Dropped by other malware
This malware is one of the variants/components of the RETADUP malware discovered in September 2017 hitting users in South America for the purpose of cryptocurrency mining. Users infected by this malware may observe malicious behaviors being exhibited on their systems.
This Worm may be dropped by other malware.
It is a component of other malware.
13 Jul 2017
This Worm may be dropped by the following malware:
This Worm creates the following folders:
Other System Modifications
This Worm adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
CpuOptimizer = "C:\newcpuspeed\Cpufix.exe "C:\newcpuspeed\cpuage.tnt""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Checkcpu = "C:\Windows\system32\cmd.exe /c start C:\newcpuspeed\Cpufix.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
CpuOptimizer = "C:\newcpuspeed\Cpufix.exe "C:\newcpuspeed\cpuage.tnt""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Checkcpu = "C:\Windows\system32\cmd.exe /c start C:\newcpuspeed\Cpufix.exe"
It modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden = 0
(Note: The default value data of the said registry entry is 1.)
This Worm does the following:
This worm drops the following files on removable drives:
14 Jul 2017
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Remove the malware/grayware file dropped/downloaded by WORM_RETADUP.D. (Note: Please skip this step if the threat(s) listed below have already been removed.)
Identify and terminate files detected as WORM_RETADUP.D
To terminate the malware/grayware/spyware process:
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.
To delete the registry value this malware created:
Restore this modified registry value
To restore the registry value this malware/grayware modified:
Search and delete these folders
To delete malware/grayware/spyware folders:
For Windows 2000, Windows XP, and Windows Server 2003:
For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012:
Scan your computer with your Trend Micro product to delete files detected as WORM_RETADUP.D. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
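The following PowerShell script is an added example, not part of the Trend Micro entry or any Trend Micro product. It audits a host for the specific artifacts listed above (the CpuOptimizer and Checkcpu values under the HKCU and HKLM Run keys, any Run value pointing into C:\newcpuspeed, the C:\newcpuspeed folder itself, and ShowSuperHidden set to 0) and, only when run with -Remediate, carries out the manual steps in the same order the entry gives them: terminate the process, delete the persistence values, restore ShowSuperHidden to its default of 1, and remove the folder. The function names, the -Remediate switch and the output object layout are this example's own assumptions; the indicators come from the entry.

```powershell
# Added audit/remediation script for the WORM_RETADUP.D indicators listed in the entry.
# Not Trend Micro code. Run in an elevated PowerShell session; without -Remediate it only reports.
[CmdletBinding()]
param(
    [switch]$Remediate   # assumption: opt-in switch; default is report-only
)

# Indicators taken from the entry above
$RunKeys     = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
$ValueNames  = @('CpuOptimizer', 'Checkcpu')
$DropFolder  = 'C:\newcpuspeed'
$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-RetadupIndicators {
    # Returns one object per indicator found; an empty result means nothing matched.
    $findings = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath etc.
            $named   = $ValueNames -contains $prop.Name
            $pointsIn = "$($prop.Value)" -match [regex]::Escape($DropFolder)
            # Flag the documented value names, and any other Run value launching from the drop folder
            if ($named -or $pointsIn) {
                $findings += [pscustomobject]@{
                    Type = 'RunValue'; Location = "$key\$($prop.Name)"; Data = "$($prop.Value)"
                }
            }
        }
    }
    if (Test-Path $DropFolder) {
        $findings += [pscustomobject]@{ Type = 'Folder'; Location = $DropFolder; Data = '' }
    }
    $ssh = (Get-ItemProperty -Path $AdvancedKey -ErrorAction SilentlyContinue).ShowSuperHidden
    if ($ssh -eq 0) {
        # The entry states the default is 1; 0 hides protected OS files from the user
        $findings += [pscustomobject]@{ Type = 'HiddenFilesSetting'; Location = "$AdvancedKey\ShowSuperHidden"; Data = '0' }
    }
    return $findings
}

function Invoke-RetadupRemediation {
    param([Parameter(Mandatory)]$Findings)
    # Step 1 of the entry: terminate anything running out of the drop folder before deleting it
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -like "$DropFolder\*" } |
        ForEach-Object { Write-Host "Stopping $($_.Name) (PID $($_.Id))"; Stop-Process -Id $_.Id -Force }
    foreach ($f in $Findings) {
        switch ($f.Type) {
            'RunValue' {
                $key  = Split-Path $f.Location -Parent
                $name = Split-Path $f.Location -Leaf
                Write-Host "Deleting $($f.Location)"
                Remove-ItemProperty -Path $key -Name $name -ErrorAction Stop
            }
            'HiddenFilesSetting' {
                Write-Host "Restoring ShowSuperHidden to 1"
                Set-ItemProperty -Path $AdvancedKey -Name ShowSuperHidden -Value 1 -Type DWord
            }
            'Folder' {
                Write-Host "Removing $($f.Location)"
                Remove-Item -Path $f.Location -Recurse -Force -ErrorAction Stop
            }
        }
    }
}

$found = Get-RetadupIndicators
if (-not $found) {
    Write-Host "No WORM_RETADUP.D indicators found on $env:COMPUTERNAME"
} else {
    $found | Format-Table -AutoSize
    if ($Remediate) { Invoke-RetadupRemediation -Findings $found }
    else { Write-Host "Report-only run; re-run with -Remediate to apply the removal steps." }
}
```

The audit matches Run values on content as well as on the documented names, so a sample that keeps the same drop folder but renames its persistence value is still reported. Remediation deliberately follows the entry's sequence (process first, then registry, then folder) because deleting the folder while Cpufix.exe is running leaves a locked file and an intact autorun entry; a full scan with the installed product is still the final step, as the entry says.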