
Trojan.MSIL.ST

Posted: September 2, 2013

Trojan.MSIL.ST is a file-erasing Trojan that deletes files of various pre-specified types and displays a rude pop-up message whenever you attempt to use them. Since Trojan.MSIL.ST deletes a wide range of files but doesn't damage your operating system beyond all hope of repair, a remote backup of all important files is the easiest workaround to a Trojan.MSIL.ST attack. Anti-malware tools still can be used to remove Trojan.MSIL.ST, assuming that they haven't been damaged by Trojan.MSIL.ST's payload, in which case you may need to load all relevant tools from an uninfected removable device (such as a DVD or USB drive).

Trojan.MSIL.ST: a Selective File Wiper with a Less Than Impressive Vocabulary

File wipers like TROJ_DIDKR.A or the (remarkably self-explanatory) Wiper often are part of sophisticated attack campaigns that attempt to steal government information or crack bank accounts before deleting any evidence of their attacks. However, one researcher at Malwarebytes recently identified a new file-wiping Trojan, Trojan.MSIL.ST, which has decidedly low-brow attack functions that are unlikely to be connected to any type of coordinated campaign. Trojan.MSIL.ST's distribution methods have not yet been verified by SpywareRemove.com malware experts but are strongly believed to use non-consensual tactics like mislabeled e-mail file attachments or drive-by downloads.

Trojan.MSIL.ST implements a fake Windows service (which Trojan.MSIL.ST describes at length as a 'Windows Virtual Service Provider') that is used to keep Trojan.MSIL.ST running automatically between system restarts. However, this little trick is just the prelude to the bulk of Trojan.MSIL.ST's payload: an attack that replaces files of various formats with Trojan.MSIL.ST's pop-up message, which informs any victims, quote, 'Because f*** you! That's why.' The replacement content, naturally, makes any programs that are dependent on the affected files defective. SpywareRemove.com malware experts can confirm the currently affected files as follows:

  • 7Z
  • ACCDB
  • BAK
  • CAB
  • CDX
  • DBF
  • DOC?
  • FPT
  • JPG
  • MDB
  • MDF
  • MSI
  • PPT
  • RAR
  • TXT
  • XLS?
  • ZIP
  • SETUP.EXE

Note the last entry, which includes a partial file name along with the file type. This means that Trojan.MSIL.ST (thankfully) does not delete all 'EXE' files, but only affects ones that include the string 'setup' in their names just before the file type extension.
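As an added example (not code from SpywareRemove.com or Malwarebytes), the list above can be turned into a backup-coverage check that reports which files of the listed types are missing from a backup manifest. The function names, sample paths and the reading of a trailing '?' as "zero or one extra character" are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Extensions exactly as listed on the page. A trailing "?" is read here as
# "zero or one extra character" (assumption; the page does not define it).
LISTED = ["7Z", "ACCDB", "BAK", "CAB", "CDX", "DBF", "DOC?", "FPT", "JPG",
          "MDB", "MDF", "MSI", "PPT", "RAR", "TXT", "XLS?", "ZIP"]

def _ext_regex(listed):
    parts = []
    for ext in listed:
        if ext.endswith("?"):
            parts.append(re.escape(ext[:-1]) + r".?")
        else:
            parts.append(re.escape(ext))
    return re.compile(r"^(?:%s)$" % "|".join(parts), re.IGNORECASE)

EXT_RE = _ext_regex(LISTED)

def at_risk_reason(path):
    """Return the matching list entry for a path, or None if it is not listed."""
    p = PureWindowsPath(path)
    ext = p.suffix[1:]
    if ext.lower() == "exe":
        # Only EXE files whose name ends in "setup" right before the extension.
        return "SETUP.EXE" if p.stem.lower().endswith("setup") else None
    return ext.upper() if EXT_RE.match(ext) else None

def backup_gaps(paths, backed_up):
    """List at-risk files absent from the backup manifest, with counts per type."""
    backed = {b.lower() for b in backed_up}  # Windows paths: case-insensitive
    gaps = [p for p in paths if at_risk_reason(p) and p.lower() not in backed]
    return gaps, Counter(at_risk_reason(p) for p in gaps)

# Constructed sample inventory and backup manifest.
SAMPLE_FILES = [
    r"C:\Users\a\Documents\report.docx",
    r"C:\Users\a\Documents\budget.XLS",
    r"C:\Users\a\Downloads\vlc_setup.exe",
    r"C:\Users\a\Downloads\setup_helper.exe",
    r"C:\Users\a\Pictures\cat.jpg",
    r"C:\Users\a\slides.pptx",
    r"C:\Windows\notepad.exe",
]
SAMPLE_MANIFEST = [r"c:\users\a\pictures\cat.jpg"]

if __name__ == "__main__":
    gaps, counts = backup_gaps(SAMPLE_FILES, SAMPLE_MANIFEST)
    for g in gaps:
        print("not backed up:", g)
    print(dict(counts))
```
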

Scrubbing Trojan.MSIL.ST's Mouth with Your PC's Equivalent of Soap

While Trojan.MSIL.ST does not appear to be enjoying widespread distribution and almost certainly hasn't taken part in the targeted attacks that have characterized other types of file-deleting Trojans, SpywareRemove.com malware analysts still rate Trojan.MSIL.ST as a threat that should be regarded with all due caution – if you want your files to stay in one piece. Reputable and updated anti-malware scanners should experience few problems in detecting and then deleting Trojan.MSIL.ST.

However, deleting Trojan.MSIL.ST will not restore any files that were damaged by Trojan.MSIL.ST, and you likely will need to use standardized file-backup techniques to recover any lost information. For this reason, SpywareRemove.com malware experts emphasize the importance of keeping remote backups of any highly critical data. Any programs damaged by Trojan.MSIL.ST may, of course, be reinstalled or repaired as soon as Trojan.MSIL.ST is removed.
