Wednesday, December 2, 2009


Some malware becomes famous because of its behaviour. I recently found one that hides all your Word documents and replaces each of them with a copy of itself: an .exe file with the same name and icon as the hidden document. It becomes dangerous when "Hide extensions for known file types" is enabled in Folder Options, because you cannot distinguish the changes made by the malware. It gets worse when you attach such a file to an email and spread the malware to other computers. So be aware of this malware and view the properties of a file before executing it: the malware will appear as "Application" rather than as a Word document. I'll post more details on the analysis of this malware later; this post only covers how to recover your files.

First, open a command prompt: go to Start > Run, type cmd and press Enter. In the command prompt, type your drive letter followed by a colon (e.g. if your pen drive is labelled I: in "My Computer", just type I: and press Enter).

Then type:

dir /A:H
This command lists all the hidden files on your drive, including the files that were hidden by the malware (if working properly).

Then to remove the hidden attribute of the files just type:

attrib -S -H -R *.doc
This command removes the System (-S), Hidden (-H) and Read-only (-R) attributes from all .doc files in the drive. Please note that the hidden attribute cannot be removed using Properties.
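
The same check and recovery as a PowerShell script, as an added example that is not part of the original post: it lists hidden .doc files, flags those with a same-named .exe next to them (the pattern described above), and with -Restore clears the same three attributes as the attrib command. The parameter names Root and Restore, the recursion into subfolders and the .exe lookup are assumptions of this example.

```powershell
# Added example (not from the original post). Parameter names are assumptions.
param(
    [Parameter(Mandatory = $true)]
    [string]$Root,      # folder or drive root to scan, e.g. I:\ from the post
    [switch]$Restore    # also clear the attributes, like "attrib -S -H -R"
)

# ReadOnly = 1, Hidden = 2, System = 4 in System.IO.FileAttributes.
$clearMask = 1 -bor 2 -bor 4
$hidden    = [System.IO.FileAttributes]::Hidden

# -Force returns hidden and system files. The explicit Extension check is
# needed because -Filter *.doc can also match *.docx.
$docs = Get-ChildItem -LiteralPath $Root -Filter *.doc -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.doc' -and ($_.Attributes -band $hidden) }

foreach ($doc in $docs) {
    # The post describes an .exe with the same name as each hidden document.
    $exePath = Join-Path -Path $doc.DirectoryName -ChildPath ($doc.BaseName + '.exe')
    $hasExe  = Test-Path -LiteralPath $exePath -PathType Leaf

    # One report row per hidden document; LookalikeExe is empty if none exists.
    [pscustomobject]@{
        Document     = $doc.FullName
        Attributes   = $doc.Attributes
        LookalikeExe = if ($hasExe) { $exePath } else { $null }
    }

    if ($Restore) {
        # Keep every attribute bit except ReadOnly, Hidden and System.
        $kept = [int]$doc.Attributes -band (-bnot $clearMask)
        $doc.Attributes = [System.IO.FileAttributes]$kept
    }
}
```

The script only reports the look-alike .exe files and never runs or deletes them.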

That's all for now, and don't hesitate to ask if you have any problems.
