October 25, 2017

Trojan.BadRabbit, a.k.a. BadRabbit, poses no threat to users whose machines are protected by up-to-date Dr.Web versions that have the preventive protection component enabled. Dr.Web detects the malware as DPH:Trojan.Encoder.32 and thus prevents it from encrypting files. It also prevents the malware from modifying the MBR. The Trojan's payload is similar to that of Trojan.Encoder.12544, also known as Petya, Petya.A, ExPetya and WannaCry-2, and uses the same routine. The program has been examined by Doctor Web's researchers.

Some publications on the Web contain threat mitigation recommendations. The suggested security measures include:

• Create the read-only file C:\Windows\infpub.dat.
• Create the read-only file C:\Windows\cscc.dat.
• Use the Software Restriction Policy settings to prevent the files infpub.dat and install_flash_player.exe from being executed.

Some of these mitigation steps may have a short-term effect, but Doctor Web doesn't recommend using them as a sole means of protection. The smallest of modifications to the malware can render all those steps completely useless. Thus, a reliable anti-virus remains the most robust security tool. The latest Dr.Web version protects systems from this malware.

We will publish a detailed description of the threat once our anti-virus laboratory is finished with its research.