Unsuspecting users downloaded and executed a file named
What is the connection with Taiga?
Am I infected?
If you downloaded
How can I clean my system?
If you don't know how, Bleeping Computer has a guide with pictures, describing these steps.
You may also want to block
Note that following these instructions may not suffice, so you should take other precautions such as scanning your computer with Malwarebytes.
It was already fixed before I even woke up.
I'm thinking if it'd be possible for me to release a targeted update to all infected machines, using Taiga's auto-update mechanism.
Is there anyone who can give me clear instructions on how to completely get rid of the malware? I'm not sure if simply deleting a registry key and an executable file suffices, and I don't have a testing environment at the moment.
At the very least, I might be able to release a pseudo-update to infected machines to inform the users about the incident and direct them to some useful web page.
added a commit (Nov 4, 2017)
@bartblaze has informed me that deleting the registry value and the executable file is indeed sufficient. I've gone ahead and created a new branch called crunchyfix. If anyone would like to test it, you may download it from here.
@agrecascino It seems that our code is quite similar. Is it necessary for the application to be run as administrator?
Since the registry key is in HKCU, administrator permission is not needed. Same goes for the process, as it runs in user-mode.
And, while indeed removing the registry key and the binary is sufficient, I can't speak for any second-stage payload that may have been downloaded in the early stage of the attack; however, when I investigated shortly after, I didn't observe any secondary malware.
Hope this helps, and thanks to @erengy for including a fix!
@agrecascino I did test on two separate machines. The application was able to delete the registry value, terminate the process, and delete the executable file, all without being elevated. I was just wondering if it might behave differently on different systems, as I'm not that familiar with how permissions work.
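The cleanup discussed in the replies above (stop the process, delete the HKCU registry value, delete the executable, none of it requiring elevation) as a stand-alone PowerShell script. This is an added example, not the crunchyfix branch or any other Taiga code. The registry key (`HKCU\...\Run`), the value name and the executable path are placeholders chosen for illustration; the thread does not name the actual identifiers, so substitute the real ones before use.

```powershell
# Added example, not Taiga's crunchyfix code. Removes a user-mode persistence
# entry of the kind described in this thread: an HKCU autostart value plus the
# executable it points to, after terminating that executable's process.
# The key, value name and path below are ASSUMED placeholders, not the real
# identifiers from the incident.
param(
    [string]$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', # assumed autostart key
    [string]$ValueName = 'ExampleValue',                                         # placeholder, not the real name
    [string]$ExePath   = "$env:APPDATA\example\example.exe"                      # placeholder, not the real path
)

$infected = $false

# 1. Check for the autostart value. The key lives under HKCU, so the current
#    user owns it and no administrator rights are required.
$props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($props -and ($props.PSObject.Properties.Name -contains $ValueName)) {
    $infected = $true
    Write-Host "Found autostart value '$ValueName' -> $($props.$ValueName)"
}

# 2. Terminate the process if it is running. Match on the image path rather
#    than the process name so an unrelated process with the same name is kept.
#    A user-mode process in our own session can be killed without elevation.
$procs = @(Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -eq $ExePath })
foreach ($p in $procs) {
    $infected = $true
    Write-Host "Terminating PID $($p.Id) ($($p.Path))"
    Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
}
# Let the process actually exit before deleting its image, otherwise the
# file may still be locked.
if ($procs.Count -gt 0) { $procs | Wait-Process -Timeout 10 -ErrorAction SilentlyContinue }

# 3. Remove both artifacts.
if ($infected) {
    Remove-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $ExePath -Force -ErrorAction SilentlyContinue
}

# 4. Verify: report success only if the value and the file are both gone.
$valueGone = -not ((Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue).PSObject.Properties.Name -contains $ValueName)
$fileGone  = -not (Test-Path -LiteralPath $ExePath)
if (-not $infected) {
    Write-Host "No indicators found."
} elseif ($valueGone -and $fileGone) {
    Write-Host "Cleanup complete."
} else {
    Write-Warning "Cleanup incomplete: value removed=$valueGone, file removed=$fileGone"
}
```

The script only removes the two artifacts named in the thread. As bartblaze notes, that says nothing about a possible second-stage payload, which is why a full scan with a tool such as Malwarebytes is still worth running afterwards. The explicit verification step at the end is what an auto-deployed fix should also report back, rather than assuming the delete calls succeeded.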
I've now deployed an update that specifically targets infected machines. It displays this message to the user (let me know if you think that the wording can be improved):
It should work, but I'd really appreciate it if someone with an infected VM could confirm.