How can a share be hidden?

TeraMedia

Distinguished
Jan 26, 2006
904
1
18,990
I just spent 3 hours last night digging through my parents' computer to eradicate an adware/malware infection. In the process of trying to update Google Earth, they ended up with DealPly, PC Backup, search.babylon.com.xxxxxx (DO NOT GO THERE!), delta-search, and a bunch of other garbage. I got rid of most of it and ran a virus scan, but the one thing that's bothering me is that DealPly had created a share inside the ProgramData\AppData folder (presumably to allow for uploading of botware), but I couldn't see the existence of the share in Computer Management or by issuing a Net Share command in cmd.exe (though I may have forgotten to elevate when I did that, now that I think about it).

So my question is, how can someone hide the existence of a share? I am concerned that there might be other hidden shares on their computer that I didn't find and delete.

Windows 7 SP1 with all security updates as of 9/3/2013.
 

TeraMedia

Unless I am mistaken, the $ at the end is how the admin shares typically work, such as C$, ADMIN$, etc.

The catch is that those all show up in Computer Management --> Shared Folders, while the one for DealPly did not. Those admin shares also showed up under CMD.exe --> net share. So the share in question wasn't merely hidden by having a $ in the name. It literally doesn't show up anywhere except when you try to delete the folder. Then it tells you that it is shared - but not as what.

Any other ideas?
 

TeraMedia

I was able to remove the offending directory without doing what you suggest. However, I do intend to slave the drive and do a full AV scan from a separate O/S at my earliest opportunity, just in case there was a virus present capable of hiding things from the O/S.

What I'm worried about is something akin to the SONY/BMG CD rootkit that hid any process, file or folder with "$SYS" as the beginning of its name. I saw that there was some feature when setting up shares in Win 7 to specify access privs on the share - separately from the folder privs AND the share privs - as if the share object itself had access control privs. I might take a look to see whether that can be used to hide the existence of a share from some local users if I have time.
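
The following is an added example, not part of the thread: a PowerShell script (compatible with the PowerShell 2.0 shipped in Windows 7) that cross-checks the share list the Server service reports through WMI against the persistent share definitions under the LanmanServer registry key, and marks any share whose path is at or under a given folder. The `$Folder` default is a placeholder assumption; pass the folder that Windows reports as shared.

```powershell
# Added example: compare two views of the share list and flag shares at or under a folder.
param([string]$Folder = 'C:\ProgramData')   # assumed path; pass the folder Windows says is shared

# An unelevated session may not show everything, so warn early.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Not elevated: rerun from an elevated PowerShell prompt.'
}

# View 1: shares the running Server service reports through WMI.
$live = @{}
Get-WmiObject -Class Win32_Share | ForEach-Object { $live[$_.Name] = $_ }

# View 2: persistent share definitions kept in the registry.
$stored = @{}
$reg = Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares' -ErrorAction SilentlyContinue
if ($reg) {
    foreach ($name in $reg.GetValueNames()) {
        # Each value is a multi-string of "Key=Value" entries; keep the Path entry.
        $stored[$name] = $reg.GetValue($name) | Where-Object { $_ -like 'Path=*' } |
            ForEach-Object { $_.Substring(5) }
    }
}

$prefix = $Folder.TrimEnd('\')
$rows = foreach ($name in (@($live.Keys) + @($stored.Keys) | Sort-Object -Unique)) {
    $w = $live[$name]
    $path = if ($w) { $w.Path } else { $stored[$name] }
    # Automatic admin shares (C$, ADMIN$, IPC$) have the high bit of Type set
    # and are not stored in the registry key.
    if ($w -and $stored.ContainsKey($name)) { $seen = 'WMI + registry' }
    elseif ($w -and $w.Type -ge 2147483648) { $seen = 'WMI only (admin share)' }
    elseif ($w) { $seen = 'WMI only: review' }
    else { $seen = 'registry only: review' }
    # True when the share path is the folder itself or anything beneath it.
    $under = [bool]($path -and ($path -eq $prefix -or
        $path.StartsWith("$prefix\", [StringComparison]::OrdinalIgnoreCase)))
    New-Object PSObject -Property @{ Name = $name; Path = $path; SeenIn = $seen; UnderFolder = $under }
}
$rows | Sort-Object Name | Format-Table Name, Path, SeenIn, UnderFolder -AutoSize
```

Rows marked "review" appear in only one of the two views, and a row with `UnderFolder` set to True names the share that covers the folder in question. Both views are read through the running operating system, so an offline scan from a separate O/S remains the check for anything able to hide itself from the O/S.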