incaseformat worm

Virus description:

Outbreaks have been reported across several industries in a number of regions of China, and most of the infected hosts are application systems used for financial management. On an infected host, every file on the non-system partitions has been deleted. Because an empty file named incaseformat.log is left in the root directory of each wiped partition, the virus has come to be called incaseformat online.

Virus analysis:

The virus first appeared in 2009, and mainstream anti-virus vendors all detect it as Worm.Win32.Autorun. The name alone tells us it is a worm that spreads through removable media on the Windows platform. When the virus file runs, it first copies itself into the Windows directory (C:\windows\tsay.exe), with its file icon disguised as a folder.

At the same time it adds a registry value so that it starts automatically; the key involved is: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\msfsa

After the host restarts, the virus file runs again and begins to traverse every directory on the non-system partitions, setting each directory to hidden and creating a virus file with the same name as the directory.

In addition, it modifies the registry so that Explorer hides hidden files and hides the extensions of known file types. The registry values involved are:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\checkedvalue

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\checkedvalue

Finally, it deletes all files on the non-system partitions and creates the incaseformat.log file.

Because of a wrong value assigned to a time variable when the virus was written, the file-deletion logic was triggered and executed today (January 13, 2021). The virus may in fact have been resident on the infected hosts for many years, going unnoticed for lack of host anti-virus software or because of mistaken whitelist settings. Since the virus spreads only through removable media such as USB drives and has no network propagation capability, the large-scale infection seen across many industries in China this time is suspected to be linked to the supply chain of the affected application systems or to the vendors' operation and maintenance, for example software distribution, updates and upgrades, or remote operation and maintenance. The actual transmission channel still needs further tracing.

Treatment suggestions:

1. Check the host. Check whether a file named tsay.exe with a folder icon exists in the Windows directory of the host. If it does, delete it promptly, and do not restart the host before it has been deleted.

2. Data recovery. Do not write to the partition whose files were deleted, so that the original data is not overwritten; then use common data recovery software (such as Finaldata, Recuva, DiskGenius, etc.) to recover the deleted data.

3. Virus cleanup. Because the virus has been around for a long time, mainstream anti-virus software can detect and remove it. Users can also clean and repair the host manually as follows:
1) End the virus-related process (ttry.exe) in Task Manager.
2) Delete the resident files tsay.exe and ttry.exe in the Windows directory and the related startup entry in the registry (RunOnce).
3) Restore the registry values listed above that the virus changed to hide files and extensions.
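
The following read-only triage script is an added example, not code from the original post. It checks a host for every indicator the post describes, both the resident files and persistence from the analysis section and the Explorer settings from the registry list, and for the hidden-directory-plus-same-named-exe pattern the worm leaves on non-system partitions. It only reports; the cleanup is left to the batch script in the appendix. The file names, registry paths and value names are taken from the post; the function name, report format and the choice to compare against the values the post's cleanup script restores are this example's own.

```powershell
# Added example (not from the original post): read-only incaseformat triage.
# Run from an elevated PowerShell so HKLM and the Windows directory are readable.
# Indicators come from the post; function name and output format are assumptions.

function Test-IncaseformatIndicators {
    $findings = @()
    $winDir = $env:SystemRoot

    # 1. Executables the worm drops into the Windows directory
    foreach ($name in 'tsay.exe', 'ttry.exe') {
        $path = Join-Path $winDir $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force
            $findings += "file present: $path ($($item.Length) bytes, modified $($item.LastWriteTime))"
        }
    }

    # 2. Worm processes still running (the post names ttry.exe as the live process)
    foreach ($proc in Get-Process -Name tsay, ttry -ErrorAction SilentlyContinue) {
        $findings += "process running: $($proc.ProcessName) (PID $($proc.Id))"
    }

    # 3. RunOnce persistence value the worm writes
    $runOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $entry = Get-ItemProperty -Path $runOnce -Name msfsa -ErrorAction SilentlyContinue
    if ($entry) { $findings += "RunOnce\msfsa = $($entry.msfsa)" }

    # 4. Explorer settings the worm changes to hide its files and extensions.
    #    Want = the value the post's cleanup script restores.
    $advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $folder   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder'
    $settings = @(
        @{ Key = $advanced;                Name = 'Hidden';       Want = 1 },
        @{ Key = $advanced;                Name = 'HideFileExt';  Want = 0 },
        @{ Key = "$folder\Hidden\SHOWALL"; Name = 'CheckedValue'; Want = 1 },
        @{ Key = "$folder\HideFileExt";    Name = 'CheckedValue'; Want = 1 }
    )
    foreach ($s in $settings) {
        $current = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ($null -ne $current -and $current -ne $s.Want) {
            $findings += "registry: $($s.Key)\$($s.Name) = $current (cleanup restores $($s.Want))"
        }
    }

    # 5. The incaseformat.log marker in the root of every fixed disk (DriveType 3)
    foreach ($disk in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3') {
        $root = $disk.DeviceID + '\'
        $marker = Join-Path $root 'incaseformat.log'
        if (Test-Path -LiteralPath $marker) { $findings += "marker present: $marker" }

        # 6. On non-system disks, a hidden top-level directory with a same-named .exe beside it
        if ($disk.DeviceID -eq $env:SystemDrive) { continue }
        foreach ($dir in Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue) {
            $twin = $dir.FullName + '.exe'
            if (($dir.Attributes -band [IO.FileAttributes]::Hidden) -and (Test-Path -LiteralPath $twin)) {
                $findings += "hidden directory with same-named exe: $twin"
            }
        }
    }

    return $findings
}

$hits = @(Test-IncaseformatIndicators)
if ($hits.Count -eq 0) { 'No incaseformat indicators found.' } else { $hits }
```

Treat the two HKCU results with care: Hidden = 2 and HideFileExt = 1 are also the out-of-the-box Windows defaults, so on their own they only corroborate. The dropped executables, the RunOnce\msfsa value, the incaseformat.log marker and the hidden-directory/exe pairs are the findings that actually identify this worm.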

 

Appendix:

Cleanup script: create a new .txt file, paste the code below into it, change the extension to .bat, and double-click to run it.

@echo off
rem Run from an administrator command prompt: the HKLM changes and the
rem deletions under C:\windows require elevation.

rem Stop the worm's resident processes before touching its files
taskkill /f /im tsay.exe
taskkill /f /im ttry.exe

rem Restore the Explorer settings the worm changed: show hidden files, show extensions
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Hidden" /t REG_DWORD /d 1 /f
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "HideFileExt" /t REG_DWORD /d 0 /f
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v "checkedvalue" /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v "checkedvalue" /t REG_DWORD /d 1 /f

rem Remove the RunOnce entry that would restart the worm after a reboot
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v "msfsa" /f

rem Delete the dropped executables
del /f /q C:\windows\tsay.exe
del /f /q C:\windows\ttry.exe

rem Delete the incaseformat.log marker from the root of every fixed disk
rem (DriveType=3); skip=1 skips the "Name" header line of the wmic output
for /f "skip=1" %%i in ('wmic logicaldisk where "DriveType=3" get name') do del /f /q %%i\incaseformat.log


Source: blog.csdn.net/Vdieoo/article/details/112600281