w32sality-virusI am really annoyed with this virus that infects my USB stick and a friend’s PC. It embeds itself to the .EXEcutable files of the infected system. I am referring to a worm / virus called W32/Sality Virus (as per detected by AVAST). I actually prevented it to create autorun.inf file on my external drive using the method I’ve been using to deal with this kind of virus or worms however it uses other methods to spread itself. What it do aside from embedding itself on .EXE files and installing itself to the AUTORUN system of the computer is it creates a mimic of all the folder of the current drive. That’s right, it creates a copy of the same name of each folder of the drive and hides all the folder by changing its attribute to Hidden+System (H+S) attribute. Making it invisible in the windows explorer despite you enable the Show Hidden Files and Folders option.

When you will view your files on your USB drives, it seems that nothing happens because all the folders are seems in the list but actually all of them are the virus already. It uses a folder icon to deceive possible victims to double-click it. It executes then the maliscious code on the system and start spreading through other drives it see then opens the folder so that you will not suspect that there’s something wrong with your system. W32/Sality Virus is really quite tricky because it combines all possible method of spreading it through the system.

What I hate about it is it can be fixed by AVAST and there’s no way you can do about it. Leaving me no choice but to delete the infected .EXE files. Another thing is that since you can’t see the folder in Windows Explorer because of what it did on the file attibutes, you need to manually reset the file attribute through the command prompt. The problem is that if you have a lot of folder to unhide, it will really very painful in your part. That’s why what I did was I made a VBS script (with the help of VBSEdit) that recursively change all the folders on the drive I like. The script that I made resets the attribute of all the folder to zero. This way it unhides all the folder that hides by the Sality virus. If you want to use the VBScript, you can download it here (just don’t forget to rename it to fixfolder.vbs) but I am recommending that you don’t run it on your system drive (C:\>)  and use it at your own risk. It work on me but if something bad happens to any way not related or related to this script, well don’t blame me. 🙂

Here’s the code:

' Reset the file attributes of All the Folder in a specific Drive
' Change Z:\ to the drive letter where you want the change will happen.

cDrive = "Z:\"

Set FSO = CreateObject("Scripting.FileSystemObject")
ShowSubfolders FSO.GetFolder(cDrive)
WScript.Echo "Done with fix."

Sub ShowSubFolders(Folder)
    str = ""
    For Each Subfolder in Folder.SubFolders
        str = str & " " & Subfolder.Path
        subFolder.Attributes = 0
        ShowSubFolders Subfolder
    Next
End Sub
0 0 votes
Article Rating
Subscribe
Notify of
guest
 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

18 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
spidado
11 years ago

Bro..Good job well done…I’m eh happy man!!!

Orion
Orion
11 years ago

Good job! The only problem with this script are the two folders “Recycled” and ‘System Volume Information”. Script will halt when it reaches those two points. I tried to use an IF / THEN to skip those two folders but I couldnt get it right. Can you help with any pointers?

aiyan
aiyan
12 years ago

why it does not work on me’?

octav nicu
12 years ago

I stumbled upon problems like this, when some damn virus cleared out the option to see hidden on system files.

The easiest solution is to use Total Commander, set its configs to show hidden files and then you can see the damn autorun.inf and you can delete it.

harvey
harvey
12 years ago

this thing happened exactly just 2 days ago… the files I only see are those in the root directory. good thing I didn’t format my HD yet.

downloaded a zip file from yahoo from a friend’s pc. after unzipping the file my NOD32 detected it but it already disabled it. then I observed each folder I open there’s a new folder named “Classified” created, then I knew I got a virus. I scanned my HD from another pc, then all the folders are lost, or so I thought. what this virus did was created an EXE file of all the folder names and hides all the files. only the files in the root directory can be seen. You can find the files only if you typed the exact folder name in the address bar. Or if you have a WinRar file, there you can also see the hidden folders and files.

now my problem (as also stated above) how to unhide these files not one by one. im not a programmer, and dont know how to use the VB code. from a noob level, please advise me a step by step to unhide my files.. thanks a lot.

Thanks
Thanks
12 years ago

Thanks man, greatly appreciated.. I thought I permanently lost my files. Got them all back thanks to this baby!

Aamir
Aamir
13 years ago

Thanks a lot Bro !!!!!!!
this really works for me.
i was just searching for the solution from long time.can’t explain how thankful i am

again thanks a lot

Yong
Yong
13 years ago

Just FYI you can bulk attribute the files and folders so you can use:

attrib * -h -s /H /S

that worked no probs for me.

nod32
13 years ago

ESET nod32 antivirus help me to clean my PC

pfolio
pfolio
13 years ago

I am also experiencing the same problem. What really annoys me is my external hard drive was infected by win32 sality virus after I plugged it to some computer now all my downloads (games and program’s exe) were infected by a win32 sality virus, I am not loosing hope to finding a way to repair/cure all my infected exes.

About your problem I think that sality virus is not alone giving you pain I think newfolder.exe is doing the folder replication.