This is possible thanks to a component called DiskSpread

Aug 29, 2012 14:36 GMT

Shylock, the Shakespearean-named banking Trojan, is making the rounds once again and, according to researchers from Symantec, it relies on some clever tricks to avoid detection by antivirus solutions.

The latest variants of the Trojan rely on social engineering tricks in order to spread, but they also come with a polymorphic packer that helps them evade detection.

One of the most curious components of Shylock is called DiskSpread, which lets the Trojan propagate via shared network folders and removable drives. This component searches the reachable volumes for various types of documents and executable files.

It then creates a copy of each file it finds and marks the copy with the hidden and system attributes, so it no longer appears in a default Explorer view. The original is replaced with a shortcut (.lnk) file bearing the same name; because Explorer hides the .lnk extension by default, the decoy looks exactly like the document or program it replaced. When the victim double-clicks the shortcut, the genuine file is launched, but a component called Loader ensures that the malicious code is executed in the same step, so the user sees nothing out of the ordinary.

If you are a victim of Shylock, you should know that your files are not lost for good, they are simply hidden. Once you have cleaned the Trojan off the device (and only then, or it will simply hide them again), you can restore them by clearing the hidden and system attributes and deleting the decoy shortcuts.
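The following PowerShell script is an added example for triaging and recovering a drive affected by the technique described above; it is not code from the article or from Symantec. It assumes the pairing the article describes (a hidden+system file sitting next to a .lnk of the same name), that the Trojan itself has already been removed, and the hypothetical parameters $Root and -Restore. It reads each decoy's real target and arguments through the standard WScript.Shell COM object, so you can see what the shortcut would actually launch before deciding to clean it up.

```powershell
# Added example, not from the original article. Finds files that a
# DiskSpread-style worm has hidden and shadowed with same-name .lnk decoys,
# reports what each decoy really launches, and optionally restores the originals.
# Assumptions: Windows host, Trojan already removed, $Root and -Restore are
# hypothetical parameters chosen for this example.
param(
    [string]$Root = 'E:\',   # removable drive or share to triage (assumed path)
    [switch]$Restore         # clear the added attributes and delete the decoys
)

$shell = New-Object -ComObject WScript.Shell

# Candidates: files carrying BOTH the Hidden and System attributes.
# Legitimate hidden+system files (desktop.ini, Thumbs.db) have no matching
# decoy, so the pairing check below keeps them out of the results.
$hidden = Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        ($_.Attributes -band [IO.FileAttributes]::System)
    }

foreach ($f in $hidden) {
    # Explorer hides the .lnk extension, so either "report.docx.lnk" or
    # "report.lnk" would display as the original name; check both forms.
    $decoys = @(
        (Join-Path $f.DirectoryName ($f.Name + '.lnk')),
        (Join-Path $f.DirectoryName ($f.BaseName + '.lnk'))
    ) | Where-Object { Test-Path -LiteralPath $_ }

    foreach ($decoy in $decoys) {
        $lnk = $shell.CreateShortcut($decoy)
        [PSCustomObject]@{
            Hidden    = $f.FullName
            Decoy     = $decoy
            Target    = $lnk.TargetPath   # what really runs on double-click
            Arguments = $lnk.Arguments    # a benign-looking decoy still passes the real file here
        }

        if ($Restore) {
            # Clear only the attributes the worm added; leave ReadOnly/Archive alone.
            $f.Attributes = $f.Attributes -band -bnot ([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
            Remove-Item -LiteralPath $decoy -Force
        }
    }
}
```

Run it without -Restore first and review the Target and Arguments columns: a decoy whose target is not the hidden file itself (for example a loader dropped elsewhere on the drive, with the original document passed as an argument) is exactly the pattern the article describes. Only after the Trojan is gone should -Restore be used, otherwise the files will be hidden again on the next pass.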