
On Windows there is a piece of malware that plants a fake executable (522k), renames the real executables (.exe) to g*.exe, and changes their attributes to hidden and read-only

Example:

folder 1
  Bar.exe # fake
  gBar.exe # real (hidden and read-only)

folder2
  Foo.exe # fake
  gFoo.exe # real (hidden and read-only)

I would like to know if there is a command for Windows (to run with privileges in Safe Mode) that does a recursive search for executables (across the whole hard drive) and, wherever there is a match (*.exe and g*.exe in the same directory or subdirectory), changes the attributes of the real .exe, deletes the fake, or makes the replacement (from g*.exe to *.exe)

Update:

  1. I have removed the linux command to avoid confusion
  2. This is what I have done so far (it's not a big deal):

    for /r "c:\" %%x in (g*.exe) do ren "%%x" "c:\*.exe"
    attrib -h -s -r +a g*.exe
    

Update:

The response marked as correct may end up compromising system files, so I will solve the problem from Linux (with my initial proposal) and abandon the question for Windows

Thank you all for your contribution (special thanks to Pimp Juice IT)

  • This is not an answer but a good read for this situation.
    – Sandeep
    Commented Jun 12, 2018 at 14:48
  • Thank you. It is a good read. But this malware only does what I describe in my question. Therefore, executing the command is enough. It is not necessary to use an antivirus to solve the problem (a good sysadmin must learn to solve their problems and not always solve them with third-party tools)
    – acgbox
    Commented Jun 12, 2018 at 15:04
  • In the past, messing with attributes from one OS, using another OS, has not worked well for me. I think the best you can hope for is to boot into Windows Safe Mode and run a simple batch.
    – dmb
    Commented Jun 12, 2018 at 15:04
    That is precisely my question. Run a .bat with privileges (in safe mode), but I do not know what the command would be for the .bat
    – acgbox
    Commented Jun 12, 2018 at 15:08
  • The question is clear. "change attributes and rename recursively in windows with .bat". That is, Windows OS
    – acgbox
    Commented Jun 12, 2018 at 19:10

1 Answer


You can run two separate for /f loops with the dir command, using /a:h in one to iterate the hidden files and /a:r in the other to iterate the read-only files.

You'd use the attrib command with the -h parameter to remove the hidden attribute from the files and with the -r parameter to remove the read-only attribute from the files.

Note: You can use "g*.exe" as the wildcard for all exe files starting with the letter "g". Also be sure to run this from the directory where you want to start your recursive search for the applicable files.

Remove Hidden Attributes

FOR /F "TOKENS=*" %a IN ('dir /s /b /a:h "*.exe"') do attrib -h "%~a"

Remove Read-Only Attributes

FOR /F "TOKENS=*" %a IN ('dir /s /b /a:r "*.exe"') do attrib -r "%~a"

Remove Fake File and Rename Real File Back

Per your clarification, to find the exe files that are prefixed with the g character at the beginning of the file name, use the batch script below after you remove the hidden and read-only attributes. It will recursively find the g-prefixed files, set a variable with the g parsed off those file names, remove the fake file, and then rename the g-prefixed file back to the original name.

@ECHO ON
setlocal enabledelayedexpansion
set "src=C:\"
set "mvFldr=C:\Moved"
if not exist "%mvFldr%" MD "%mvFldr%"
REM /a-d skips directories; findstr keeps only names that really end in .exe
REM (so gpupdate.exe.mui, which "g*.exe" also matches, is left alone)
FOR /F "TOKENS=*" %%a IN ('dir /s /b /a-d "%src%g*.exe" ^| findstr /I /R "\.exe$"') do (
    set "fakename=%%~NXa"
    set "realname=!fakename:~1!"
    REM only act when the pair exists in the same directory (gFoo.exe next to Foo.exe);
    REM a lone g-prefixed program such as gpupdate.exe is never renamed
    if exist "%%~DPa!realname!" (
        move /Y "%%~DPa!realname!" "%mvFldr%"
        REM or, to delete the fake instead of moving it: del /q /f "%%~DPa!realname!"
        ren "%%~DPa!fakename!" "!realname!"
    )
)
EXIT

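The same pairing logic as the batch script above, written as an added PowerShell example (this is not code from the question or the accepted answer). It goes a little beyond the batch version: it acts only when gFoo.exe sits next to Foo.exe in the same directory AND the g-prefixed file carries both the hidden and read-only attributes the question describes, it hashes and quarantines the fake instead of deleting it, and it changes nothing until -Commit is passed. It assumes Windows PowerShell 4 or later (for Get-FileHash), an elevated session (ideally in Safe Mode), and the example locations $Root and $Quarantine, none of which the page specifies.

```powershell
# Added example, not code from the question or the accepted answer.
# Pairing rule: a g-prefixed, hidden, read-only file next to its un-prefixed
# twin in the same directory. Reports only, unless -Commit is given.
# Assumptions: Windows PowerShell 4+ (Get-FileHash), elevated session,
# $Root and $Quarantine are example locations.
[CmdletBinding()]
param(
    [string]$Root = 'C:\',
    [string]$Quarantine = 'C:\Quarantine',
    [switch]$Commit
)

$quarantineFull = [IO.Path]::GetFullPath($Quarantine)
if ($Commit -and -not (Test-Path -LiteralPath $quarantineFull)) {
    New-Item -ItemType Directory -Path $quarantineFull | Out-Null
}

# -Force is required or hidden files are skipped; -Filter keeps the enumeration cheap.
# The Extension check drops names such as gpupdate.exe.mui that the wildcard can also match,
# and anything already sitting in the quarantine folder is ignored.
Get-ChildItem -LiteralPath $Root -Recurse -Force -File -Filter 'g*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq '.exe' -and -not $_.FullName.StartsWith($quarantineFull, 'OrdinalIgnoreCase') } |
    ForEach-Object {
        $real = $_
        $fakePath = Join-Path $real.DirectoryName $real.Name.Substring(1)

        # Rule 1: act only on a pair in the same directory (gFoo.exe next to Foo.exe).
        # A lone gpupdate.exe or gpresult.exe is never touched.
        if (-not (Test-Path -LiteralPath $fakePath -PathType Leaf)) { return }

        # Rule 2: the question says the renamed original is hidden AND read-only;
        # require both, so an unrelated pair of legitimate programs is skipped too.
        if (-not ($real.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                  $real.Attributes.HasFlag([IO.FileAttributes]::ReadOnly))) { return }

        $fake = Get-Item -LiteralPath $fakePath -Force
        # Record what is about to be touched; if it is one dropper, the hash will be
        # identical in every folder and is what you would hand to an AV vendor.
        [pscustomobject]@{
            Directory  = $real.DirectoryName
            Fake       = $fake.Name
            FakeBytes  = $fake.Length
            FakeSHA256 = (Get-FileHash -LiteralPath $fakePath -Algorithm SHA256).Hash
            Real       = $real.Name
        }

        if (-not $Commit) { return }

        # Quarantine rather than delete, with a unique prefix so same-named fakes
        # from different folders do not overwrite each other.
        $dest = Join-Path $quarantineFull ('{0}_{1}' -f [guid]::NewGuid().ToString('N'), $fake.Name)
        Move-Item -LiteralPath $fakePath -Destination $dest -Force

        # Clear the attributes the malware set, then restore the original name.
        $real.Attributes = $real.Attributes -band (-bnot ([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::ReadOnly))
        Rename-Item -LiteralPath $real.FullName -NewName $real.Name.Substring(1)
    }
```

Save it as, say, fix-gexe.ps1 (the file name is arbitrary) and run it once without arguments from an elevated prompt to get the list of pairs it would act on, check that nothing in that list is a legitimate program, then run it again with -Commit. The quarantined copies keep the original file names after the random prefix, so they can still be hashed or submitted later.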

  • the search should start with "g" and end in ".exe" (not in .exe*) to avoid problems with apps like gpresult.exe.mui vs gpupdate.exe.mui etc. In Linux it is similar to "^g*.exe$" ... But in Windows I don't know
    – acgbox
    Commented Jun 13, 2018 at 0:26
  • It's the same script (on Windows 7). I only changed the variables: set src=%HOMEDRIVE%, set mvFldr=%HOMEDRIVE%, "%src%\g*.exe". I think it's better to use "del /f /q" instead of "move" to delete the fake "*.exe". That is, if there is a match (Foo.exe and gFoo.exe), then delete Foo.exe first, then rename gFoo.exe to Foo.exe, and change the attributes (attrib -h -s Foo.exe)
    – acgbox
    Commented Jun 13, 2018 at 12:13
    consider: dir /s /b g*.exe | findstr .exe$ (to prevent coincidences with: *.exe.mui and others extensions)
    – acgbox
    Commented Jun 13, 2018 at 12:27
  • @user4839775 Good idea, if you get a chance, a quick solution may be to use FOR /F "TOKENS=*" %%a IN ('dir /s /b /a-d "g*.txt" ^| findstr /R \.exe$') do for that portion of the line in the script. If you get a chance, give it a test run and see if that'll suffice. I have to step away for a few now but will check in periodically and still test in a few if needed as well. Commented Jun 13, 2018 at 12:42
  • Yes. Your script is good (and that's why it was selected), although I do not understand very well what it does. And your script does not verify whether the pair exists (fake and original) in the same path (e.g. /path/gBar.exe and /path/Bar.exe) before executing the action. This affects system programs that start with "g" and end with ".exe" (gpresult.exe, gpscript.exe, gpupdate.exe, etc.). So I abandoned the question and decided to do it on Linux, which is more secure and does not affect system programs. Read the question again (edit)
    – acgbox
    Commented Jun 15, 2018 at 17:22
