[ConanTheLibrarian]

There is a virus ITW that hides most of the files/folders on the system drive (c:) by setting the hidden attribute.

I have seen this virus a few times, but I am having the hardest time trying to identify what virus causes this. I do not have any samples.

Has anyone seen this infection yet and provide some insight as to the name?

[fatdcuk]

LOL not a virus.

Trojan.FakeAlert fallout

"Windows blah-blah" < insert tech sounding words for the flavour of that day ;)

[Meriadoc]

Windows Recovery hides your docs and all programs - interestingly it rendered vm useless, unable to revert or make a snapshot I had to end the vmware process.

[kiskav]

Thanks for the sample Meridoc.. Not sure why Fatduck sample Crashed my VM, but Your's sample worked like a Charm. :)

Does any aware of , On what basis this Rogueware chooses the folder to enable the Hide attribute ?. Any easy way to revert the changes done by this Rogueware alone & not disturbing the legitimate files hided by Microsoft for security Reasons ?

Regards,
Kiskav

[EP_X0FF]

Does any aware of , On what basis this Rogueware chooses the folder to enable the Hide attribute ?.

There are some strings from unpacked sample (main exe container for another exe, crypted and packed with FSG).

*.* "" attrib -h attrib +h
Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
NoChangingWallPaper
ShowSuperHiddenHidden
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

that's all "techniques" it had on board. It affects seems to be only desktop and user folders such as My Documents, Main Menu, SendTo folder etc.

[Xylitol]

Fatduck sample Crashed my VM

Fakes defragers drop generaly a tdl modification, so if you mean by 'crash' a bsod it's probably something similar.

[PX5]

I was also curious how the selection of files and folders was done, I have had files come up missing from folders on root as well as most anything in documents and settings.

Im sure there is some sorta pattern they use but havent a clue what it may be. :(

[kiskav]

Thanks EP & Xylitol :)

Note: people can Use the below command to fix the same.
Attrib -h \\*.* /D /S

Regards,
Kiskav

[wealllbe20]

*Update*
"Not A Virus" but malware also has potential to remove all user start menu shortcuts (*.lnk)

As well as changing many registry entries

I fixed 90% by running dial-a-fix
The only one it did not fix was:

Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Name: HideIcons
Type: REG_DWORD
Change Value Back To: 0

I was so ticked off I looked for a undelete utility and it found zero .lnk files

I did a search-> *.lnk and I found them all
Located here
%userprofile%\Local Settings\Temp\smtmp

It created 3 folders
Folders 1 2 and 4 here is what they mean:

1 -- All users start menu
2 -- current user quicklaunch
4 -- all users desktop

[ConanTheLibrarian]

You can use Recuva as well if you need to undelete them in case %temp% is cleared.