W32/Sality Virus – Unhiding the Folders

I am really annoyed with this virus that infected my USB stick and a friend’s PC. It embeds itself in the .EXE (executable) files of the infected system. I am referring to a worm/virus called W32/Sality (as detected by AVAST). I actually prevented it from creating an autorun.inf file on my external drive using the method I have been using to deal with this kind of virus or worm; however, it uses other methods to spread itself. Aside from embedding itself in .EXE files and installing itself into the AUTORUN system of the computer, it creates a mimic of every folder on the current drive. That’s right, it creates a copy with the same name as each folder on the drive and hides all the real folders by setting their attributes to Hidden+System (H+S), making them invisible in Windows Explorer even if you enable the Show Hidden Files and Folders option.

When you view your files on the USB drive, it seems that nothing has happened because all the folders appear in the list, but actually all of them are already the virus. It uses a folder icon to deceive potential victims into double-clicking it. It then executes the malicious code on the system, starts spreading to the other drives it sees, and then opens the real folder so that you will not suspect that something is wrong with your system. W32/Sality is really quite tricky because it combines every possible method of spreading through the system.

What I hate about it is that it can’t be repaired by AVAST, and there is nothing you can do about that, leaving me no choice but to delete the infected .EXE files. Another thing is that since you can’t see the folders in Windows Explorer because of what it did to the file attributes, you need to reset the attributes manually through the command prompt. The problem is that if you have a lot of folders to unhide, it is really painful. That’s why I made a VBS script (with the help of VBSEdit) that recursively changes all the folders on the drive I choose. The script resets the attributes of every folder to zero, which unhides all the folders that the Sality virus hid. If you want to use the VBScript, you can download it here (just don’t forget to rename it to fixfolder.vbs), but I recommend that you don’t run it on your system drive (C:) and that you use it at your own risk. It worked for me, but if something bad happens in any way, related or not to this script, well, don’t blame me. :)

Here’s the code:

' Reset the file attributes of all the folders on a specific drive.
' Change Z: to the drive letter where you want the change to happen.

Option Explicit
Dim cDrive, FSO

cDrive = "Z:"

Set FSO = CreateObject("Scripting.FileSystemObject")
ResetSubFolders FSO.GetFolder(cDrive)
WScript.Echo "Done with fix."

' Recursively clear the Hidden, System and Read-only attributes of every
' subfolder. Folders that cannot be enumerated (for example "Recycled" and
' "System Volume Information", which raise "Permission denied") are reported
' and skipped instead of halting the whole script.
Sub ResetSubFolders(Folder)
    Dim Subfolder
    On Error Resume Next
    For Each Subfolder In Folder.SubFolders
        If Err.Number <> 0 Then
            WScript.Echo "Skipped " & Folder.Path & ": " & Err.Description
            Err.Clear
            Exit Sub
        End If
        Subfolder.Attributes = 0
        If Err.Number <> 0 Then
            WScript.Echo "Could not reset " & Subfolder.Path & ": " & Err.Description
            Err.Clear
        End If
        ResetSubFolders Subfolder
    Next
End Sub
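The script above resets every folder on the drive. As an added example (it is not part of the original post or of the fixfolder.vbs download), the Python script below does the complementary triage step: it looks for the decoy pattern described above, a Hidden+System folder sitting next to an executable with the same base name, so you can see which files are the fakes before deleting anything. The sample listing is constructed, and `scan_directory` relies on `st_file_attributes`, which Python exposes only on Windows; on other platforms every entry reads as attributes 0 and nothing is flagged.

```python
"""Spot folder/executable decoy pairs (added example, not the post's script)."""
import os
import stat
import sys
from dataclasses import dataclass

# Folders the worm hides carry both of these bits (Read-only may be set as well).
HIDDEN_SYSTEM = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
DECOY_EXTENSIONS = (".exe", ".scr")


@dataclass(frozen=True)
class Entry:
    """One directory entry; attributes are Windows FILE_ATTRIBUTE_* bits."""
    name: str
    is_dir: bool
    attributes: int


def is_hidden_system(entry: Entry) -> bool:
    """True when both Hidden and System are set, which Explorer never shows."""
    return entry.attributes & HIDDEN_SYSTEM == HIDDEN_SYSTEM


def find_mimic_pairs(entries):
    """Return (folder, decoy) pairs: a Hidden+System folder plus an executable
    with the same base name beside it, in the order the decoys are listed."""
    folders = {e.name.lower(): e for e in entries if e.is_dir}
    pairs = []
    for e in entries:
        if e.is_dir:
            continue
        base, ext = os.path.splitext(e.name)
        if ext.lower() not in DECOY_EXTENSIONS:
            continue
        folder = folders.get(base.lower())
        if folder is not None and is_hidden_system(folder):
            pairs.append((folder, e))
    return pairs


def hidden_folders(entries):
    """All Hidden+System folders, decoy or not: what fixfolder.vbs would reset."""
    return [e for e in entries if e.is_dir and is_hidden_system(e)]


def scan_directory(path):
    """Read one directory. st_file_attributes exists only on Windows; elsewhere
    every entry reads as attributes 0, so no folder is flagged."""
    entries = []
    with os.scandir(path) as it:
        for de in it:
            st = de.stat(follow_symlinks=False)
            entries.append(Entry(de.name, de.is_dir(follow_symlinks=False),
                                 getattr(st, "st_file_attributes", 0)))
    return entries


# Constructed sample listing of an infected USB root (not real data).
SAMPLE = [
    Entry("Photos", True, HIDDEN_SYSTEM),
    Entry("Photos.exe", False, stat.FILE_ATTRIBUTE_ARCHIVE),
    Entry("Music", True, HIDDEN_SYSTEM | stat.FILE_ATTRIBUTE_READONLY),
    Entry("Music.exe", False, 0),
    Entry("Backup", True, 0),            # ordinary visible folder
    Entry("notes.txt", False, 0),
    Entry("setup.exe", False, 0),        # no same-named folder: not a decoy
]

if __name__ == "__main__":
    # Pass a drive or folder path to scan it; with no argument the sample is used.
    listing = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for folder, decoy in find_mimic_pairs(listing):
        print(f"decoy {decoy.name} shadows hidden folder {folder.name}")
    print(f"{len(hidden_folders(listing))} Hidden+System folder(s) found")
```

Run it as `python decoys.py E:\` on the infected drive (name assumed). It only reports; clearing the attributes is what the VBScript above does, and removing the decoy executables is left to the antivirus so that an infected .exe is not mistaken for a decoy by name alone.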
  • http://non spidado

    Bro.. Good job, well done… I’m a happy man!!!

  • Orion

    Good job! The only problem with this script is the two folders “Recycled” and “System Volume Information”. The script will halt when it reaches those two points. I tried to use an IF / THEN to skip those two folders but I couldn’t get it right. Can you help with any pointers?

  • aiyan

    Why does it not work for me?

  • http://designromania.com octav nicu

    I stumbled upon problems like this, when some damn virus cleared out the option to see hidden on system files.

    The easiest solution is to use Total Commander, set its configs to show hidden files and then you can see the damn autorun.inf and you can delete it.

  • harvey

    This thing happened exactly 2 days ago… the only files I see are those in the root directory. Good thing I didn’t format my HD yet.

    Downloaded a zip file from Yahoo from a friend’s PC. After unzipping the file my NOD32 detected it, but it already disabled it. Then I observed that in each folder I open there’s a new folder named “Classified” created, and then I knew I got a virus. I scanned my HD from another PC, and then all the folders were lost, or so I thought. What this virus did was create an EXE file with each folder’s name and hide all the files. Only the files in the root directory can be seen. You can find the files only if you type the exact folder name in the address bar. Or if you have a WinRar file, there you can also see the hidden folders and files.

    Now my problem (as also stated above) is how to unhide these files, not one by one. I’m not a programmer and don’t know how to use the VB code. From a noob level, please advise me step by step how to unhide my files.. Thanks a lot.

  • Thanks

    Thanks man, greatly appreciated.. I thought I permanently lost my files. Got them all back thanks to this baby!

  • Aamir

    Thanks a lot Bro !!!!!!!
    This really works for me.
    I was searching for the solution for a long time. Can’t explain how thankful I am.

    again thanks a lot

  • Yong

    Just FYI, you can bulk-change the attributes of the files and folders, so you can use:

    attrib -h -s /S /D *

    that worked no probs for me.

    • http://www.bleuken.com bleuken

      I tried this one but it doesn’t work for folders with hidden+system+read-only attributes. This is the reason why I made a script instead to do the job for me.

  • http://dloading.com/download_10776.htm nod32

    ESET nod32 antivirus helped me to clean my PC.

  • pfolio

    I am also experiencing the same problem. What really annoys me is that my external hard drive was infected by the win32 sality virus after I plugged it into some computer; now all my downloads (games and programs’ exes) are infected by the win32 sality virus. I am not losing hope of finding a way to repair/cure all my infected exes.

    About your problem, I think the sality virus is not alone in giving you pain; I think newfolder.exe is doing the folder replication.

    • http://www.bleuken.com bleuken

      Yeah, you’re right. It seems that two or more viruses together with Sality make it more tricky and difficult to remove.

  • http://www.wickedsunny.com Wickedsunny

    My laptop was also infected with this worm.

    Its real name is win32.hhlw.shadow.based

    Sality is one of the viruses it contains.

    It can easily be healed with Dr web Cureit Antivirus.

    Avast detects it but is unable to repair it.

    Boot in safe mode and do a complete scan; it will cure all the exe files.

    drweb.com/

  • hello

    I recommend nod32 for thoroughly cleaning Sality infections..
    and I hope this will not sound offensive, but your code will be useless
    if the worm which is the cause of hiding all those folders is still running.. :)

    • http://www.bleuken.com bleuken

      No, it is not offensive. Thanks for the additional info. Actually, when I ran the said script, the infection was already eliminated. I’m not using Nod32 for no reason. It’s just that I’ve gotten used to Avast. :)

  • [PH-h4x0r]BatDuProgrammer

    Your info is wrong, bro :)) The sality virus is only a file infector of .exe and .scr; it does not create fake folders, and it creates autorun.inf so that it starts via the USB :D. I think what you are describing is a worm that is infected with sality ;)

    • http://www.bleuken.com bleuken

      Actually, I based my info here on my experience with the said virus. I admit that there are other viruses on the system aside from Sality, but when I scanned it using AVAST, that’s the signature found by AVAST. Well, thank you for that correction. I will verify this. Thanks!

  • hello

    i just want to let you know that Sality is just a file infector. it doesnt do anything else like what you’ve said. What might have happened to your case was this: Some worms whose behaviour involves hiding your folders and creating of a mimic copy of that which is actually an executable, might have been infected too by Sality. So since sality was an exe file infector. And the worm is an exe file.. no doubt Sality has infected that those becoming a Worm that has a Virus inside…