Suggestions on Detection and Prevention of the Incaseformat Virus

January 20, 2021 | Mina Hao


On January 13, 2021, NSFOCUS's emergency response team received reports of the incaseformat virus from many customers in the government, healthcare, education, and telecom sectors. Our analysis found that the virus mainly infected hosts running financial management applications. On infected hosts, all files other than those on the system partition are deleted. The virus is named incaseformat because an empty file named incaseformat.log exists in the root directory of each partition whose files were deleted.

Briefing on the Virus

According to search engine results, this virus was first spotted in 2009 and was named Worm.Win32.Autorun by major antivirus vendors. As the name indicates, it spreads through removable media on Windows platforms.

When run from a non-system disk, the virus copies itself to the Windows directory, disguises itself as a folder, and adds itself to the registry as an auto-start item. As a result, the virus runs after the host restarts, traversing all directories on non-system disks while hiding itself and then creating a virus file with the same name. In addition, the virus edits the registry so that hidden files and the extensions of known file types are not shown. Finally, the virus deletes all files on non-system disks and creates the incaseformat.log file.

Suggestions on Detection and Protection

NSFOCUS provides effective detection and protection capabilities for customers.


NSFOCUS UES is a terminal security product that integrates antivirus, EDR, and terminal management capabilities. This product provides more effective intranet security detection and protection by detecting known malicious files and programs in an all-round manner.

NSFOCUS UES offers the following suggestions on detection and protection configuration:

1. The security team has identified the incaseformat virus as an active one. The administrator should enable the EDR detection policy to keep tabs on the virus and respond to it promptly.

2. By deploying bait, the administrator can capture the incaseformat virus and its possible variants and block malicious deletion behavior as soon as it is detected, minimizing the loss.

3. The administrator can prevent similar incidents from occurring on intranet hosts by configuring policies for terminal startup item protection, USB flash drive diagnosis, and malware protection, as well as other protections at the highest level.

  • NSFOCUS Intelligent Security Operation Platform (ISOP)

NSFOCUS ISOP is an intelligent security operations center that can access various security logs to identify threats and provide automated responses.

For this incident, if your platform has access to NSFOCUS UES logs, you can check for affected assets by running the following searches under Threat Management > Intelligent Search.

  • Retrieval based on sample hashes

sample_file_md5:"1071d6d497a10cef44db396c07ccde65" OR file_md5:"1071d6d497a10cef44db396c07ccde65" OR sample_file_md5:"4B982FE1558576B420589FAA9D55E81A" OR file_md5:"4B982FE1558576B420589FAA9D55E81A" OR sample_file_sha256:"8c8793eb7c80a09e1542e424ea89c23c195d364892620562e06b3df602890929" OR sample_file_sha1:"71aa3a0af1eda821a1deddf616841c14c3bbd2e3"

  • Retrieval based on process signatures

process_path: "ttry.exe" OR process_path: "tsay.exe"

  • Retrieval based on value signatures of registry keys

old_value:"C:\\windows\\tsay.exe" OR old_value:"C:\\windows\\ttry.exe" OR new_value:"C:\\windows\\tsay.exe" OR new_value:"C:\\windows\\ttry.exe"

  • Retrieval based on the registry path

registry_path:"\\RunOnce\\" AND registry_name:"msfsa"

If an asset is found to be affected, troubleshoot the issue on that asset.
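
The four retrievals above can also be applied offline to exported endpoint events. The following Python code is an added example, not NSFOCUS code: the field names and indicator values come from the queries above, while the flat dictionary layout, the host field, and the sample events are assumptions constructed for illustration.

```python
import re
# Indicators copied from the advisory's ISOP queries (hashes lower-cased).
MD5 = {"1071d6d497a10cef44db396c07ccde65", "4b982fe1558576b420589faa9d55e81a"}
SHA256 = {"8c8793eb7c80a09e1542e424ea89c23c195d364892620562e06b3df602890929"}
SHA1 = {"71aa3a0af1eda821a1deddf616841c14c3bbd2e3"}
PROC_NAMES = {"ttry.exe", "tsay.exe"}
REG_VALUES = {r"c:\windows\tsay.exe", r"c:\windows\ttry.exe"}

def _low(event, field):
    """Field value as a lower-cased string without surrounding quotes."""
    return str(event.get(field) or "").strip(' "').lower()

def match_event(event):
    """Return which of the advisory's four retrievals this event satisfies."""
    hits = []
    if (_low(event, "sample_file_md5") in MD5 or _low(event, "file_md5") in MD5
            or _low(event, "sample_file_sha256") in SHA256
            or _low(event, "sample_file_sha1") in SHA1):
        hits.append("sample_hash")
    # Compare only the file name so look-alikes such as "attry.exe" do not hit.
    if re.split(r"[\\/]", _low(event, "process_path"))[-1] in PROC_NAMES:
        hits.append("process_path")
    if _low(event, "old_value") in REG_VALUES or _low(event, "new_value") in REG_VALUES:
        hits.append("registry_value")
    # Append a separator so a key path that ends in "RunOnce" also matches.
    if ("\\runonce\\" in _low(event, "registry_path") + "\\"
            and _low(event, "registry_name") == "msfsa"):
        hits.append("registry_path")
    return hits

def affected_assets(events):
    """Map each host to the sorted list of retrievals its events matched."""
    assets = {}
    for ev in events:
        hits = match_event(ev)
        if hits:
            assets.setdefault(ev.get("host", "unknown"), set()).update(hits)
    return {host: sorted(rules) for host, rules in assets.items()}

# Constructed sample events; the "host" field and the flat layout are assumptions.
SAMPLE_EVENTS = [
    {"host": "fin-ws-01", "process_path": r"C:\Windows\tsay.exe",
     "file_md5": "4B982FE1558576B420589FAA9D55E81A"},
    {"host": "fin-ws-01", "registry_name": "msfsa", "new_value": r"C:\windows\tsay.exe",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"},
    {"host": "hr-ws-07", "process_path": r"C:\Tools\attry.exe"},
    {"host": "hr-ws-07", "registry_name": "updater", "new_value": r"C:\Apps\up.exe",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"},
]

if __name__ == "__main__": print(affected_assets(SAMPLE_EVENTS))
```

A host that matches only process_path deserves a second look before escalation, since a file name alone is the weakest of the four signals.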

  • NSFOCUS Remote Security Assessment System (RSAS)

NSFOCUS RSAS is a new generation of vulnerability management product that is developed by NSFOCUS based on years of vulnerability mining and security service practices. It can efficiently detect various vulnerabilities and risks in networks in an all-round manner and provide professional and effective security analysis and remediation suggestions.

For this incident, NSFOCUS has released RSAS system plug-in updates, and users should upgrade to the latest version (V6.0R02F01.2101) for detection of this virus.


This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

