explorer hides files and directories that carry the hidden attribute. Follow these instructions to reveal your newly hidden data. Once shown, hidden directories appear translucent, which distinguishes them from non-hidden items.

Delete all shortcuts. The malware only affects the device root, so drilling down into nested directories is not necessary.

Each hidden directory has been set to read-only, and the malware apparently damages the device's filesystem such that this attribute cannot be cleared. The quick-'n-dirty solution is to create a new directory, copy the original directory's contents into it, delete the original directory, and rename the new directory to match the old.

Repeat the previous paragraph for all hidden directories on the device.

You will notice that the new directories likewise appear to be read-only, but in fact are writable. I suspect that the malware damages the filesystem to produce this apparent result. For this reason you might find my quick-'n-dirty solution to be inadequate and prefer to reformat the device.

When finished, you may want to return Windows to its default setting of hiding certain data by reversing the relevant instructions above.
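The procedure above, as an added PowerShell script that is not part of the original post. It assumes the device has already been scanned and cleaned, that it is mounted at the drive letter in `$Drive` (an assumed value; adjust it), and that Windows PowerShell 3.0 or later is used. The script lists the root including hidden entries (so the Explorer setting is not needed for this step), removes the root-level .lnk shortcuts, tries to clear the Hidden, System and ReadOnly attributes on each hidden directory, falls back to the copy/delete/rename workaround for directories that stay read-only (with a file-count check before anything is deleted), and finishes with a write probe so you can see whether a directory that still looks read-only actually accepts writes. `$DryRun` is on by default, so the script only reports until you set it to `$false`.

```powershell
# Added example for this post (not the author's own script). Assumptions:
# the device has already been scanned and cleaned, it is mounted at $Drive,
# and the script runs in Windows PowerShell 3.0 or later.
$Drive  = 'E:\'     # assumed drive letter of the removable device; adjust
$DryRun = $true     # $true only reports; set to $false to make changes

# 1. Inventory the root with -Force so Hidden/System entries are listed even
#    if Explorer is still configured to hide them.
Write-Host "Contents of $Drive (including hidden entries):"
Get-ChildItem -LiteralPath $Drive -Force |
    Format-Table Name, Attributes, Length -AutoSize

# 2. Remove the .lnk shortcuts dropped in the root. Only the root is touched,
#    as the post notes that nested directories are not affected.
Get-ChildItem -LiteralPath $Drive -Force -File -Filter '*.lnk' |
    Remove-Item -WhatIf:$DryRun

# 3. For each hidden directory, try to clear the attributes the malware set.
$clearMask = [int]([IO.FileAttributes]::Hidden) -bor
             [int]([IO.FileAttributes]::System) -bor
             [int]([IO.FileAttributes]::ReadOnly)

$stillReadOnly = @()
$hiddenDirs = Get-ChildItem -LiteralPath $Drive -Force -Directory |
    Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) }

foreach ($dir in $hiddenDirs) {
    if (-not $DryRun) {
        try {
            $dir.Attributes = [IO.FileAttributes]([int]$dir.Attributes -band -bnot $clearMask)
            $dir.Refresh()
        } catch {
            Write-Warning "Could not clear attributes on $($dir.FullName): $_"
        }
    }
    if ($dir.Attributes.HasFlag([IO.FileAttributes]::ReadOnly)) {
        Write-Host "$($dir.Name) is still read-only; will rebuild it."
        $stillReadOnly += $dir
    } else {
        Write-Host "$($dir.Name): attributes cleared, no rebuild needed."
    }
}

# 4. The post's copy / delete / rename workaround, with a file-count check
#    before the original directory is deleted.
function Get-FileCount([string]$Path) {
    (Get-ChildItem -LiteralPath $Path -Recurse -Force -File | Measure-Object).Count
}

foreach ($dir in $stillReadOnly) {
    $tmp = Join-Path $Drive ($dir.Name + '.recovered')
    New-Item -ItemType Directory -Path $tmp -WhatIf:$DryRun | Out-Null
    # Copy everything, hidden files included, into the fresh directory.
    Get-ChildItem -LiteralPath $dir.FullName -Force |
        Copy-Item -Destination $tmp -Recurse -Force -WhatIf:$DryRun
    if ($DryRun) { continue }
    if ((Get-FileCount $tmp) -ne (Get-FileCount $dir.FullName)) {
        Write-Warning "File count mismatch for $($dir.Name); original left in place."
        continue
    }
    Remove-Item -LiteralPath $dir.FullName -Recurse -Force
    Rename-Item -LiteralPath $tmp -NewName $dir.Name
}

# 5. Confirm each rebuilt directory is actually writable, whatever the
#    Properties dialog shows: create and then remove a probe file.
function Test-DirectoryWritable([string]$Path) {
    $probe = Join-Path $Path ('.writetest-' + [guid]::NewGuid().ToString('N'))
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

if (-not $DryRun) {
    foreach ($dir in $stillReadOnly) {
        $rebuilt = Join-Path $Drive $dir.Name
        Write-Host ("{0}: writable = {1}" -f $dir.Name, (Test-DirectoryWritable $rebuilt))
    }
}
```

Run it once with `$DryRun = $true` and read the listing and the `-WhatIf` output; the only things that should be scheduled for deletion are .lnk files in the root and, later, directories whose contents have been copied and counted. If the attribute clearing in step 3 succeeds on your device, step 4 has nothing to do and the original directories are kept as they are.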

The CPL Icon Loading Vulnerability provides excellent technical background on the cause of the problem.


About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?