Retadup

Retadup is a malicious, self-propagating Windows worm that was invading vulnerable systems located in the countries of Latin America, as well as Mexico. The malicious worm was deactivated by malware researchers working along with the French National Gendarmerie and FBI because the servers associated with this malware were located in France and the United States. Over 850,000 systems were cleared from this malware, which was done by malware researchers. It would seem that that was the end of the worm, but, unfortunately, we cannot guarantee that. The cybercriminals who developed the worm could easily reactivate it and make it even stronger. This is why it is important to understand this malware better, as well as learn how to protect the Windows operating system against it. We also discuss the removal of Retadup because although it should have been deleted automatically, it is important to check if your operating system was cleared from this malware successfully.

According to the malware experts who unveiled Retadup, this malicious worm has multiple different versions that offer different opportunities for the malicious cyber attackers. The infection itself was created using AutoIt or AutoHotkey, and it consisted of two files that helped operate it. One file was a malicious script that ran the threat, and the other one was a scripting language interpreter that aided it. The worm was either distributed as a source code, or the script was compiled and only then distributed. It was discovered that the infection was spread using .LNK files, which were spread via connected drives. When the infection found a victim, all connected drives were infected as well. Once fully established, Retadup created .LNK files that looked like real folders, and if the user was tricked into opening this fake “folder,” the malicious script was run using the script interpreter. According to the collected data, most victims were Windows 7 users without effective anti-malware tools installed on their computers. The prevalence of the worm proves that Windows users can be tricked into executing the worm without even realizing it.

Once installed, Retadup was found in a folder with 21 random letters as a name, and this folder consisted of .TXT and .EXE files with the same name. While the worm could record a lot of information about the user and their system (it was sent to a C&C server), this is not what the infection was created for. During the analysis supported by the French National Gendarmerie and FBI, Retadup was mainly spreading a clandestine Monero miner. Monero is a popular cryptocurrency, and a miner is a tool that allows earning money when a computer is employed to calculate cryptocurrency-related processes. A miner does not pose a risk for one’s privacy, but it can exploit CPU power of the infected machine, making it run slower or even cause crashes. On rare occasions, the worm was also spreading the malicious Stop Ransomware, which has multiple different variants, as well as a dangerous Arkei password-stealer. The ransomware would encrypt files and make it possible for the attackers to perform money extortion, and the password-stealer, of course, was used to obtain sensitive login credentials. This could have allowed cyber attackers to hijack victim’s accounts and impersonate them online.

The C&C server associated with Retadup was disabled and replaced with a so-called “disinfection” server. When bot requests were sent to this server, a special response made it possible to make malware self-destruct. Hopefully, all infected machines were cleaned, but, as we have mentioned already, we cannot predict if or not the same kind of attack could not be set up once more. Of course, this time, the attackers could have learned from their mistakes and lead a much more aggressive attack. Hopefully, that will not happen, but we need to be on constant lookout for similar worms. In the meantime, you need to change passwords and scan the operating system to check for additional malware that might require removal. Once you are 100% sure that your system is clean, you need to ensure reliable protection. Remember that experts deleted Retadup from systems that, in most cases, were unguarded. If you want to ensure that all threats are removed, and that your system is protected, implement a trustworthy anti-malware program now.

Retadup Removal

1. Tap Win+E keys on the keyboard to access Explorer.
2. Enter %homedrive% into the field at the top to access your local drive (C:\).
3. Look for a worm-related folder with a name that consists of 21 random letters. A .txt file and an .exe file with the same name should be found in this folder.
4. Delete the folder once you know that it is worm-related.
5. Exit Explorer and then Empty Recycle Bin.
6. Finally, install and run a trusted malware scanner to examine your system for malware leftovers.