Recently, Sangfor’s security team has detected an outbreak of a worm virus called "incaseformat" in Asia now spreading globally. The virus will self-replicate into the Windows directory of the system disk and create a registry entry to start automatically. Once the user restarts the host, the virus will start running from the Windows directory, and it will travel through all the disks except the system disk deleting all the files on those drives causing irreparable losses to the user. It may leave a text file named “incaseformat.log” or “incaseformat.txt” on the system drive.


At present, users in different industries and in multiple regions of the world have been attacked by the “incaseformat” trojan. It is impossible to determine any intended targets at this time based on the current spread patterns.


Virus Name:incaseformat
Category: Worm
Influence Scope:Infection cases were originally found in many regions in Asia and now being seen globally, potentially causing large-scale outbreaks.
Danger LevelHigh, potential risk of losing data


1. Description

When the worm is executed in a non-Windows directory, it will not delete any files but will make a copy of itself into the Windows directory of the system disk, creating create a RunOnce registry to set it as a startup item, and then will disguise itself as a normal folder.



Value: C:\windows\tsay.exe


incaseformat picture 1


When the worm is executed in the Windows directory, it will replicate itself in the same directory, and modify the following registry key to adjust hidden files:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt -> 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\checkedvalue -> 0x0

Finally, it will go through and delete all the files on all drives except the system disk, leaving an empty file named “incaseformat.log” or “incaseformat.txt” in the root directory:


incaseformat picture 2


2. Solution

Rebooting or restarting the system will cause the virus to start automatically in the Windows directory, and the file deletion behavior will only be triggered when the worm is executed in the Windows directory. Therefore, the Sangfor Security team recommends that users DO NOT restart the host before ensuring endpoint protection or virus detection software is installed and active.


1. Do not download or install any unknown software. Please make sure to download or install software from official or trusted websites.

2. Please disable any unnecessary file sharing from potentially infected systems or set the shared directory to read-only mode. Sangfor Endpoint Secure users can use the micro-isolation function to block the ports used for file sharing.

3. Strictly regulate the use of removable media such as USB flash drives and perform a virus scan before using them.

4. If you find a host that has been infected, disconnect it from the network, use endpoint protection or anti-virus software to perform a full scan and kill any malicious files found, and then use data recovery software. Sangfor provides users with free anti-virus tools. You can download a tool for virus detection and removal from:


For Sangfor Cyber Command, Next-Generation Firewall, and Endpoint Secure users, it is recommended to upgrade your software to the latest version, connect to Neural-X, and use the Neural-X cloud sandbox inspection services to detect new threats in real-time.


incaseformat picture 3


Contact Us

1. Website:
2. Email Address:
3. Technical Service Center: +60 12711 7129 (7511)

Listen To This Post


Get in Touch

Get in Touch with Sangfor Team for Business Inquiry

Related Articles

Cyber Security

Expert Tips on How to Improve Your Cyber Defense

Date : 12 Aug 2022
Read Now

Cyber Security

Ransomware Attacks in Asia on the Rise, Are You Next?

Date : 09 Aug 2022
Read Now

Cyber Security

How to Level Up Your Incident Response Plan

Date : 28 Jul 2022
Read Now

See Other Product

Cyber Command - NDR Platform
Endpoint Secure
Internet Access Gateway (IAG)
NGAF - Next Generation Firewall (NGFW)
SASE Access
icon notification