F***kin WannaCry



  • Second time it got detected on my system.

    I first noticed it because Windows Firewall kept not saving my options and kept turning on and off. It was peculiar how every time I opened Windows my firewall kept asking to allow the same programs I had previously granted, as if it reset its options every time.

    Do note I patched my system with KB4012212 a long time ago, like 2 or 3 months ago.

    But what I noticed while I was playing around with Salt and testing stuff today: if I go into my machine's Task Scheduler, I find the weird tasks again:

    Mysa1
    Mysa2
    ok

    I don't know how they got re-created. I was just in safe mode doing a full system scan and nothing appeared there, but after searching I noticed those tasks are related to WannaCry. My system looks okay, so it was the first time this happened.

    The first time, the latest mbam was able to detect Ransomware.WannaCry and removed it; then I formatted all USB drives, scanned with Sophos AV and Anti-Rootkit and ADWcleaner, and I deleted those tasks...

    Today they appeared again??? From where, I have no idea. I don't open any ports on my machine, except one for speeding up a game, and I do not use CIFS or SMB or Samba on my machine.

    Weirdly, the first time this got detected was 1-2 weeks ago, and mbam (Malwarebytes) removed it, and I checked all my files and nothing got encrypted. It seems to be the same thing now; I already made a backup and tested, and nothing got encrypted...

    Weird...

    (screenshots: Task Scheduler, 2017-06-27)

    Hope those tasks help somebody identify infected computers.



  • Sometimes for malware, you have to nuke and start over. :(



  • https://www.cyphort.com/eternalblue-exploit-actively-used-deliver-remote-access-trojans/

    According to this site:

    It creates a job file “Mysa” that would download a file a.exe via FTP from BAD SITE
    
    Then it will execute c.bat and execute another DLL file item.dat:
    
    rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa
     
    2nd Stage Payload: Item.dat
    
    We were not able to capture item.dat from our own server. This file is saved as C:\Windows\debug\item.dat and the [cmd] command expects it to be there. We believe that this is the second stage payload. 
    

    It appears that the virus is not reaching the second stage, but it is advertising my machine, because the files item.dat and ok.dat are not found in my:

    C:\Windows\debug

    It seems the UK guy that purchased the domain of WannaCry might have saved my ass.

    But this is good info for people that want to fight this. I wonder how those tasks got re-created; last time I ran:
    schtasks /delete /tn * /f
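An added example, not code from the thread or from the Cyphort write-up quoted above: a PowerShell check for the indicators the two posts mention on a Windows machine. The task names Mysa1, Mysa2 and ok and the C:\Windows\debug location come from the posts; the file names item.dat, ok.dat, c.bat and a.exe and the `rundll32 ... item.dat,ServiceMain` launch come from the quoted write-up. The function names and the regex patterns are my own. It deliberately uses schtasks.exe rather than the Get-ScheduledTask cmdlet, which Windows 7 does not have, and it assumes PowerShell 4 or later (for Get-FileHash) run from an elevated prompt.

```powershell
# Added example, not code from the thread or the Cyphort post.
# Indicators: task names Mysa1 / Mysa2 / ok (from the posts above); dropped files under
# C:\Windows\debug and the "rundll32 item.dat,ServiceMain" launch (from the quoted write-up).
# Assumes PowerShell 4+ (Get-FileHash) and an elevated prompt; uses schtasks.exe so it also runs on Windows 7.

$SuspectTaskNames = @('Mysa1', 'Mysa2', 'ok')
$SuspectFileNames = @('item.dat', 'ok.dat', 'c.bat', 'a.exe')
$DebugDir         = Join-Path $env:SystemRoot 'debug'

function Get-SuspiciousTasks {
    # /v adds the "Task To Run" column (the command line the task executes); /fo csv is parseable.
    # schtasks repeats the CSV header row per task folder, so drop those rows before filtering.
    schtasks.exe /query /fo csv /v 2>$null |
        ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        Where-Object {
            $leaf = ($_.TaskName -split '\\')[-1]          # "\Mysa1" -> "Mysa1"
            ($SuspectTaskNames -contains $leaf) -or
            ($_.'Task To Run' -match 'item\.dat|c\.bat|\bftp\b|windows\\debug')
        } |
        Select-Object TaskName, 'Task To Run', 'Scheduled Task State', 'Next Run Time'
}

function Get-SuspiciousFiles {
    # The thread checked C:\Windows\debug by hand; this lists any of the named files that exist there.
    foreach ($name in $SuspectFileNames) {
        $path = Join-Path $DebugDir $name
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{
                Path   = $path
                Bytes  = (Get-Item -LiteralPath $path).Length
                SHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash  # for VirusTotal lookups
            }
        }
    }
}

function Get-SuspiciousRundll32 {
    # Second stage per the write-up: rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" |
        Where-Object { $_.CommandLine -match 'item\.dat' } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

$tasks = @(Get-SuspiciousTasks)
$files = @(Get-SuspiciousFiles)
$procs = @(Get-SuspiciousRundll32)

if ($tasks.Count -eq 0 -and $files.Count -eq 0 -and $procs.Count -eq 0) {
    'No Mysa/item.dat indicators found.'
} else {
    $tasks | Format-Table -AutoSize
    $files | Format-Table -AutoSize
    $procs | Format-Table -AutoSize -Wrap
    # Print (do not run) a per-task delete command for review; this is narrower than the
    # "schtasks /delete /tn * /f" used above, but a machine that ran this should still be reinstalled.
    $tasks | ForEach-Object { "schtasks.exe /delete /tn `"$($_.TaskName)`" /f" }
}
```

The task check matches on both the task name and the command the task runs, because a re-created task could use a different name while still pointing at the same FTP download or debug-directory payload. Run it before and after any cleanup; if the tasks come back on a machine where the files in C:\Windows\debug never appear, something else on the network or on the box is still re-planting them, which is exactly the situation the thread is describing.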



  • @EddieJennings said in F***kin WannaCry:

    Sometimes for malware, you have to nuke and start over. :(

    Maybe it's time to format and move to Windows 10. I feel like I am the last of the
    Windows 7 folks around here.

    But at least I have the LGBT version of 10, because I am gay and I get attacked with stupid viruses, because I don't like having a realtime AV scanner installed slowing down my system, and I thought I was much smarter than to get infected... Oh, I meant the Windows 10 LTSB version.



  • @msff-amman-Itofficer said in F***kin WannaCry:

    @EddieJennings said in F***kin WannaCry:

    Sometimes for malware, you have to nuke and start over. :(

    Maybe it's time to format and move to Windows 10. I feel like I am the last of the
    Windows 7 folks around here.

    But at least I have the LGBT version of 10, because I am gay and I get attacked with stupid viruses, because I don't like having a realtime AV scanner installed slowing down my system, and I thought I was much smarter than to get infected... Oh, I meant the Windows 10 LTSB version.

    I would definitely nuke and move on.

    I am not sure what you meant by the last part. I am confused.



  • @IRJ said in F***kin WannaCry:

    I would definitely nuke and move on.

    I am not sure what you meant by the last part. I am confused.

    Same



  • @msff-amman-Itofficer said in F***kin WannaCry:

    @EddieJennings said in F***kin WannaCry:

    Sometimes for malware, you have to nuke and start over. :(

    Maybe it's time to format and move to Windows 10. I feel like I am the last of the
    Windows 7 folks around here.

    But at least I have the LGBT version of 10, because I am gay and I get attacked with stupid viruses, because I don't like having a realtime AV scanner installed slowing down my system, and I thought I was much smarter than to get infected... Oh, I meant the Windows 10 LTSB version.

    Or install Korora :D. Not sure what you mean by LGBT version of 10, but I do know Korora installs the same regardless of sexual orientation.



  • @msff-amman-Itofficer WTF does sexual proclivity have to do with malware??? I don't know about anyone else, but I don't take kindly to homophobes.



  • @RojoLoco said in F***kin WannaCry:

    @msff-amman-Itofficer WTF does sexual proclivity have to do with malware??? I don't know about anyone else, but I don't take kindly to homophobes.

    How do you feel about people that get all sensitive for nothing?

    It's a joke, man; it's just that LSTB looks close to LGBT.



  • @msff-amman-Itofficer said in F***kin WannaCry:

    @RojoLoco said in F***kin WannaCry:

    @msff-amman-Itofficer WTF does sexual proclivity have to do with malware??? I don't know about anyone else, but I don't take kindly to homophobes.

    How do you feel about people that get all sensitive for nothing?

    It's a joke, man; it's just that LSTB looks close to LGBT.

    It sounds like a really shitty HIV/AIDS joke; it makes you look like a dick whether intended or not.


  • @EddieJennings said in F***kin WannaCry:

    Sometimes for malware, you have to nuke and start over. :(

    No. Always for malware. There really is no exception.


  • @msff-amman-Itofficer said in F***kin WannaCry:

    @EddieJennings said in F***kin WannaCry:

    Sometimes for malware, you have to nuke and start over. :(

    Maybe it's time to format and move to Windows 10. I feel like I am the last of the
    Windows 7 folks around here.

    It is and you are. Even for far more trivial malware I would consider the machine lost. For something like WannaCry, keeping the machine should never be considered.

    And yes, Windows 7 is ancient.


  • @msff-amman-Itofficer said in F***kin WannaCry:

    It's a joke, man; it's just that LSTB looks close to LGBT.

    LTSB... Long Term Support Build.

    Should have just been LTS, the industry standard term. Why they added the B to the end, no one knows.



  • @scottalanmiller said in F***kin WannaCry:

    @msff-amman-Itofficer said in F***kin WannaCry:

    It's a joke, man; it's just that LSTB looks close to LGBT.

    LTSB... Long Term Support Build.

    Should have just been LTS, the industry standard term. Why they added the B to the end, no one knows.

    Thought it was Long Term Servicing Branch?

    I agree with Scott: if you think your computer is ever infected, you can't really ever trust it again. Format and reinstall, or restore to an old backup, whatever... get to a known clean state.


  • @Dashrender said in F***kin WannaCry:

    @scottalanmiller said in F***kin WannaCry:

    @msff-amman-Itofficer said in F***kin WannaCry:

    It's a joke, man; it's just that LSTB looks close to LGBT.

    LTSB... Long Term Support Build.

    Should have just been LTS, the industry standard term. Why they added the B to the end, no one knows.

    Thought it was Long Term Servicing Branch?

    I agree with Scott: if you think your computer is ever infected, you can't really ever trust it again. Format and reinstall, or restore to an old backup, whatever... get to a known clean state.

    In other words, scorched earth.



  • @msff-amman-Itofficer

    It's stalking me. I disabled the Task Scheduler service just to give me a few extra days...

    (screenshots: Process Hacker, 2017-07-01)



  • @msff-amman-Itofficer (screenshots: C:\Windows\debug in Clover; antivirus scan for 981528cbeafd245f003c838e0db3fb55d755b447631b0472fd2c164de72dc, 2017-07-01)

