Incaseformat virus killer: How to check and kill incaseformat virus? Emergency spread!

On January 13, 2021, a worm called incaseformat broke out in China.
The Hi-format data recovery team received a large number of user inquiries at almost the same time. After following up on each user's situation in depth, it found that files on all disks other than the C drive had been deleted, and that on some users' disks a text document named "incaseformat" had been created.
After examining the affected machines, the Hi-format engineering team confirmed that the cause was a virus on the computer; the virus file deletes files and directories by calling DeleteFileA and RemoveDirectory.
After the virus starts, it copies itself to C:\WINDOWS\tsay.exe, creates a startup item and exits. It then waits for a restart and carries out the deletion about 20s after the next startup.
If you find that files are missing but the disk space in use still looks normal, do not restart; just use an anti-virus tool to remove the virus completely.
Virus Name: incaseformat
Virus Type: Worm
Virus characteristics: very similar to the "Format Partition virus"
Scope of impact: infections found in many provinces and cities and in many industries, with a trend toward a large-scale outbreak
Hazard rating: high, can lead to loss of user data
The virus causes all data on the hard disk to be lost, and all executable programs, such as those on the C drive and the desktop, can no longer be used. All teachers and students are reminded to back up important data in time. Be careful not to store the backup on the local hard disk; copy it to other media (mobile hard disk, network disk, CD-ROM, U disk, etc.). Apply patches and run anti-virus treatment in time.
The first step: Incaseformat virus killing.
Here is an effective solution. Applicable situation: The file is gone. You can freely delete the incaseformat.txt file in the infected folder, and you will not be prompted that the file is being occupied.
First of all, never restart the computer.
Then, download an anti-virus tool (USBcleaner is used as the example here).
Download the USBcleaner software and unzip it to a folder that is not infected by the incaseformat virus. If all the folders are infected, you can unzip the software to the desktop without installation.
After the installation is complete, the incaseformat virus removal officially starts.
1. Search and delete all incaseformat.txt files in the computer.
Reason: Incaseformat virus generally only infects first-level files, and subfolders will not be infected.
2. Close all computer applications and restart the computer in safe mode.
Purpose: To prevent viruses from spreading to other disks.
3. Start the virus killing tool:

4. Click [Comprehensive Detection] to comprehensively detect the incaseformat virus in the computer.
After the detection is completed, the software prompts [whether to start the folder icon virus special killing tool], just confirm it.
Local virus on the computer
Removal method: use the folder icon virus special killing tool mentioned above to remove it.

After the software has finished removing the virus, reopen the previously infected folder. You can see the original files again, and the fake exe files the virus put in their place have been deleted.
Supplement: After the scan is completed, some users will find that the computer has a hidden folder named System Volume Information. This is not a virus; it is a folder of restore point information that the system generates automatically, so don't worry.
5. After completing the above operations, restart the computer in normal mode, and finally use the anti-virus software on the computer to do the finishing work.
In addition, if your computer was infected from a U disk, be sure to remove the virus from the U disk as well; you can use the tool above to do this.

Step 2: Restore data after the incaseformat virus is killed.
Make sure that there is no virus in the computer. If the files no longer exist, it is recommended to try to retrieve them with data recovery software (take Hi Format Data Recovery Master as an example).
1. Install the data recovery tool, scan the computer to detect the remaining data.

2. If the software cannot scan the data, you can make an appointment for an engineer to operate.

Causes and consequences of incaseformat virus
1. Incaseformat virus: The incaseformat virus is also called the folder icon virus. It has a process dedicated to generating the incaseformat virus in a folder. The incaseformat.txt you see is actually a mirror file.
2. The nature of the incaseformat virus: the incaseformat virus is a combination of two types of viruses, Trojan horses and worms, so it has the characteristics of both. It can replicate, naming its copy after the folder it is located in and taking that folder's place, and it infects exe files: when you click on the exe file, the Trojan starts and spreads to other folders.
To sum up: the core mechanism of the incaseformat virus is to forcibly hide all your actual files and then put an identical-looking fake exe file in the original location, so that you think this exe is the original file.
Let me show you the following:
1. Open File Explorer, go to the View tab, and in the Show/hide section on the right tick the file extension checkbox. (Once it is ticked, file extensions are displayed.)

2. Return to the folder and look at the files. If you have been infected with the virus, the file extension is exe.
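A read-only check for the indicators described in this article, added here as an example and not taken from the original post or from any vendor tool. The function name Find-IncaseformatIndicator is hypothetical, and the script assumes that the fake exe carries the name of the hidden folder it replaces and that the startup item is visible through Win32_StartupCommand.

```powershell
# Added example: read-only triage for the indicators this article names.
# Nothing is deleted or changed; findings are returned as objects.
function Find-IncaseformatIndicator {
    param(
        # Path the article gives for the worm's copy of itself.
        [string]$WormCopy = 'C:\WINDOWS\tsay.exe',
        # Drive roots to inspect; defaults to every mounted file-system drive.
        [string[]]$Roots = (Get-PSDrive -PSProvider FileSystem).Root
    )

    if (Test-Path -LiteralPath $WormCopy) {
        [pscustomobject]@{ Indicator = 'worm copy present'; Path = $WormCopy }
    }

    # Startup entries (Run keys, Startup folders) whose command mentions the copy.
    $leaf = Split-Path -Leaf $WormCopy
    Get-CimInstance -ClassName Win32_StartupCommand |
        Where-Object { $_.Command -like "*$leaf*" } |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'startup item'; Path = "$($_.Location): $($_.Command)" }
        }

    foreach ($root in $Roots) {
        # The drive root plus its first-level folders, hidden ones included.
        $dirs = @($root) + @(Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
            ForEach-Object FullName)
        foreach ($dir in $dirs) {
            $marker = Join-Path $dir 'incaseformat.txt'
            if (Test-Path -LiteralPath $marker) {
                [pscustomobject]@{ Indicator = 'marker file'; Path = $marker }
            }
            # Assumption: a hidden folder with a same-named .exe beside it is the
            # disguise described above (real item hidden, exe posing as it).
            Get-ChildItem -LiteralPath $dir -Directory -Hidden -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $fake = "$($_.FullName).exe"
                    if (Test-Path -LiteralPath $fake -PathType Leaf) {
                        [pscustomobject]@{ Indicator = 'hidden folder shadowed by exe'; Path = $fake }
                    }
                }
        }
    }
}

Find-IncaseformatIndicator | Format-Table -AutoSize -Wrap
```

An empty result means none of these indicators were found in the locations checked; it does not replace the full anti-virus scan described above.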
Finally, I need to remind everyone:
First: the incaseformat virus may have a second outbreak.
According to the follow-up of the Hi Format team, it was found that the deletion date of the incaseformat virus was set on January 13, and the next deletion time was January 23. If the virus in your computer is not completely checked and killed, it is very likely that you will face the danger of being deleted again.
Second: About U Disk Virus
If there is a virus in the U disk, pay attention to using the antivirus tool to kill the virus on the U disk.
To prevent viruses, do not double-click to open the USB flash drive. It will be safer to right-click to open the USB flash drive.
Third: About data recovery
If you find that your files are lost or deleted by mistake during the operation, please do not do any operations and seek professional help immediately to prevent the files from being overwritten due to improper operations (the files cannot be recovered if they are overwritten).
Finally, it is recommended that every user use virus checking and killing software for in-depth checking and killing in time, and also remember to forward it to friends around you to check for viruses in time to avoid the risk of data loss!


Origin blog.csdn.net/wangyu123abc/article/details/112604207