[Security information] Incaseformat worm outbreak! Deletes user files within 20s of startup

  • Author | Xiao Leng
  • Source | Bitnet
  • Published | 2021-01-21

On the evening of January 13, security companies including 360 and Sangfor issued an emergency alert: a large-scale outbreak of the worm incaseformat had been detected, and disk data had been deleted at many companies.

The worm spreads mainly via USB flash drives. After infecting a machine, it replicates itself and infects other computers through USB drives. Once started, it copies itself to C:\WINDOWS\tsay.exe, and user data is deleted within 20 seconds after the computer is restarted.

Security monitoring agencies predict that the incaseformat worm may break out again on January 23 and recommend that users take precautions in advance to prevent data loss.

Large-scale worm outbreak: user files are deleted within 20 seconds of booting

Analysis by the security monitoring agencies found that the worm calls the DeleteFileA and RemoveDirectory APIs to delete files on the computer. The virus also copies itself to C:\WINDOWS\tsay.exe and exits after creating a startup item. After the computer restarts, it deletes user files within 20 seconds of startup.

This is not the first outbreak of this worm; similar incidents occurred as early as 2014.

So far, users in many regions and industries across the country have been affected by the worm, but for now no specific scope of transmission has been identified.

The virus only deletes files when run from the Windows directory

According to Sangfor's security research team, the worm only triggers file deletion when it is executed from the Windows directory. When executed from a non-Windows directory, it copies itself to the Windows directory of the system drive, creates a RunOnce registry value so that it runs at the next boot, and disguises itself as a normal file.

When executed from the Windows directory, the worm replicates itself in that directory again and modifies the registry keys that control the display of hidden files.

After traversing and deleting all files on drives other than the system drive, the worm leaves an empty file named incaseformat.log in the root directory.
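As an added example (not from the article or from the vendors it cites), the following PowerShell check looks on a Windows host for the three artefacts the article names: the dropped copy at C:\WINDOWS\tsay.exe, a RunOnce value referencing it, and the incaseformat.log marker in a drive root. The two RunOnce hive paths are the standard Windows locations and are assumed here, since the article does not name them.

```powershell
# Added example: host check for the incaseformat artefacts described in the article.
# Windows directory is taken from $env:SystemRoot rather than hard-coding C:\WINDOWS.
$findings = @()

# 1. Dropped copy of the worm in the Windows directory (article: C:\WINDOWS\tsay.exe)
$dropPath = Join-Path $env:SystemRoot 'tsay.exe'
if (Test-Path -LiteralPath $dropPath) {
    $findings += "Worm copy present: $dropPath"
}

# 2. RunOnce persistence (article: the worm creates a RunOnce value).
#    Hive paths are assumed standard locations; both machine and user hives are checked.
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runOnceKeys) {
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match 'tsay\.exe') {
                $findings += "RunOnce value '$($p.Name)' in $key points at: $($p.Value)"
            }
        }
    }
}

# 3. Marker file left after deletion (article: incaseformat.log in the drive root)
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $log = Join-Path $drive.Root 'incaseformat.log'
    if (Test-Path -LiteralPath $log) {
        $findings += "Deletion marker found: $log"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No incaseformat indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated prompt so the HKLM hive and the Windows directory are readable; a hit on the RunOnce value before the next reboot is the window in which the article's 20-second deletion has not yet happened.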
Experts issue security recommendations

Following the large-scale outbreak of the incaseformat worm, many security vendors have urgently released updated scanner versions that detect it.
Security experts advise that if a computer shows signs of infection, it should be disconnected from the network immediately and given a full scan and clean with anti-virus software. Data recovery software can be tried to recover deleted data.

Security advice:

  • Do not open files from unknown sources;
  • Do not download or install software from unofficial websites;
  • Do not enable "Hide extensions for known file types";
  • Disable autorun for USB flash drives;
  • Use strong passwords and change them regularly;
  • Back up important files regularly.


Original article: blog.csdn.net/YiAnSociety/article/details/112986795