URL: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/WORM_RETADUP.B

WORM_RETADUP.B

July 18, 2017

Analysis by: Cris Nowell Pantanilla

--------------------------------------------------------------------------------

ALIASES: Application.Miner.AF (BitDefender)

PLATFORM: Windows

OVERALL RISK RATING / DAMAGE POTENTIAL / DISTRIBUTION POTENTIAL / REPORTED INFECTION / INFORMATION EXPOSURE: shown as rating graphics on the original page; the values are not present in the captured text.

Threat Type: Worm
Destructiveness: No
Encrypted: Yes
In the wild: Yes

  OVERVIEW

Infection Channel: Via physical/removable drives

This Worm arrives via removable drives.

It executes commands from a remote malicious user, effectively compromising the
affected system.

It retrieves specific information from the affected system.

It connects to certain websites to send and receive information.




  TECHNICAL DETAILS

File Size: 249,713 bytes
File Type: AU3 (AutoIt script)
Memory Resident: Yes
Initial Samples Received Date: 04 Jul 2017
Payload: Connects to URLs/IPs, Downloads files, Collects system information,
Drops files

Arrival Details

This Worm arrives via removable drives.

Installation

This Worm drops the following component file(s):

 * C:\newcpuspeed\BlackJocker-rad12345.rar
 * C:\newcpuspeed\cpuage.tnt
 * C:\newcpuspeed\cpufix.exe
 * C:\newcpuspeed\cpuspeed.tnt ← detected as WORM_RETADUP.D
 * C:\newcpuspeedcheck\BlackJocker-rad12345.rar
 * C:\newcpuspeedcheck\cpuage.tnt
 * C:\newcpuspeedcheck\cpufix.exe
 * C:\newcpuspeedcheck\cpuspeed.tnt ← detected as WORM_RETADUP.D



It creates the following folders:

 * C:\newcpuspeed\workers
 * C:\newcpuspeed
 * C:\newcpuspeedcheck



Autostart Technique

This Worm adds the following registry entries to enable its automatic execution
at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CpuOptimizer = "C:\newcpuspeed\Cpufix.exe "C:\newcpuspeed\cpuage.tnt""

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Checkcpu = "C:\Windows\system32\cmd.exe /c start C:\newcpuspeed\Cpufix.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
CpuOptimizer = "C:\newcpuspeed\Cpufix.exe "C:\newcpuspeed\cpuage.tnt""

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Checkcpu = "C:\Windows\system32\cmd.exe /c start C:\newcpuspeed\Cpufix.exe



Other System Modifications

This Worm adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = 0

(Note: The default value data of the said registry entry is 1. Setting it to 0 turns Explorer's "Hide protected operating system files" option back on, so files carrying the hidden and system attributes are not shown.)



Propagation

This Worm creates the following folders in all removable drives:

 * {Drive}:\AntiUsbShortCut
 * {Drive}:\newcpuspeedtest



Backdoor Routine

This Worm executes the following commands from a remote malicious user:

 * Sleep
 * Exit the malware
 * Install miner
 * Start miner
 * Close miner
 * Execute in cmd
 * Update
 * Receive a url
 * Download a file



Information Theft

This Worm retrieves the following information from the affected system:

 * OS Version
 * OS Architecture
 * OS Language
 * OS Build
 * OS ServicePack
 * Homedrive
 * Computer name
 * Username
 * Number of processors
 * Check for existence of process: cpuchecker.exe
 * Check for existence of window: systemantimalwarecheck



Other Details

This Worm connects to the following website to send and receive information:

 * http://{random values}.{BLOCKED}e.com:8090
 * http://{BLOCKED}othere.publicvm.com
 * http://{BLOCKED}othere.publicvm.com:3333
 * http://{BLOCKED}othere.publicvm.com:8090
 * http://{BLOCKED}miner.newblackage.com
 * http://{BLOCKED}miner.newblackage.com:4444
 * http://{BLOCKED}miner.newblackage.com:8090



NOTES:


This worm drops the following files on removable drives:

 * {Drive}:\AntiUsbShortCut\AntiUsbShortCut\AntiShortCut.lnk
 * {Drive}:\AntiUsbShortCut\AntiUsbShortCut\AntiUsb.exe
 * {Drive}:\AntiUsbShortCut\AntiUsbShortCut\AntiUsbShortCut.zip
 * {Drive}:\AntiUsbShortCut\AntiUsbShortCut\AntiUsbShortCut.lnk
 * {Drive}:\AntiUsbShortCut\AntiUsbShortCut\AntiUsbWorm.zip
 * {Drive}:\AntiUsbShortCut\AntiUsbShortCut\AutoIt3.exe
 * {Drive}:\{folder}\Downloads.lnk
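The Installation, Autostart Technique, Propagation and Other Details sections above, together with the removable-drive file list just given, are a set of host and network indicators. The script below turns them into a matcher. It is an added example, not Trend Micro's code: the indicator strings are copied from this description, `{Drive}` and `{folder}` are the encyclopedia's own placeholders and are translated into patterns, the `{BLOCKED}` host fragments cannot be reproduced so only the visible parent domains and the listed ports are matched, and the observation list at the bottom is constructed test data standing in for an Autoruns, Sysmon or proxy export.

```python
"""Match host and network observations against the WORM_RETADUP.B indicators.
Added example, not Trend Micro's code: indicator strings are copied from the
description, {Drive}/{folder} are the encyclopedia's placeholders, and the
observations at the bottom are constructed test data."""
import re

FILE_IOCS = [
    r"C:\newcpuspeed\BlackJocker-rad12345.rar", r"C:\newcpuspeed\cpuage.tnt",
    r"C:\newcpuspeed\cpufix.exe", r"C:\newcpuspeed\cpuspeed.tnt",
    r"C:\newcpuspeedcheck\BlackJocker-rad12345.rar", r"C:\newcpuspeedcheck\cpuage.tnt",
    r"C:\newcpuspeedcheck\cpufix.exe", r"C:\newcpuspeedcheck\cpuspeed.tnt",
    r"{Drive}:\AntiUsbShortCut\AntiUsbShortCut\AntiShortCut.lnk",
    r"{Drive}:\AntiUsbShortCut\AntiUsbShortCut\AntiUsb.exe",
    r"{Drive}:\AntiUsbShortCut\AntiUsbShortCut\AntiUsbShortCut.zip",
    r"{Drive}:\AntiUsbShortCut\AntiUsbShortCut\AntiUsbShortCut.lnk",
    r"{Drive}:\AntiUsbShortCut\AntiUsbShortCut\AntiUsbWorm.zip",
    r"{Drive}:\AntiUsbShortCut\AntiUsbShortCut\AutoIt3.exe",
    r"{Drive}:\{folder}\Downloads.lnk",
]
FOLDER_IOCS = [r"C:\newcpuspeed\workers", r"C:\newcpuspeed", r"C:\newcpuspeedcheck",
               r"{Drive}:\AntiUsbShortCut", r"{Drive}:\newcpuspeedtest"]
RUN_KEYS = {h + r"\software\microsoft\windows\currentversion\run"
            for h in ("hkey_current_user", "hkey_local_machine")}
RUN_VALUE_NAMES = {"cpuoptimizer", "checkcpu"}
C2_PARENT_DOMAINS = ("publicvm.com", "newblackage.com")  # only the parents of the {BLOCKED} hosts are visible
C2_PORTS = {3333, 4444, 8090}

# {Drive} is one drive letter; {folder} is one path component (no backslash).
_PLACEHOLDERS = {"{Drive}": r"[A-Za-z]", "{folder}": r"[^\\]+"}
_PLACEHOLDER_RE = re.compile(r"\{Drive\}|\{folder\}")

def ioc_to_regex(ioc):
    """Anchored, case-insensitive regex. NTFS compares paths case-insensitively,
    so Cpufix.exe in the Run value and cpufix.exe in the drop list must hit the same rule."""
    parts, pos = [], 0
    for m in _PLACEHOLDER_RE.finditer(ioc):
        parts.append(re.escape(ioc[pos:m.start()]))
        parts.append(_PLACEHOLDERS[m.group()])
        pos = m.end()
    parts.append(re.escape(ioc[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

_PATH_RULES = [(ioc, ioc_to_regex(ioc)) for ioc in FILE_IOCS + FOLDER_IOCS]

def match_path(path):
    """Indicator strings that the observed file or folder path matches."""
    path = path.rstrip("\\")
    return [ioc for ioc, rx in _PATH_RULES if rx.match(path)]

def match_run_value(key, name, data):
    """Autostart hit: a known value name, or any Run value pointing into \\newcpuspeed\\."""
    if key.rstrip("\\").lower() not in RUN_KEYS:
        return False
    return name.lower() in RUN_VALUE_NAMES or "\\newcpuspeed\\" in data.lower()

def classify_connection(host, port):
    """'c2-domain' for the listed parent domains; 'c2-port' for a listed port alone
    (weak by itself: 3333/4444 are common mining-pool ports); otherwise None."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in C2_PARENT_DOMAINS):
        return "c2-domain"
    if port in C2_PORTS:
        return "c2-port"
    return None

SAMPLE_OBSERVATIONS = [  # constructed, not from a real host
    ("file", r"C:\NewCpuSpeed\CpuFix.exe"),   # case differs from the listing
    ("file", r"E:\Photos\Downloads.lnk"),      # {Drive}:\{folder}\Downloads.lnk on a USB stick
    ("file", r"C:\Windows\System32\cmd.exe"),
    ("folder", r"E:\AntiUsbShortCut"),
    ("reg", (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
             "Checkcpu", r"C:\Windows\system32\cmd.exe /c start C:\newcpuspeed\Cpufix.exe")),
    ("reg", (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
             "OneDrive", r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe")),
    ("net", ("sub.publicvm.com", 3333)),
    ("net", ("updates.example.com", 443)),
    ("net", ("10.0.0.5", 8090)),
]

def scan(observations):
    """Return (kind, what, why) for every observation that matches an indicator."""
    findings = []
    for kind, value in observations:
        if kind in ("file", "folder"):
            hits = match_path(value)
            if hits:
                findings.append((kind, value, hits[0]))
        elif kind == "reg":
            key, name, data = value
            if match_run_value(key, name, data):
                findings.append((kind, key + "\\" + name, "autostart"))
        elif kind == "net":
            host, port = value
            verdict = classify_connection(host, port)
            if verdict:
                findings.append((kind, f"{host}:{port}", verdict))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_OBSERVATIONS):
        print(*finding, sep="\t")
```

Two points worth keeping in mind when reusing this: paths must be compared case-insensitively, because the page itself writes the dropped file as cpufix.exe and the Run value as Cpufix.exe; and a match on the parent domain or on a port alone is a lead to confirm against the host artifacts, not a verdict on its own.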

Anti-analysis Techniques

It checks for the existence of the following AV products and analysis tools:

 * avp.exe
 * tcpview.exe
 * kavmm.exe
 * vmacthlp.exe
 * snxhk.dll
 * tracer.dll
 * SbieDll.dll
 * api_log.dll
 * dir_watch.dll
 * dbghelp.dll
 * monitornet.dll
 * cuckoo
 * SandCastle
 * sandbox

It checks whether any of the following sandbox-related processes exist:

 * VBoxService.exe
 * VBoxTray.exe
 * guninraik.exe
 * VMwareUser.exe
 * VMwareService.exe
 * FortiTracer.exe
 * vmtoolsd.exe
 * BehaviorDumper.exe
 * FakeHTTPServer.exe
 * FakeServer.exe

It checks whether the script file name contains any of the strings below:

 * artifact
 * sample
 * .

It checks whether it is being executed from one of these folders:

 * C:\virus
 * C:\

It checks whether the following folders exist:

 * C:\CWSandbox\
 * C:\Python26\
 * C:\cuckoo\

It checks for the following virtual machine identifiers:

 * Bochs
 * innotek
 * VMware

It checks for the following window:

 * systemantimalwarebyrad

If any of the above is confirmed, the script does not continue.
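The checks above are what decide whether a detonation box sees the worm's real behaviour or a script that quietly exits. The following is an added example, not Trend Micro's or the malware's code: it re-implements the listed checks over a host snapshot so an analyst can see which one would fire on a given sandbox. The lists are copied from the description with duplicates collapsed; the snapshots are constructed. The page does not say what the bare strings (cuckoo, SandCastle, sandbox) are matched against or where the VM names are looked for, so matching them against the script's own path and against manufacturer/BIOS strings is an assumption, marked in the code.

```python
"""Replay WORM_RETADUP.B's anti-analysis checks against a host snapshot.
Added example, not Trend Micro's or the malware's code: the lists are copied
from the description (duplicates collapsed) and the snapshots are constructed.
Where the page does not say what a string is matched against, the choice made
here is an assumption and is commented as such."""
import ntpath
from dataclasses import dataclass, field

AV_AND_ANALYSIS_ARTIFACTS = [
    "avp.exe", "tcpview.exe", "kavmm.exe", "vmacthlp.exe", "snxhk.dll", "tracer.dll",
    "SbieDll.dll", "api_log.dll", "dir_watch.dll", "dbghelp.dll", "monitornet.dll",
    "cuckoo", "SandCastle", "sandbox",
]
SANDBOX_PROCESSES = [
    "VBoxService.exe", "VBoxTray.exe", "guninraik.exe", "VMwareUser.exe", "VMwareService.exe",
    "FortiTracer.exe", "vmtoolsd.exe", "BehaviorDumper.exe", "FakeHTTPServer.exe", "FakeServer.exe",
]
SCRIPT_NAME_SUBSTRINGS = ["artifact", "sample"]  # the page's lone "." would fire on every name; left out
EXEC_FOLDERS = [r"C:\virus", "C:\\"]
SANDBOX_FOLDERS = ["C:\\CWSandbox\\", "C:\\Python26\\", "C:\\cuckoo\\"]
VM_IDENTIFIERS = ["Bochs", "innotek", "VMware"]
MARKER_WINDOW = "systemantimalwarebyrad"


@dataclass
class Snapshot:
    processes: list        # image names of running processes
    modules: list          # DLLs loaded into the worm's own process
    script_path: str       # full path of the executing .au3 script
    existing_dirs: list    # directories present on the system drive
    vm_identifiers: list   # assumption: system manufacturer / BIOS strings
    window_titles: list = field(default_factory=list)


def _norm_dir(path):
    """Lower-case and strip the trailing backslash so 'C:\\' and 'C:' compare equal."""
    return path.lower().rstrip("\\")


def audit(snap):
    """Return (check, matched value) pairs for every check that would trigger."""
    hits = []
    procs = {p.lower() for p in snap.processes}
    mods = {m.lower() for m in snap.modules}
    path_l = snap.script_path.lower()
    for item in AV_AND_ANALYSIS_ARTIFACTS:
        low = item.lower()
        if low.endswith(".exe") and low in procs:
            hits.append(("av/analysis process", item))
        elif low.endswith(".dll") and low in mods:
            hits.append(("analysis dll loaded", item))
        elif not low.endswith((".exe", ".dll")) and low in path_l:
            hits.append(("analysis string in path", item))  # assumption: bare words vs. own path
    for proc in SANDBOX_PROCESSES:
        if proc.lower() in procs:
            hits.append(("sandbox process", proc))
    for sub in SCRIPT_NAME_SUBSTRINGS:
        if sub in ntpath.basename(path_l):
            hits.append(("script name", sub))
    exec_dir = ntpath.dirname(snap.script_path)
    if _norm_dir(exec_dir) in {_norm_dir(d) for d in EXEC_FOLDERS}:
        hits.append(("execution folder", exec_dir))
    present = {_norm_dir(d) for d in snap.existing_dirs}
    for folder in SANDBOX_FOLDERS:
        if _norm_dir(folder) in present:
            hits.append(("sandbox folder", folder))
    for ident in VM_IDENTIFIERS:
        if any(ident.lower() in s.lower() for s in snap.vm_identifiers):
            hits.append(("vm identifier", ident))
    if MARKER_WINDOW in {w.lower() for w in snap.window_titles}:
        hits.append(("marker window", MARKER_WINDOW))
    return hits


def would_run(snap):
    """The page's rule: if any check is confirmed, the script does not continue."""
    return not audit(snap)


NAIVE_SANDBOX = Snapshot(  # constructed: a stock VirtualBox guest driven by an analysis framework
    processes=["explorer.exe", "VBoxService.exe", "VBoxTray.exe", "python.exe"],
    modules=["kernel32.dll", "user32.dll"],
    script_path=r"C:\cuckoo\analyzer\sample_7f2a.au3",
    existing_dirs=[r"C:\Python27", r"C:\cuckoo"],
    vm_identifiers=["innotek GmbH", "VirtualBox"],
)
HARDENED_HOST = Snapshot(  # constructed: what the worm expects a victim to look like
    processes=["explorer.exe", "svchost.exe", "OneDrive.exe"],
    modules=["kernel32.dll", "user32.dll"],
    script_path=r"C:\Users\jsmith\Downloads\invoice.au3",
    existing_dirs=[r"C:\Users", r"C:\Program Files"],
    vm_identifiers=["Dell Inc.", "OptiPlex 7070"],
)

if __name__ == "__main__":
    for name, snap in (("naive sandbox", NAIVE_SANDBOX), ("hardened host", HARDENED_HOST)):
        print(name, "-> runs" if would_run(snap) else "-> bails", audit(snap))
```

Running the naive snapshot shows six separate triggers, any one of which is enough: renaming the sample and moving it out of C:\cuckoo is not sufficient while VBoxService.exe and the innotek manufacturer string remain. Note also that dbghelp.dll is an ordinary Windows library, so the loaded-module check can send the worm down the benign path on a real host where a debugging-related tool happens to be loaded, which is one reason a sample can "do nothing" outside a sandbox too.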


  SOLUTION

Minimum Scan Engine: 9.850
FIRST VSAPI PATTERN FILE: 13.512.02
FIRST VSAPI PATTERN DATE: 04 Jul 2017
VSAPI OPR PATTERN File: 13.513.00
VSAPI OPR PATTERN Date: 05 Jul 2017

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must
disable System Restore to allow full scanning of their computers.

Step 2



Note that not all files, folders, and registry keys and entries are installed on
your computer during this malware's/spyware's/grayware's execution. This may be
due to incomplete installation or other operating system conditions. If you do
not find the same files/folders/registry information, please proceed to the next
step.



Step 3

Delete this registry value


Important: Editing the Windows Registry incorrectly can lead to irreversible
system malfunction. Please do this step only if you know how or you can ask
assistance from your system administrator. Else, check this Microsoft article
first before modifying your computer's registry.

 
 * In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   * CpuOptimizer = "C:\newcpuspeed\Cpufix.exe "C:\newcpuspeed\cpuage.tnt""
     
 * In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   * Checkcpu = "C:\Windows\system32\cmd.exe /c start C:\newcpuspeed\Cpufix.exe
     
 * In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   * CpuOptimizer = "C:\newcpuspeed\Cpufix.exe "C:\newcpuspeed\cpuage.tnt""
     
 * In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   * Checkcpu = "C:\Windows\system32\cmd.exe /c start C:\newcpuspeed\Cpufix.exe
     

To delete the registry value this malware created:

 1. Open Registry Editor. To do this:
    » For Windows 2000, Windows XP, and Windows Server 2003 users, click
    Start>Run, type regedit in the text box provided, and then press Enter.
    » For Windows Vista, Windows 7, and Windows Server 2008 users, click the
    Start button, type regedit in the Search input field then press Enter.
    » For Windows 8, Windows 8.1, and Windows Server 2012 users, right-click on
    the lower left corner of the screen, click Run, type regedit in the text box
    provided, and then press Enter.
 2. In the left panel of the Registry Editor window, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
 3. In the right panel, locate and delete the entry:
    CpuOptimizer = "C:\newcpuspeed\Cpufix.exe "C:\newcpuspeed\cpuage.tnt""
 4. Again, in the right panel, locate and delete the entry:
    Checkcpu = "C:\Windows\system32\cmd.exe /c start C:\newcpuspeed\Cpufix.exe
 5. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
 6. In the right panel, locate and delete the entry:
    CpuOptimizer = "C:\newcpuspeed\Cpufix.exe "C:\newcpuspeed\cpuage.tnt""
 7. Again, in the right panel, locate and delete the entry:
    Checkcpu = "C:\Windows\system32\cmd.exe /c start C:\newcpuspeed\Cpufix.exe
 8. Close Registry Editor.



Step 4

Search and delete these folders

Please make sure you check the Search Hidden Files and Folders checkbox in the
More advanced options option to include all hidden folders in the search result.
 * C:\newcpuspeed
 * C:\newcpuspeedcheck
 * C:\newcpuspeed\workers

To delete malware/grayware/spyware folders:

For Windows 2000, Windows XP, and Windows Server 2003:

 1. Right-click Start then click Search... or Find..., depending on the version
    of Windows you are running.
 2. In the File name* input box, type:
    
     * C:\newcpuspeed
     * C:\newcpuspeedcheck
     * C:\newcpuspeed\workers

 3. In the Look In drop-down list, select My Computer, then press Enter.
 4. Once located, select the folder then press SHIFT+DELETE to permanently
    delete the folder.
 5. Repeat steps 2 to 4 for the remaining folders:
     * C:\newcpuspeed
     * C:\newcpuspeedcheck
     * C:\newcpuspeed\workers
    
    
    
    
    *Note: The file name input box title varies depending on the Windows version
    (e.g. Search for files or folders named or All or part of the file name.).

For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and
Windows Server 2012:

 1. Open a Windows Explorer window.
    * For Windows Vista, 7, and Server 2008 users, click Start>Computer.
    * For Windows 8, 8.1, and Server 2012 users, right-click on the lower left
      corner of the screen, then click File Explorer.
 2. In the Search Computer/This PC input box, type:
    
     * C:\newcpuspeed
     * C:\newcpuspeedcheck
     * C:\newcpuspeed\workers

 3. Once located, select the folder then press SHIFT+DELETE to permanently delete
    the folder.
 4. Repeat steps 2-3 for the remaining folders:
     * C:\newcpuspeed
     * C:\newcpuspeedcheck
     * C:\newcpuspeed\workers
    
    
    
    
    *Note: Read the following Microsoft page if these steps do not work on
    Windows 7.



Step 5

Scan your computer with your Trend Micro product to delete files detected as
WORM_RETADUP.B. If the detected files have already been cleaned, deleted, or
quarantined by your Trend Micro product, no further step is required. You may
opt to simply delete the quarantined files. Please check this Knowledge Base
page for more information.



Copyright © 2022 Trend Micro Incorporated. All rights reserved.