Windows Thread, All files on a share become hidden - anyone seen this? in Technical; We have been struggling with this on and off for the last week or so. The first time it was ...
16th February 2013, 11:26 PM #16
- Rep Power
We have been struggling with this on and off for the last week or so. The first time it was noticed on a relatively open network share, so we just assumed that a user had inadvertantly made the changes. After the second time we set about investigating it, and quickly found the files that the shortcuts were opening along with the "legitimate" target.
I think a good starting point is to do a full scan of whatever directory is storing the suspect infected files (not the shorcuts, but the "bonus" files these shortcuts are pointing to). They are usually marked as hidden and system files, so you will need to "show hidden" and "not hide system files" to see them. For us, there were half a dozen suspect files in these directories, all created at the same time. If scans of these folders come up clean (ours initially did), submit samples to your AV provider. For any Sophos users, thats here - www.sophos.com/support/samples. For us, this got the files in question classified and within 30 minutes we had IDE updates that could detect and remove it.
In addition to updating and scanning both servers and end devices, we started running a handy tool from Sophos called Sophos Source of Infection Tool, which gives names, timestamps and IP addresses of files being writted to specified directories. Running this on network fileshares helped us identify and clear infected hosts.
Last edited by mistersparky; 16th February 2013 at 11:28 PM.
IDG Tech News
17th February 2013, 09:31 AM #17
- Rep Power
We have had this virus. It is spread by memory sticks. First, you need to break the cycle of infection by disabling memory sticks otherwise it just keeps reinfecting every time someone plugs one in. The virus copies two files to the root of a share, if I remember correctly one was an autorun file and other had a random name with exe extension but looked like an msdos logo. You need to delete these from the drives, and depending on how you have set permissions up, it could be everywhere. You may see them pop straight back in there, this is the reinfection and you can look at the file properties to identify who created it and deal with those computers separately. To make your files visible again you need to open a cmd prompt to the folder which is hidden and enter the following command:
attrib -h -r -s i:\*.* /s /d
This is taken from this website but there is also a tool to help with this mentioned on the site. I didn't use that. You will need to change the drive letter and path of the command. It was a bit of experimenting but I got there in the end.
I hope this helps.
17th February 2013, 09:40 AM #18
Those affected might want to look in the netlogon share as we found that it affected there aswell as one of our other shares!
By stevenwba in forum AV and Multimedia Related
Last Post: 27th November 2010, 08:48 PM
Last Post: 26th November 2009, 08:29 PM
By mattx in forum General Chat
Last Post: 5th March 2008, 02:05 PM
By Midget in forum Scripts
Last Post: 23rd January 2007, 02:10 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)