Script: Unhide Network Drive Folders

There is an infection going around that hides all folders on a network drive and sets them as system folders. Here is a script I wrote that will remove the hidden and system attributes from all folders/files in a directory you specify.
It uses the “attrib -h -s” command and does not recurse into subdirectories.

For complete removal of the infection, naturally scan all machines. Remove any rogue autorun.inf files and rogue .exe files on the network drive.

Download: UnhideNetworkDriveFolders.v1.zip

I haven’t tested it on all system setups, and it naturally comes with no warranty.

Update 3/22/2013

This script can only be run against a folder (C:/Production/Shared), not against an actual mapped drive (S:/), at this time.

Update 3/27/2013

Here is a quick list of things to check regarding cleaning up the infection/worm.

  • Scan all PCs with Malwarebytes
    • Clean up the startup items
    • Clean up any rogue exe files located in
      • C:\User\%Username%
      • C:\User\%Username%\AppData
      • C:\User\%Username%\AppData\Roaming
    • Find the process the infection is running under. Example: jjhhgg.exe
  • Network drives, flash drives, external hard drives
    • Delete all *.exe files that mimic a folder and have a folder's name
    • Delete autorun.inf
    • Delete x.mpg
    • Delete anything else odd: rogue .exe files, photo files with .exe extensions
    • CMD Prompt, browse to the folder and run
      • attrib -h -s
      • Note this only unhides files, not folders.
    • CMD Prompt, browse to the folder and run
      • FOR /F "tokens=*" %i IN ('DIR /A:D /b') do attrib -h -s "%i"
      • Note this only unhides folders. Make sure to include the quotation marks.
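
The manual checks in the list above, as an added PowerShell example that is not the downloadable script from this post: it audits one folder without recursing, reports entries with both Hidden and System set, .exe files named like a folder, and the autorun.inf / x.mpg files named in the list, and clears the two attributes only when -Fix is given. The parameter and variable names are hypothetical.

```powershell
# Added example, not the script offered for download in this post.
# Audits ONE folder (no recursion, like the attrib commands above).
# Nothing is deleted; findings are printed for manual review.
param(
    [Parameter(Mandatory = $true)][string]$Path,   # folder to audit (hypothetical parameter)
    [switch]$Fix                                   # clear Hidden+System on flagged entries
)

$mask = [System.IO.FileAttributes]'Hidden, System'

# -Force makes Get-ChildItem return hidden and system entries too.
$items = @(Get-ChildItem -LiteralPath $Path -Force)
$dirs  = @($items | Where-Object { $_.PSIsContainer })
$files = @($items | Where-Object { -not $_.PSIsContainer })

# Entries carrying BOTH Hidden and System, the state the infection leaves behind.
$flagged = @($items | Where-Object { ($_.Attributes -band $mask) -eq $mask })

# .exe files whose base name equals the name of a folder in the same directory.
$dirNames = @($dirs | ForEach-Object { $_.Name })
$mimics = @($files | Where-Object { $_.Extension -ieq '.exe' -and $dirNames -contains $_.BaseName })

# Files the checklist names explicitly.
$named = @($files | Where-Object { 'autorun.inf', 'x.mpg' -contains $_.Name })

$report = @(
    $flagged | Select-Object @{ n = 'Finding'; e = { 'Hidden+System set' } }, Name
    $mimics  | Select-Object @{ n = 'Finding'; e = { 'EXE named like a folder' } }, Name
    $named   | Select-Object @{ n = 'Finding'; e = { 'Named in checklist' } }, Name
)
$report | Format-Table -AutoSize

if ($Fix) {
    foreach ($item in $flagged) {
        # Clear only the Hidden and System bits; ReadOnly, Archive etc. are kept.
        # Like attrib -h -s, this also unhides legitimate files such as desktop.ini.
        $cleared = [int]$item.Attributes -band (-bnot [int]$mask)
        $item.Attributes = [System.IO.FileAttributes]$cleared
    }
    Write-Output ("Cleared Hidden+System on {0} entries in {1}" -f $flagged.Count, $Path)
}
```

Run it once without -Fix to review the findings, then again with -Fix after the rogue files have been dealt with.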

 

  • Aaron

    Any resolution found for this? We are having the same issue. Is it a specific piece of malware you have identified?

    • TheBox193

      There are a couple of variants that are out there, from what I can tell it is most likely the W32.Changeup