We have been struggling with this on and off for the last week or so. The first time it was noticed on a relatively open network share, so we just assumed that a user had inadvertently made the changes. After the second time we set about investigating it, and quickly found the files that the shortcuts were opening along with the "legitimate" target.
I think a good starting point is to do a full scan of whatever directory is storing the suspect infected files (not the shortcuts, but the "bonus" files these shortcuts are pointing to). They are usually marked as hidden and system files, so you will need to "show hidden" and "not hide system files" to see them. For us, there were half a dozen suspect files in these directories, all created at the same time. If scans of these folders come up clean (ours initially did), submit samples to your AV provider. For any Sophos users, that's here - www.sophos.com/support/samples. For us, this got the files in question classified and within 30 minutes we had IDE updates that could detect and remove it.
In addition to updating and scanning both servers and end devices, we started running a handy tool from Sophos called Sophos Source of Infection Tool, which gives names, timestamps and IP addresses of files being written to specified directories. Running this on network fileshares helped us identify and clear infected hosts.
Last edited by mistersparky; 16th February 2013 at 11:28 PM.
We have had this virus. It is spread by memory sticks. First, you need to break the cycle of infection by disabling memory sticks, otherwise it just keeps reinfecting every time someone plugs one in. The virus copies two files to the root of a share; if I remember correctly one was an autorun file and the other had a random name with an exe extension but looked like an MS-DOS logo. You need to delete these from the drives, and depending on how you have set permissions up, it could be everywhere. You may see them pop straight back in there; this is the reinfection, and you can look at the file properties to identify who created it and deal with those computers separately. To make your files visible again you need to open a cmd prompt to the folder which is hidden and enter the following command:
attrib -h -r -s i:\*.* /s /d
This is taken from this website, but there is also a tool to help with this mentioned on the site. I didn't use that. You will need to change the drive letter and path of the command. It was a bit of experimenting, but I got there in the end.
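An added triage script for the steps described in both posts above (listing the hidden+system files on the share root with their creation times and owners, and resolving what the root-level shortcuts actually launch). It is not from either poster; $ShareRoot is a placeholder you change to the share being checked, and it assumes an elevated PowerShell session with read access to the share.

```powershell
# Added example, not from the thread. $ShareRoot is an assumed placeholder.
param(
    [string]$ShareRoot = 'I:\'   # change to the drive letter or UNC path of the share
)

# 1. Hidden + System files in the share root: the "bonus" files the shortcuts point to.
#    -Force makes Get-ChildItem return hidden and system entries.
$hiddenSystem = Get-ChildItem -Path $ShareRoot -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
        $_.Attributes.HasFlag([IO.FileAttributes]::System)
    }

# Sorted by creation time so a batch created at the same moment stands out;
# Owner (from the ACL) is the same "who created it" detail visible in file properties,
# which points you at the machine that wrote the files.
$hiddenSystem |
    Select-Object FullName, Length, CreationTime,
        @{ Name = 'Owner'; Expression = { (Get-Acl -LiteralPath $_.FullName).Owner } } |
    Sort-Object CreationTime |
    Format-Table -AutoSize

# 2. Shortcuts in the share root and what they really run. A shortcut whose target
#    is one of the hidden files above, with the "legitimate" document passed as an
#    argument, matches the behaviour described in the thread.
$wsh = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $ShareRoot -Filter '*.lnk' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $wsh.CreateShortcut($_.FullName)   # reads the .lnk; does not launch it
        [pscustomobject]@{
            Shortcut  = $_.Name
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
            Created   = $_.CreationTime
        }
    } | Format-Table -AutoSize
```

Review the first listing before running the attrib command from the post above: attrib -h -r -s with /s /d strips the attributes from every file under the path, legitimate hidden files such as desktop.ini included, so it is worth knowing what is there first.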