Worm:Win32/Shetram!lnk: What It Means and How to Remove It

by Wilbur Woodham
May 13, 2026

Worm:Win32/Shetram!lnk is commonly associated with shortcut-based worm behavior. Check removable drives, startup entries, and recreated .lnk files.

Worm:Win32/Shetram!lnk is a Microsoft Defender detection that points to worm-like shortcut activity. The .lnk part matters: this type of infection often uses Windows shortcut files, removable drives, startup locations, or scripts to spread and relaunch itself.

What is Worm:Win32/Shetram!lnk?

Shetram is detected as a worm, which means the threat may try to copy itself, create deceptive shortcut files, or run from removable media. The visible file may be only a shortcut that starts a hidden script or executable. That is why deleting one shortcut does not always stop the infection.

Pay close attention to the detected path. If Defender reports a USB drive, shared folder, Startup folder, or a shortcut that points to a hidden executable, clean both the computer and the removable media.

Common signs

  • Files on a USB drive become shortcuts.
  • Hidden folders or scripts appear on removable media.
  • Defender detects Shetram after opening a flash drive.
  • Unknown startup entries launch scripts, shortcuts, or files from AppData/Temp.
  • The same .lnk files return after deletion.

How it spreads

Shortcut worms often spread through USB drives, shared folders, archives, and infected installers. A user clicks a shortcut that looks like a normal folder or document; the shortcut launches a hidden payload and may also open the expected folder to make the action look normal.

If you use the same USB drive on several computers, do not reconnect it to clean systems until it has been scanned and cleaned.

Manual verification checklist

  1. Open Windows Security – Protection history and copy the detected path.
  2. If the path is on a USB drive, disconnect the drive after noting the letter.
  3. In File Explorer, enable hidden items and file extensions.
  4. Check Startup apps and Task Scheduler for suspicious scripts or shortcut launches.
  5. Inspect the target of suspicious .lnk files before opening them.
  6. Scan all removable drives that were connected recently.

How to remove Worm:Win32/Shetram!lnk

  1. Let Microsoft Defender quarantine detected files.
  2. Disconnect removable drives and scan them one at a time.
  3. Delete malicious shortcut files and the hidden payloads they point to.
  4. Remove suspicious startup entries, scheduled tasks, and scripts.
  5. Run a full scan, then restart Windows.
  6. Reconnect the USB drive only after it scans clean.
  7. After cleanup, check that shortcuts and hidden files are not recreated.

FAQ

Why did my files turn into shortcuts?

Shortcut worms often hide real files and create .lnk files that launch malware. Do not open the shortcuts until the drive is scanned.

Can Shetram spread through USB drives?

Yes. Treat recently used removable drives as potentially infected and scan them before using them on another computer.

Is deleting the .lnk file enough?

No. You also need to remove the hidden payload, startup entries, scheduled tasks, and infected removable media.

About the author

Wilbur Woodham

Technical writer covering malware detections, unwanted programs, and browser-based threats. Wilbur turns research notes into step-by-step guides that Windows users can follow safely.

View all posts

Leave a Comment