3

In windows there is a malware that mounts a false executable (522k) and renames the real executables (.exe) in g * .exe and changes the attributes to hidden and read-only

Example:

folder 1
  Bar.exe # fake
  gBar.exe # real (hidden and only Read)

folder2
  Foo.exe # fake
  gFoo.exe # real (hidden and only Read)

I would like to know if there is command for Windows (to run with privileges in safe mode), that to do a recursive search of executables (in the whole hard drive) and in case there are coincidences (* .exe and g * .exe in the same directory or subdirectory) that changes the attributes of the .exe real, delete the fake or make the replacement (from g * .exe to * .exe)

Update:

  1. I have removed the linux command to avoid confusion

  2. This is what I have done so far (it's not a big deal):

    for /r "c:\" %%x in (g*.exe) do ren "%%x" "c:\*.exe"
attrib -h -s -r +a g*.exe

Update:

The response indicated as correct may eventually compromise system files, so, i will solve the problem from Linux (with my initial proposal) and i abandon the question for Windows

Thank you all for your contribution (special thanks to Pimp Juice IT)

acgbox
  • 741
  • 2
  • 13
  • 31
  • [This](https://superuser.com/questions/100360/how-can-i-remove-malicious-spyware-malware-adware-viruses-trojans-or-rootkit) is not an answer but a good read for this situation. – Sandeep Jun 12 '18 at 14:48
  • Thank you. It is good reading. But this malware only does what I describe in my question. Therefore, executing the command is enough. It is not necessary to use an antivirus to solve the problem (a good sysadmins must learn to solve their problems and not always solve them with third-party tools) – acgbox Jun 12 '18 at 15:04
  • In the past, messing with attributes from one os, using another os, have not worked well for me. I think the best you can hope for, is to boot into windows safe mode and run a simple batch. – dmb Jun 12 '18 at 15:04
  • 1
    That is precisely my question. Run a .bat with privileges (in safe mode), but I do not know what the command would be for the .bat – acgbox Jun 12 '18 at 15:08
  • The question is clear. "change attributes and rename recursively in windows with .bat". That is, Windows OS – acgbox Jun 12 '18 at 19:10
  • Please note that https://superuser.com is not a free script/code writing service. If you tell us what you have tried so far (include the scripts/code you are already using) and where you are stuck then we can try to help with specific problems. You should also read [How do I ask a good question?](https://superuser.com/help/how-to-ask). – DavidPostill Jun 12 '18 at 20:33
  • I already explained the description what I'm trying to do. A recursive search of executables, to replace a fake file (.exe) with the real one. I would like to know what part of my question does not understand to be able to explain it better. – acgbox Jun 12 '18 at 20:42
  • You identified and explained the problem. The point is the question shows no research effort towards writing a Windows script or whatever. It's not "help me with my script" because there is no script; it's rather "write the *entire* script for me". Do you know any Windows commands that may be helpful? Did you try to make them work together? What was the result? – Kamil Maciorowski Jun 12 '18 at 21:01
  • @KamilMaciorowski okay. Now I understand your point. I must add what I have done, so that it can be corrected. I already add this to the question. Thank you – acgbox Jun 12 '18 at 21:32

1 Answers1

2

You can run two separate for /f loops with with the dir command using the /a:h in one to iterate the hidden files and a:/r in the other to iterate the read-only files.

You'd use the attrib command with the -h parameter to remove the hidden attributes of the files and with the -r parameter to remove the read-only attributes of the files.

Note: You can use "g*.exe" as the wildcard of all exe files starting with the letter "g". Also be sure to run this from the directory where you want to start your recursive find of the applicable files.

Remove Hidden Attributes

FOR /F "TOKENS=*" %a IN ('dir /s /b /a:h "*.exe"') do attrib -h "%~a"

Remove Read-Only Attributes

FOR /F "TOKENS=*" %a IN ('dir /s /b /a:r "*.exe"') do attrib -r "%~a"

Remove Fake File and Rename Real File Back

Per your clarification to find the exe files that are prefixed with the g character at the beginning of the file name, use the below batch script after you remove the hidden and read-only attributes. This will recursively find the g prefixed files, set a variable with the g parsed from those file names, remove the fake file, and then rename the g prefixed file back to the original name.

