Dear all,
Recently, a new type of network virus called incaseformat is spreading in China. Infection cases have been found in many provinces, cities and industries, and there is a trend of large-scale outbreaks. After the incaseformat virus is executed, files in the computer except the C disk will be deleted, and "incaseformat" text files may be created in the disks. After the infected, it copies itself to C:\WINDOWS\tsay.exe and creates a startup item to exit, and then waits for the restart operation to start deleting.
Virus Introduction
Virus type: Worm
Transmission method: using external U disk and other equipment to cause virus infection.
Behavior:
1. Delete all files outside the C disk, and possibly create "incaseformat" text files.
2. Copy the "incaseformat" text files to C:\Windows\tsay.exe\, C:\windows\trry.exe
3. Add registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\msfsa
4. Forcibly tampering with the registry, resulting in the failure of the function of hiding the extension of the known folder type in the system, so that the file suffix cannot be viewed, and the user is confused with the folder icon.
Repair Suggestions
Once you find that the file is missing but the space usage is still normal, do not restart! Please disconnect the network first, and use a security tool to perform a full scan, then try data recovery.
Reinforcement Recommendations
1. Do not visit dangerous sites, download and install unknown software at will, do not open files from unknown sources at will.
2. Try to close unnecessary sharing, or set the shared directory to read-only;
3. Strictly regulate the use of mobile media such as U disks, make sure that check and kill them before use;
4. Back up important data.
Office of the Leading Group on Network and Information Security,
Zhejiang University
January 15, 2021