Removing the WannaCrypt ransomware before it encrypts, and hardening the host against it

2025-03-31 Update From: SLTechnology News&Howtos > Servers


Shulou (Shulou.com) 06/02 Report

Yesterday, today and for some time to come, the security community and indeed the whole of China is focused on the "WannaCrypt" ransomware. Many people assume security is somebody else's problem, and in the past most malware did arrive from the internet, but WannaCrypt also spreads inside the intranet once a few conditions are met (a reachable unpatched host with SMB open on TCP/445). Watch the intranet! The external network is of course a target too: many universities, government offices, enterprises and individuals in China have already seen large-scale infections. Most security vendors classify it as a worm, and its damage is such that once a host has been encrypted the realistic options are restoring from a backup or reinstalling the system and losing the data; paying the ransom does not guarantee a decryption key. The author's analysis shows that if the malware is removed before it reaches the encryption stage, the system and its data can be saved and the loss kept small.

Remember that the best window for removal is within about two hours of the outbreak. If that window is missed, power the machine off at once to stop further encryption; note that the ransom countdown is based on the time of infection and does not pause while the machine is off. In other words, the best time to deal with an infection is within two hours.

I. The most important things

Use Part II to check whether the system shows the indicators; if it does, follow Part III to remove the malware, keeping these points in mind:

1. Unplug the network cable immediately, so the host is not re-infected from the intranet and does not scan other hosts.

2. Remove the malware completely, not just the running process (the service restarts it).

3. Back up the system's files to a clean flash drive. If no flash drive is available, compress the files that need saving into a .rar archive and rename it to .exe.

4. WannaCrypt does not currently encrypt .exe files, which is why the renamed archive survives; this depends on the variant's extension list, so it is a stop-gap, not a substitute for an offline backup. Harden the host (Part IV) once it is clean.

II. Analysis of the malware files

1. File names and sizes

Three sample files were captured this time: mssecsvc.exe, qeriuwjhrf and tasksche.exe, shown in figure 1. tasksche.exe and qeriuwjhrf are both 3432 KB and have the same MD5, so qeriuwjhrf is a copy of tasksche.exe; mssecsvc.exe is 3636 KB.

2. MD5 check values

Calculated with an MD5 tool, the three files hash as follows:

tasksche.exe 8b2d830d0cf3ad16a547d5b23eca2c6e

mssecsvc.exe 854455f59776dc27d4934d8979fa7e86

qeriuwjhrf 8b2d830d0cf3ad16a547d5b23eca2c6e

Fig. 1 Basic information on the ransomware files

3. Locating the files

(1) In the system directory, sorted by date with hidden files included (qeriuwjhrf has no extension, so it does not appear in a *.exe listing; list the directory without the filter to see it):

cd c:\windows

dir /od /a *.exe

(2) Search the whole drive (/a is needed, since the files are hidden):

dir /od /s /a tasksche.exe

dir /od /s /a mssecsvc.exe

4. Symptoms

(1) Checking connections with netstat -an shows a steady stream of connections in the SYN_SENT state to port 445 on other hosts, as in figure 2: the worm is scanning for SMB targets.

Figure 2 Continuous outbound connection attempts to port 445

(2) The malware's service

In Autoruns the service list shows a service named "mssecsvc2.0"; its file carries a timestamp of 17:03 on November 20, 2010.
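The checks in this part as one script, added here as an example (it is not tooling from the original article): it hashes the top-level files in C:\Windows against the three MD5 values listed above, looks for the mssecsvc2.0 service, and counts half-open connections to TCP/445 in the output of netstat -an. It assumes the files were dropped in C:\Windows as observed above; MD5 is computed with .NET so it also runs on PowerShell 2.0, which has no Get-FileHash.

```powershell
# Added example, not the article's own tooling. Run elevated on the suspect host.
# Indicator values are the ones listed in this article; a variant may differ.
$iocHashes = @{
    '8b2d830d0cf3ad16a547d5b23eca2c6e' = 'tasksche.exe / qeriuwjhrf'
    '854455f59776dc27d4934d8979fa7e86' = 'mssecsvc.exe'
}
$dropDir = 'C:\Windows'   # assumed drop location, as observed in the article

function Get-Md5Hex([string]$Path) {
    # .NET MD5 so this also works on PowerShell 2.0, which lacks Get-FileHash
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    ([System.BitConverter]::ToString($md5.ComputeHash($bytes))).Replace('-', '').ToLower()
}

# 1. Files: -Force includes hidden files; no *.exe filter, because qeriuwjhrf has no extension
Write-Host "== IOC hash matches under $dropDir =="
Get-ChildItem -Path $dropDir -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    try {
        $hash = Get-Md5Hex $_.FullName
        if ($iocHashes.ContainsKey($hash)) {
            "{0,-40} {1} {2} (matches {3})" -f $_.FullName, $hash, $_.LastWriteTime, $iocHashes[$hash]
        }
    } catch { }   # unreadable file: skip it, the service and network checks still apply
}

# 2. Persistence: the dropper installs itself as the service mssecsvc2.0
Write-Host "== Services matching mssecsvc =="
Get-WmiObject Win32_Service -Filter "Name LIKE '%mssecsvc%'" |
    Select-Object Name, DisplayName, State, PathName | Format-Table -AutoSize

# 3. Network: the scan shows up as many half-open (SYN_SENT) connections to TCP/445
Write-Host "== Outbound SYN_SENT to 445 =="
$synSent = netstat -an | Select-String -Pattern '^\s*TCP\s+\S+\s+(\S+):445\s+SYN_SENT'
if ($synSent) {
    $targets = $synSent | ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -Unique
    "{0} connections in SYN_SENT to port 445 against {1} distinct hosts" -f @($synSent).Count, @($targets).Count
} else {
    'none (not infected, or the scan has finished)'
}
```

A single SYN_SENT to 445 is normal when a user opens a share; dozens against distinct addresses within seconds is the worm. Get-WmiObject is used rather than Get-CimInstance so the script runs on the Windows 7 era hosts the article targets; on PowerShell 7 replace it with Get-CimInstance.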

III. Removal

1. Make hidden files visible

The dropped files carry the hidden attribute, so Explorer does not show them by default. Open Tools > Folder Options in Explorer, as in figure 4.

Figure 4 Opening Folder Options

On the View tab, untick "Hide protected operating system files (Recommended)", select "Show hidden files, folders, and drives", and untick "Hide extensions for known file types", as in figure 5. The hidden files in the Windows directory are now visible.

Figure 5 Folder view settings

2. End the processes

Right-click the taskbar and choose "Start Task Manager". On the Processes tab find mssecsvc.exe and tasksche.exe, select each and choose "End Process Tree". The service restarts them, so a process may reappear; be quick, and go straight on to deleting the files.

3. Delete the files

In the Windows directory sort by date; the three files normally show today's date or another recent one. Delete them, and if they reappear, end the process again and delete again until they are gone. Variants may already exist at the time of writing; handle them the same way by deleting whatever new files are generated.

4. Check the network again

Run netstat -an again: there should be no more outbound connection attempts, and the host is back to normal.
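Steps 2 to 4 of this part as one PowerShell script, added here as an example and not taken from the article. It assumes the network cable is already unplugged and uses the file, process and service names observed above; a variant may use others, which is why it also lists anything recently written to C:\Windows.

```powershell
# Added example, not the article's own tooling. Run elevated with the host off the network.
$procNames = 'mssecsvc', 'tasksche'                      # process names without .exe
$dropFiles = 'mssecsvc.exe', 'tasksche.exe', 'qeriuwjhrf' # as observed in the article
$dropDir   = 'C:\Windows'                                 # assumed drop location
$svcName   = 'mssecsvc2.0'                                # persistence service seen in Autoruns

# Step 2: the service restarts the payload, so kill in a short loop rather than once
for ($round = 1; $round -le 10; $round++) {
    $running = Get-Process -Name $procNames -ErrorAction SilentlyContinue
    if (-not $running) { break }
    $running | Stop-Process -Force -ErrorAction SilentlyContinue
    Start-Sleep -Milliseconds 300
}

# Remove the service so a reboot does not bring mssecsvc.exe back
$svc = Get-WmiObject Win32_Service -Filter "Name = '$svcName'"
if ($svc) {
    Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
    & sc.exe delete $svcName | Out-Null
    "service $svcName removed"
}

# Step 3: delete the dropped files; -Force also removes hidden files
foreach ($name in $dropFiles) {
    $path = Join-Path $dropDir $name
    if (Test-Path -LiteralPath $path) {
        Remove-Item -LiteralPath $path -Force
        "deleted $path"
    }
}

# Variants use other names: show anything written to C:\Windows in the last hour for review
Get-ChildItem -Path $dropDir -Force |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt (Get-Date).AddHours(-1) } |
    Select-Object FullName, Length, LastWriteTime

# Step 4: re-check; the stream of SYN_SENT connections to 445 should be gone
$left = netstat -an | Select-String -Pattern ':445\s+SYN_SENT'
if ($left) { "still {0} SYN_SENT to 445: repeat the kill and delete loop" -f @($left).Count }
else       { 'no outbound 445 SYN_SENT connections' }
```

Keep the deleted samples (copy them to the flash drive first, renamed) if you want them analysed later; the script deletes in place because the article's priority is stopping the encryptor before it runs.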

From a clean computer download the Sysinternals tools Autoruns and Process Explorer, burn them to a CD, and use them on the infected computer for removal. Download addresses:

https://download.sysinternals.com/files/Autoruns.zip

https://download.sysinternals.com/files/ProcessExplorer.zip

Note that the removal described in this article applies only while the ransomware has not yet encrypted the system. If a new icon appears on the desktop, the wallpaper has been replaced with red English text, or a window titled "Wana Decrypt0r 2.0" pops up showing a padlock, the system has already been encrypted.

IV. Hardening

1. Close port 445

(1) Manually

Run "regedit", open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters, create a new DWORD value named SMBDeviceEnabled and set it to 0, as in figure 6. Type the name exactly, otherwise the change has no effect. It takes effect after a reboot and stops the SMB server listening on TCP/445, so file and printer sharing from this host stops as well; in the adapter's properties you can also untick "File and Printer Sharing for Microsoft Networks", as in figure 7.

Figure 6 Closing port 445 in the registry

Figure 7 Disabling file and printer sharing

(2) With a script

Save the following as a .bat file. On anything newer than Windows XP / Server 2003 (Vista, 7, 2008 and later), right-click the file and run it as administrator. The "netsh firewall" lines are the XP/2003 syntax and the "netsh advfirewall" line the Vista-and-later syntax; whichever does not apply simply fails harmlessly.

@echo off
echo Welcome to the Jinbai'an ransomware defense script
echo On systems newer than Windows XP / Server 2003, right-click this file and run it as administrator.
rem Windows XP / Server 2003: turn the firewall on and close 445
netsh firewall set opmode enable
netsh firewall set portopening protocol=TCP port=445 mode=disable name=deny445
rem Windows Vista / Server 2008 and later: add an inbound block rule for 445
netsh advfirewall firewall add rule name="deny445" dir=in protocol=tcp localport=445 action=block
pause

2. Close port 135

Run "dcomcnfg", expand Component Services > Computers > My Computer, open its Properties and on the Default Properties tab untick "Enable Distributed COM on this computer". Then on the Default Protocols tab select "Connection-oriented TCP/IP" and click Remove, as in figure 8. Caution: DCOM and port 135 are used by RPC-based management (WMI, remote administration), so on a domain-joined or centrally managed machine this can break things. The worm itself spreads over SMB on 445; closing 135 is general hardening rather than a direct block.

Figure 8 Closing port 135

3. Close port 139

Port 139 carries the NetBIOS Session Service, used for Windows file and printer sharing and by Samba on Unix. Open Network > Local Area Connection > Properties, select "Internet Protocol Version 4 (TCP/IPv4)" > Properties > Advanced > WINS, and under NetBIOS setting choose "Disable NetBIOS over TCP/IP", as in figure 9.

Figure 9 Closing port 139

4. Check that the ports are closed

After a reboot the following commands should print nothing for a closed port. A firewall rule alone blocks traffic but does not stop the port listening, so with only the netsh rules netstat still shows 0.0.0.0:445 LISTENING; it is the registry change that removes the listener.

netstat -an | find "445"

netstat -an | find "139"

netstat -an | find "135"

5. Turn on the firewall

Enable the firewall that comes with the system.

6. Update system patches

Run Windows Update, and in particular install the March 2017 SMB update MS17-010, which closes the SMBv1 flaw the worm uses to spread; Microsoft also released it out of band for Windows XP and Server 2003. Disabling SMBv1 wherever it is not needed is worthwhile in its own right.
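The hardening steps in this part as one PowerShell script for Windows 8 / Server 2012 and newer, added here as an example and not taken from the article (the Net* and Smb* cmdlets do not exist on XP, 2003 or 7; use the registry and netsh steps above there). The KB numbers in the patch check are an assumption for two specific Windows versions and must be checked against the MS17-010 bulletin for others.

```powershell
# Added example, not the article's own script. Windows 8 / Server 2012 or newer, run elevated.
$ports = 445, 139, 135

# 1. Block the three ports inbound on every profile (the PowerShell form of the netsh rules above)
foreach ($p in $ports) {
    $name = "Block inbound TCP $p"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $p -Action Block -Profile Any | Out-Null
    }
}

# 2. Turn off SMBv1, the dialect the worm exploits; SMBv2/3 file sharing keeps working
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 3. Disable NetBIOS over TCP/IP on all IP-enabled adapters (the WINS tab setting in figure 9)
#    TcpipNetbiosOptions: 0 = take from DHCP, 1 = enable, 2 = disable
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
        -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
}

# 4. Firewall on for every profile
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# 5. Verify. A firewall rule does not stop the port listening, so netstat still shows
#    445 LISTENING; check the rules and the SMB1 setting instead.
Get-NetFirewallRule -DisplayName 'Block inbound TCP *' | Select-Object DisplayName, Enabled, Action
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

# 6. Patch check. Assumed KB numbers for MS17-010: KB4012213 (Windows 8.1 / Server 2012 R2)
#    and KB4012214 (Server 2012); check the bulletin for other versions. A later cumulative
#    update supersedes them, so their absence alone does not prove the host is unpatched.
$ms17010 = 'KB4012213', 'KB4012214'
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) { $found | Select-Object HotFixID, InstalledOn }
else        { 'MS17-010 KB not found: verify the patch level another way' }
```

The firewall and SMB1 changes apply immediately; the NetBIOS change applies to new connections, and on Windows 8.1 and later you can additionally remove the SMB1 component entirely with Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol, which needs a reboot. Blocking 135 and 139 inbound has the same management side effects as the manual steps above, so test on a domain-joined machine before rolling out.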

V. Safety tips

1. Do not open files of unknown origin.

2. Use flash drives with care. Creating a folder named autorun.inf on the drive stops malware from writing its own autorun.inf there (a general precaution; WannaCrypt itself spreads over SMB, not via autorun).

3. Install antivirus software.

4. Turn on the firewall.

5. ATScanner (WannaCry scanner): http://www.antiy.com/response/wannacry/ATScanner.zip

6. Worm ransomware immunization tool (WannaCry): http://www.antiy.com/response/wannacry/Vaccine_for_wannacry.zip

For further analysis of the WannaCrypt ransomware, follow our technical analysis. You are welcome to join the Antian 365 technology exchange group (513833068) to discuss this topic.
