Wednesday, May 8, 2019

Malware Removal 101: Worm (Files.bat)

I got this sample a few days ago from a customer's USB drive:

Virustotal


The user's files and folders are replaced with shortcuts; the originals are hidden and moved into a Files folder.

Manual Removal

Using System Explorer, terminate the running malware process.  If you have multiple running instances of the worm, select the parent process and End Process Tree instead.



Locate the files using CCleaner: select Start.lnk, right-click, and click File Directory Explore.


Delete all files including the parent folder.


Using Explorer, delete the shortcuts on your USB drive.


Unhide the files.  You can use either Attrib or Explorer.

  • Attrib
Launch CMD and type the following:

CD /D drive:\
ATTRIB -S -H /S /D

(CD on its own does not switch drives in CMD; /D changes both the drive and the directory.  ATTRIB with no file name applies to everything in the current folder, /S recurses into subfolders and /D includes the folders themselves.)

Replace drive: with the corresponding drive assignment of your USB drive.  Ex.  F:

  • Explorer
At Folder Options enable Show hidden files, folders and drives

Navigate to Files folder

Move all files and folders to your root directory


Select all hidden folders and unhide using Properties



Delete Files folder



Back at System Explorer delete Start.lnk
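The USB-side steps above (delete the shortcuts, clear Hidden and System, move the contents of Files back to the root, remove Files) can be scripted.  This is an added PowerShell example, not from the original post; it assumes the layout the post describes, takes the drive letter as a parameter, and records what each shortcut points at before deleting it.  Run it only after the worm process has been terminated; -WhatIf previews the changes.

```powershell
# Added example (not from the original post): automate the USB clean-up for the
# layout described above: a hidden "Files" folder holding the real data and
# .lnk shortcuts in the drive root. $Drive is supplied by you, e.g. 'F:'.
[CmdletBinding(SupportsShouldProcess)]
param([Parameter(Mandatory)][string]$Drive)

$root  = "$Drive\"
$files = Join-Path $root 'Files'

if (-not (Test-Path -LiteralPath $files -PathType Container)) {
    Write-Warning "No 'Files' folder on $Drive; layout does not match, nothing done."
    return
}

# 1. Record each shortcut and what it launches (parsed via WScript.Shell, not run).
$shell = New-Object -ComObject WScript.Shell
$shortcuts = Get-ChildItem -LiteralPath $root -Filter *.lnk -Force -File
foreach ($s in $shortcuts) {
    $lnk = $shell.CreateShortcut($s.FullName)
    Write-Host ("{0} -> {1} {2}" -f $s.Name, $lnk.TargetPath, $lnk.Arguments)
}

# 2. Delete the shortcuts from the root.
foreach ($s in $shortcuts) {
    if ($PSCmdlet.ShouldProcess($s.FullName, 'Remove shortcut')) {
        Remove-Item -LiteralPath $s.FullName -Force
    }
}

# 3. Clear Hidden and System on everything inside Files (same as ATTRIB -S -H /S /D).
$mask = -bnot ([int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System)
Get-ChildItem -LiteralPath $files -Recurse -Force | ForEach-Object {
    $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band $mask)
}

# 4. Move the real files and folders back to the root, then remove the empty Files folder.
Get-ChildItem -LiteralPath $files -Force | ForEach-Object {
    $dest = Join-Path $root $_.Name
    if (Test-Path -LiteralPath $dest) {
        Write-Warning "Skipping $($_.Name): an item with that name already exists in the root."
    } elseif ($PSCmdlet.ShouldProcess($_.FullName, "Move to $root")) {
        Move-Item -LiteralPath $_.FullName -Destination $dest
    }
}
if (-not (Get-ChildItem -LiteralPath $files -Force) -and
    $PSCmdlet.ShouldProcess($files, 'Remove empty Files folder')) {
    Remove-Item -LiteralPath $files -Force
}
```

Anything that is skipped because of a name clash stays in Files, so the folder is only removed once it is actually empty.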



Note:  If you have multiple instances of the malware running in memory, do not use TaskMan to terminate its process because there is a chance that your PC would reboot.  Use System Explorer instead.  Suspend all processes first then end them one by one.



POST:  Scan your system and USB drives with an updated Antivirus.






All content ("Information") contained in this report is the copyrighted work of WinXPert: Virus and Malware Removal.

The Information is provided on an "as is" basis. WinXPert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, WinXPert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise. 
Copyright © 2019 WinXPert. All rights reserved. All other trademarks are the sole property of their respective owners.

To GOD be the glory!
