There are infections that do malicious things themselves, and then there are infections that drop other threats. Retadup belongs to the latter group, and while it can be used to intrude on the lives of Windows users, its main task is to execute other infections. To be more specific, the infection was found executing a Monero miner, STOP Ransomware, and the Arkei password stealer. A miner is software that solves the computationally expensive problems required to operate a crypto-currency; in return, the owner of the miner is awarded money. Miners consume CPU resources and can cause crashes or larger electricity bills. Ransomware is malware that encrypts files and renders them unreadable. The attacker then demands a ransom payment, and although a decryptor might be offered in return, victims usually get nothing. A password stealer, obviously, is set up to extract login data. All of these threats require removal, but you must delete Retadup first.
Retadup is a worm, which means that it can propagate itself, and, according to our research, it does that by infecting connected drives. A malicious LNK file is dropped, and it mimics a file that already exists on the attacked machine. The lookalike is meant to trick the victim into executing the shortcut, thinking they are opening a legitimate file. Unfortunately, the LNK file executes a malicious script using a script interpreter. The script file and the interpreter file are the two files that Retadup is executed with. The core of the infection is written in AutoIt or AutoHotkey; the AutoIt variants distribute a compiled script, while the AutoHotkey variants are distributed as source code. We use the plural “infections” because different versions exist. It is unlikely that the same infection would drop a miner, a ransomware infection, and a password stealer all at once. In any case, if you need to delete even one of these threats, your day could be ruined.
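The propagation mechanism described above can be checked for from a defender's side without opening any shortcut: read each LNK file's target through the WScript.Shell COM object and flag those that sit beside a real file of the same name while pointing at a script interpreter. The following PowerShell is an added example, not code from the article or from any analysis of Retadup; the interpreter names, the script extensions (.au3, .a3x, .ahk) and the assumption that the shortcut lands in the drive root are ours, and a renamed interpreter will not match the name check, so treat hits as triage leads rather than proof.

```powershell
# Added example: find lookalike .lnk files on connected drives that launch a
# script interpreter. Interpreter names and script extensions are assumptions.
$interpreterNames = @('autoit3.exe', 'autoit3_x64.exe', 'autohotkey.exe', 'autohotkeyu64.exe')

function Get-SuspiciousLnk {
    param(
        # Default: the root of every filesystem drive currently attached
        [string[]]$Roots = (Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
    )
    # WScript.Shell parses the shortcut; it does not run the target.
    $shell = New-Object -ComObject WScript.Shell

    foreach ($root in $Roots) {
        $entries = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue
        $lnks = $entries | Where-Object { $_.Extension -ieq '.lnk' }

        foreach ($lnk in $lnks) {
            # A file or folder in the same location whose name the shortcut imitates
            # (e.g. "Documents.lnk" beside "Documents", or "report.docx.lnk" beside "report.docx")
            $twin = $entries | Where-Object {
                $_.Name -ne $lnk.Name -and
                ($_.Name -eq $lnk.BaseName -or $_.BaseName -eq $lnk.BaseName)
            }
            if (-not $twin) { continue }

            try { $sc = $shell.CreateShortcut($lnk.FullName) } catch { continue }
            $target = [string]$sc.TargetPath
            $args   = [string]$sc.Arguments
            $leaf   = [System.IO.Path]::GetFileName($target).ToLower()

            $isInterpreter = ($interpreterNames -contains $leaf) -or ($target -imatch 'autoit|autohotkey')
            $hasScriptArg  = $args -imatch '\.(au3|a3x|ahk)\b'

            if ($isInterpreter -or $hasScriptArg) {
                [pscustomobject]@{
                    Shortcut  = $lnk.FullName
                    Mimics    = (@($twin) | ForEach-Object { $_.Name }) -join ', '
                    Target    = $target
                    Arguments = $args
                }
            }
        }
    }
}

# Usage: list candidates for manual inspection; nothing is executed or deleted.
Get-SuspiciousLnk | Format-List
```

Run it as an ordinary user with the removable drive attached; the output lists the shortcut, the legitimate file it imitates, and the interpreter and script it would launch, which is exactly the pairing the paragraph describes and enough to decide whether to quarantine the drive.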
The good news is that if this malicious worm had invaded your operating system, it is likely that it was automatically removed already. That is because malware researchers uncovered this threat and were able to analyze it without the attackers’ knowledge. Working with the French Gendarmerie and the FBI, they were able to set up a server that replaced the Retadup C&C server and caused the malware to self-destruct. According to the latest data, 850,000 unique infections of the worm were deleted from victims’ computers. Most of these computers were located in South and Central America and in Mexico, and, in most cases, victims were running unprotected Windows 7 systems. Does that mean that you should upgrade to Windows 10? You should have done that a long time ago, but it will not make a difference unless you secure your system. Retadup might have been destroyed, but you must implement legitimate anti-malware software to protect you and your system in the future.
It is most likely that you do not need to remove Retadup, but you can check the %HOMEDRIVE% directory just in case. If a folder with a random 21-letter name containing malicious TXT and EXE files exists, you want to delete it instantly. Of course, if you choose to install reliable anti-malware software, it will check your system and eliminate threats automatically. This is particularly helpful if you need to delete a miner, a dangerous file-encrypting ransomware threat, a password stealer, or other kinds of malware. Even though Retadup might have been removed from your system without your interference, if malware related to this worm has stolen passwords or encrypted your personal files, you might have to deal with the consequences for a long time. First and foremost, take care of your passwords. Even if you are not sure that they were stolen, it is a good idea to replace them. If you cannot come up with strong and unique passwords yourself, consider employing a trusted malware scanner.
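The manual check above (a 21-letter folder at the root of %HOMEDRIVE% holding TXT and EXE files) is easy to automate so that it can be run on many machines and the results compared. This PowerShell function is an added example written for this page, not a tool from the article or from the researchers involved; it assumes the folder name is made of letters only and reports SHA-256 hashes of the executables so they can be checked against a reputation source before anything is deleted.

```powershell
# Added example: report top-level folders on %HOMEDRIVE% whose name is exactly
# 21 letters and that contain both .txt and .exe files. The letters-only pattern
# is an assumption; hits are leads for inspection, not a verdict.
function Find-RetadupLikeFolder {
    param(
        [string]$Drive = $env:HOMEDRIVE   # e.g. "C:"
    )
    $root = $Drive.TrimEnd('\') + '\'

    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -cmatch '^[A-Za-z]{21}$' } |
        ForEach-Object {
            $folder = $_
            $files  = Get-ChildItem -LiteralPath $folder.FullName -File -Force -ErrorAction SilentlyContinue
            $txt = @($files | Where-Object { $_.Extension -ieq '.txt' })
            $exe = @($files | Where-Object { $_.Extension -ieq '.exe' })

            if ($txt.Count -gt 0 -and $exe.Count -gt 0) {
                [pscustomobject]@{
                    Folder    = $folder.FullName
                    Created   = $folder.CreationTime
                    TxtFiles  = ($txt | ForEach-Object { $_.Name }) -join ', '
                    ExeFiles  = ($exe | ForEach-Object { $_.Name }) -join ', '
                    # Hashes let you look the binaries up before removing anything
                    ExeSha256 = ($exe | ForEach-Object {
                        (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    }) -join ', '
                }
            }
        }
}

# Usage: read-only; review the output, then remove confirmed folders with
# Remove-Item -LiteralPath <folder> -Recurse -Force
Find-RetadupLikeFolder | Format-List
```

Because the function only enumerates and hashes, it is safe to run before deciding anything; if a folder matches, its creation time also tells you roughly when the infection arrived, which helps scope which passwords and files may have been exposed since then.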