@ECHO ON
setlocal enabledelayedexpansion
set src=C:\
set mvFldr=C:\Moved
if not exist "%mvFldr%" MD "%mvFldr%"
FOR /F "TOKENS=*" %%a IN ('dir /s /b /a-d "%src%\g*.txt"') do (
    set fakename=%%~NXa
    set realname=!fakename:~1!
    if /i not [%%~Xa]==[.exe] GOTO :EOF
    if exist "%%~DPa!realname!" if exist "%%~DPa!fakename!" move "%%~DPa!realname!" "%mvFldr%"
    ::if exist "%%~DPa!realname!" if exist "%%~DPa!fakename!" del /q /f "%%~DPa!realname!"
    ren "%%~DPa!fakename!" "!realname!"
    )
EXIT

Further Resources

karel
  • 13,390
  • 26
  • 45
  • 52
Vomit IT - Chunky Mess Style
  • 40,038
  • 27
  • 84
  • 117
  • the search should start in "g" and end in ".exe" (not in .exe*) to avoid problems with app like a gpresult.exe.mui vs gpupdate.exe.mui etc. In linux is similar to "^g*.exe$" ... But in Windows i don't know – acgbox Jun 13 '18 at 00:26
  • It's the same script (on Windows 7). I only changed the variables: set src =%HOMEDRIVE% , set mvFldr =%HOMEDRIVE% , "%src%\g*.exe". I think it's better to use "del /f /q" instead of "move" to delete fake "*.exe" . For, if there is a match (Foo.exe and gFoo.exe) then delete Foo.exe first, and then rename gFoo.exe to Foo.exe, and change the attributes (attrib -h -s Foo.exe) – acgbox Jun 13 '18 at 12:13
  • 1
    consider: dir /s /b g*.exe | findstr .exe$ (to prevent coincidences with: *.exe.mui and others extensions) – acgbox Jun 13 '18 at 12:27
  • @user4839775 Good idea, if you get a chance, a quick solution may be to use `FOR /F "TOKENS=*" %%a IN ('dir /s /b /a-d "g*.txt" ^| findstr /R \.exe$') do` for that portion of the line in the script. If you get a chance, give it a test run and see if that'll suffice. I have to step away for a few now but will check in periodically and still test in a few if needed as well. – Vomit IT - Chunky Mess Style Jun 13 '18 at 12:42
  • Not work. See https://pastebin.com/FD3DFx2Z (the executables that the script is finding are * .exe.mui) – acgbox Jun 13 '18 at 13:17
  • The problem is not the command findstr or dir. I need you to explain what it means the variables: set fakename=%%~NXa and set realname=!fakename:~1! See https://pastebin.com/hjdpU8gY – acgbox Jun 13 '18 at 14:20
  • Why do not restore the attributes before renaming the executable?... You use terms outside of my understanding (%%~NXa , !fakename:~1! , "%%~DPa!realname!" , "%%~DPa!fakename!" etc) – acgbox Jun 13 '18 at 14:37
  • @user4839775 Please see this and tell me if this helps any.... https://pastebin.com/AqMMrGR0 ... Also, you will want to run the loop in the **Remove Hidden Attributes** section first to unhide the hidden files with that dir command and then the loop in the **Remove Read-Only Attributes** second in case any hidden files were also marked as read-only. The dir command in the batch script loop at the bottom will not see hidden files so that's why I left them separate. There may be a way to tie it all together if that's what you are looking for—let me know if this helps clarify any. – Vomit IT - Chunky Mess Style Jun 13 '18 at 14:43
  • I appreciate your effort, but definitely the script does not do what I want it to do, and I can not fix it because I do not understand it. Then, the problem remains without solution, but I will not change the qualification. Thanks anyway – acgbox Jun 13 '18 at 15:04
  • 1
    Yes. Your script is good (and that's why it was selected) although I do not understand very well what it does. And your script does not verify if the pair exists (false and original) in the same path (e.g: /path/gBar.exe and /path/Bar.exe), before executing the action. This affects system programs that start with "g" and end with ".exe" (gpresult.exe, gpscript.exe, gpupdate.exe, gpupdate.exe, etc). So, I abandoned the question and decided to do it for Linux that is more secure and does not affect system programs. Read the question again (edit) – acgbox Jun 15 '18 at 17:22