1

We have had following problem on our Windows2003 server for weeks now, every day the folder on our share are being made hidden and replaced by .exe files with the same names as the original folders. I can "Un-hide" them and hide or remove the .exe "folders" but it keeps coming back within some hours. Windows is fully updated, we do a "thorough" virus scan (F-Prot) every night with no detections, and SpyBot S&D (recommended by F-Prot support tech) only detects 3 "Tracking cookies" which does not sound likely to hide folders.

We do have presence of "W32/Conficker" in the network which is not a very nice one, so of course cleaning clients is a high priority, but I don't know which is the more likely - that it is hiding on the server or keep coming from a client attaching to the Share.

Any advice is most appreciated!

Otto Ardeby
  • 11
  • 1
  • 2
  • 1
    Since this is happening to the share on the server, and the server appears to be clean, and you have malware infecting one or more of your client machines, logic would seem to point to a client (or clients) as the source of the problem. Have you scanned/cleaned every client machine? – joeqwerty Sep 19 '12 at 13:43
  • Well, we sure try to but I can not guarantee it. We continue to check clients. I have the feeling it resides in the server though, it happens too often, I doubt any infected client is that active. Same 15 folders are being changed like this every time it happens. – Otto Ardeby Sep 20 '12 at 17:34
  • Can you set the group permissions on the 15 folders so that the network PCs can't change them? Or can you turn on logging for one of the folders to see who is changing it? (I'm not sure how to do it but it must be possible!) – peter_mcc Oct 22 '12 at 13:10

1 Answers1

2

you have a worm infection on your network server and or client pcs. this worm hides your original folders by changing its attributes. the first thing you need to do as scan your entire server , especially the shares. there have been reports that antiviral software don't pick up the infection. out of my own experience i have found that Microsoft security essentials does a good job of cleaning the infection. once cleaned you will have to delete all the exe folders on your drives, and then change all the attributes of the drives, to show the hidden folders. in a personal capacity this works best , on a company server i would suggest that you install a script to do the manual labour for you as this can be a time consuming project. the following script seems to do the trick , an edit needs to be done on the path and drive locations though.

  1. Install, update your antivirus application. I used Symantec and it found w32.sillyfdc
    1. Delete all detected files. The .exe folder just removed. Now you need to do is show the original folders
    2. Open File Manager
    3. Go to top menu, Tools > Folder Options. Select View tab
    4. Mark the “Show hidden files and folders.”
    5. Go to Start > Run, type cmd at the OPEN: box, and press OK. This will show the DOS command prompt
    6. Using My Computer, view the drive of hidden folders
    7. Go to Command Prompt and type this to unhide all folders and files: attrib e:*.* /d /s -h -r -s

Where “e” is the drive where hidden folders resides

That should do it.

a sample of the script follows below.

attrib -s -h -r autorun.inf del autorun.inf md autorun.inf attrib +s +h +r autorun.inf attrib -s -h -r RECYCLER rd /s RECYCLER copy /y NUL RECYCLER attrib +s +h +r RECYCLER cacls /P autorun.inf everyone:N cacls /P RECYCLER everyone:N

user189625
  • 21
  • 2
  • 1
    +1 for this malware diagnosis - had exactly this infection with one of our customers a couple of weeks ago. – Alan B Sep 12 '13 at 08:14