# F***kin WannaCry

• Second time get detected in my system.

I first noticed it cause Windows Firewall kept not saving my options, and keep turning on and off, it was peculiar how every-time I opened Windows my firewall kept asking to allow the same programs I previously granted, like it reset every-time its options.

Do note I patched my system with KB4012212 long time ago, like 3 or 2 months ago.

But what I noticed while I was playing around with Salt and testing stuff today, If I go under my Machine Task scheduler, I found the weird tasks again:

Mysa1
Mysa2
ok

I dont know how they got re-created, I was just in safe mode and doing full system scan and nothing appeared there, but after search I noticed those tasks are related to Wannacry, my system looks okay so it was the first time this happened.

The first time using mbam latest was able to detect Ransomeware.Wannacry and removed it, then I formatted all USB drives, and scanned with Sophos AV and Anti-Rootkits, and ADWcleaner, and I deleted those tasks...

Today they appeared again ??? from where I have no idea, I dont open any ports on my machine, except one for speeding up a game, and I do not use CIFS or SMB or Samba on my machine.

Weirdly the first time this got detected was 1-2 weeks ago, and mbam (malware bytes) removed it , and I checked all my files and nothing got encrypted. it seems the same thing now, I already made backup and tested and nothing got encrypted...

Weird...

Hope those tasks help somebody to identify infected computers.

• Sometimes for malware, you have to nuke and start over. :(

• https://www.cyphort.com/eternalblue-exploit-actively-used-deliver-remote-access-trojans/

According to this site:

It creates a job file “Mysa” that would download a file a.exe via FTP from BAD SITE

Then it will execute c.bat and execute another DLL file item.dat:

rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa

We were not able to capture item.dat from our own server. This file is saved as C:\Windows\debug\item.dat and the [cmd] command expects it to be there. We believe that this is the second stage payload.


It appears that the Virus is not reaching the second state, but it advertising my machine, cause the filte item.dat and ok.dat are not found in my:

C:\Windows\debug

It seems the UK guy that purchased the domain of Wannacry might saved my ass.

but this is good info for people that wants to fight this, but I wonder how did those tasks got re-created, I ran :
Last time...

• @EddieJennings said in F***kin WannaCry:

Sometimes for malware, you have to nuke and start over. :(

Maybe its time to format and move to Windows 10, I feel like I am the last of the
Windows 7 folks around here.

But atleast I have the LGBT version of 10, cause I am gay and I get attacked with stupid Viruses, cause I dont like to have realtime AV scanner install slowing down my system and I thought I much smarter to get infected... Oh i meant Windows 10 LTSB version

• @msff-amman-Itofficer said in F***kin WannaCry:

@EddieJennings said in F***kin WannaCry:

Sometimes for malware, you have to nuke and start over. :(

Maybe its time to format and move to Windows 10, I feel like I am the last of the
Windows 7 folks around here.

But atleast I have the LGBT version of 10, cause I am gay and I get attacked with stupid Viruses, cause I dont like to have realtime AV scanner install slowing down my system and I thought I much smarter to get infected... Oh i meant Windows 10 LTSB version

I would definitely nuke and move on.

I am not sure what you meant by the last part. I am confused?

• @IRJ said in F***kin WannaCry:

I would definitely nuke and move on.

I am not sure what you meant by the last part. I am confused?

Same

• @msff-amman-Itofficer said in F***kin WannaCry:

@EddieJennings said in F***kin WannaCry:

Sometimes for malware, you have to nuke and start over. :(

Maybe its time to format and move to Windows 10, I feel like I am the last of the
Windows 7 folks around here.

But atleast I have the LGBT version of 10, cause I am gay and I get attacked with stupid Viruses, cause I dont like to have realtime AV scanner install slowing down my system and I thought I much smarter to get infected... Oh i meant Windows 10 LTSB version

Or install Korora :D. Not sure what you mean by LGBT version of 10, but I do know Korora installs the same regardless of sexual orientation.

• @msff-amman-Itofficer WTF does sexual proclivity have to do with malware??? I don't know about anyone else, but I don't take kindly to homophobes.

• @RojoLoco said in F***kin WannaCry:

@msff-amman-Itofficer WTF does sexual proclivity have to do with malware??? I don't know about anyone else, but I don't take kindly to homophobes.

how do you feel about people that get all sensitive for nothing ?

its joke man its just goes LSTB looks close to LGBT

• @msff-amman-Itofficer said in F***kin WannaCry:

@RojoLoco said in F***kin WannaCry:

@msff-amman-Itofficer WTF does sexual proclivity have to do with malware??? I don't know about anyone else, but I don't take kindly to homophobes.

how do you feel about people that get all sensitive for nothing ?

its joke man its just goes LSTB looks close to LGBT

It sounds like a really shitty HIV/AIDS joke, makes you look like a dick if intended or not.

• @EddieJennings said in F***kin WannaCry:

Sometimes for malware, you have to nuke and start over. :(

No. Always for malware. There really is no exception.

• @msff-amman-Itofficer said in F***kin WannaCry:

@EddieJennings said in F***kin WannaCry:

Sometimes for malware, you have to nuke and start over. :(

Maybe its time to format and move to Windows 10, I feel like I am the last of the
Windows 7 folks around here.

It is and you are. Even far more trivial malware I would considered the machine lost. For something like WannaCry, keeping the machine should never be considered.

And yes, Windows 7 is ancient.

• @msff-amman-Itofficer said in F***kin WannaCry:

its joke man its just goes LSTB looks close to LGBT

LTSB... Long Term Support Build.

Should have just been LTS, the industry standard term. Why they added the B to the end, no one knows.

• @scottalanmiller said in F***kin WannaCry:

@msff-amman-Itofficer said in F***kin WannaCry:

its joke man its just goes LSTB looks close to LGBT

LTSB... Long Term Support Build.

Should have just been LTS, the industry standard term. Why they added the B to the end, no one knows.

Thought it was Long Term Servicing Branch?

I agree with Scott - if you think your computer is ever infected, you can't really ever trust it again. Format and reinstall - or restore to an old backup, whatever.. get to a known clean state.

• @Dashrender said in F***kin WannaCry:

@scottalanmiller said in F***kin WannaCry:

@msff-amman-Itofficer said in F***kin WannaCry:

its joke man its just goes LSTB looks close to LGBT

LTSB... Long Term Support Build.

Should have just been LTS, the industry standard term. Why they added the B to the end, no one knows.

Thought it was Long Term Servicing Branch?

I agree with Scott - if you think your computer is ever infected, you can't really ever trust it again. Format and reinstall - or restore to an old backup, whatever.. get to a known clean state.

In other words, scorched earth.

• @msff-amman-Itofficer

It stalking me, I disabled task scheduler service just to give me some extra few days ...

• @msff-amman-Itofficer

Looks like your connection to MangoLassi was lost, please wait while we try to reconnect.