W32/Sality Virus - Unhiding the Folders

I am really annoyed with this virus that infected my USB stick and a friend’s PC. It embeds itself in the executable (.EXE) files of the infected system. I am referring to a worm / virus called W32/Sality Virus (as detected by AVAST). I actually prevented it from creating an autorun.inf file on my external drive, using the method I’ve been using to deal with this kind of virus or worm; however, it uses other methods to spread itself. What it does, aside from embedding itself in .EXE files and installing itself into the AUTORUN system of the computer, is create a mimic of every folder on the current drive. That’s right, it creates a copy with the same name as each folder on the drive and hides all the folders by changing their attributes to Hidden+System (H+S), making them invisible in Windows Explorer even if you enable the Show Hidden Files and Folders option.

When you view the files on your USB drive, it seems that nothing has happened because all the folders seem to be in the list, but actually all of them are already the virus. It uses a folder icon to deceive possible victims into double-clicking it. It then executes the malicious code on the system and starts spreading to the other drives it sees, then opens the folder so that you will not suspect that there’s something wrong with your system. W32/Sality Virus is really quite tricky because it combines all possible methods of spreading itself through the system.

What I hate about it is it can be fixed by AVAST and there’s nothing you can do about it, leaving me no choice but to delete the infected .EXE files. Another thing is that since you can’t see the folders in Windows Explorer because of what it did to the file attributes, you need to manually reset the file attributes through the command prompt. The problem is that if you have a lot of folders to unhide, it will be really painful on your part. That’s why I made a VBS script (with the help of VBSEdit) that recursively changes all the folders on the drive I choose. The script resets the attributes of all the folders to zero. This way it unhides all the folders hidden by the Sality virus. If you want to use the VBScript, you can download it here (just don’t forget to rename it to fixfolder.vbs), but I recommend that you don’t run it on your system drive (C:\>) and use it at your own risk. It worked for me, but if something bad happens in any way, related or not related to this script, well, don’t blame me. :)

Here’s the code:

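' Reset the file attributes of all the folders on a specific drive.
' Change Z:\ to the drive letter where you want the change to happen.

cDrive = "Z:\"

Set FSO = CreateObject("Scripting.FileSystemObject")
ShowSubFolders FSO.GetFolder(cDrive)
WScript.Echo "Done with fix."

' Walk every subfolder below Folder and clear its attributes.
Sub ShowSubFolders(Folder)
    str = ""
    For Each Subfolder in Folder.SubFolders
        ' Collect the path (kept from the original; not displayed).
        str = str & " " & Subfolder.Path
        ' 0 = Normal: clears Hidden, System and Read-only on the folder.
        Subfolder.Attributes = 0
        ' Recurse into the folder just unhidden.
        ShowSubFolders Subfolder
    Next
End Sub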
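
Before running the fix, it helps to see what it will touch. The script below is an added example, not part of the original post: a read-only audit that lists every folder carrying both Hidden and System and notes whether a same-named file sits beside it. The `.exe` name for that look-alike is an assumption (the post only says the copy has the folder's name), and the names `AuditFolder`, `report`, `nHidden` and `nDecoys` are made up for this example.

```vbscript
' Added example: read-only audit. It changes nothing on disk.
' Assumption: the look-alike is "<folder name>.exe" next to the hidden folder.
Option Explicit

Const ATTR_HIDDEN = 2   ' FileSystemObject attribute bit: Hidden
Const ATTR_SYSTEM = 4   ' FileSystemObject attribute bit: System

Dim FSO, cDrive, nHidden, nDecoys, report
cDrive = "Z:\"          ' same drive setting as the fix script
nHidden = 0
nDecoys = 0
report = ""

Set FSO = CreateObject("Scripting.FileSystemObject")
AuditFolder FSO.GetFolder(cDrive)

WScript.Echo report & nHidden & " hidden+system folder(s), " & _
    nDecoys & " with a same-named .exe beside them."

Sub AuditFolder(Folder)
    Dim subs, probe, Subfolder, decoyPath, mask

    ' Probe the collection first so an unreadable folder
    ' (for example System Volume Information) is skipped cleanly.
    On Error Resume Next
    Set subs = Folder.SubFolders
    probe = subs.Count
    If Err.Number <> 0 Then
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0

    mask = ATTR_HIDDEN Or ATTR_SYSTEM
    For Each Subfolder In subs
        ' Both bits must be set, matching the H+S state described above.
        If (Subfolder.Attributes And mask) = mask Then
            nHidden = nHidden + 1
            report = report & "H+S  " & Subfolder.Path & vbCrLf
            decoyPath = Subfolder.Path & ".exe"
            If FSO.FileExists(decoyPath) Then
                nDecoys = nDecoys + 1
                report = report & "     look-alike: " & decoyPath & vbCrLf
            End If
        End If
        AuditFolder Subfolder
    Next
End Sub
```

Running it with `cscript //nologo` prints the report to the console instead of a message box.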

Source: http://www.bleuken.com/2009/02/23/w32sality-virus-unhiding-folders/