2025-02-24 Update From: SLTechnology News&Howtos (Servers)
Shulou(Shulou.com)06/02 Report--
I happened to find that a computer was infected with a WannaCry variant. The specific symptom is that running netstat -an | find ":445" at the cmd command line shows a large number of TCP connections from this machine to port 445 of other machines. Earlier versions of WannaCry dropped the ransomware program to extort the host; in this variant, the program fails to run on mainstream Windows platforms, so no ransom demand appears. However, once several hosts in the internal network are infected, they keep attacking each other through the EternalBlue vulnerability. The exploit uses a heap injection technique that is not stable, so there is a small chance that exploitation fails; when it fails against an unpatched host, that host blue-screens.
Handling steps:
First, install the MS17-010 patch. Patch download address: https://technet.microsoft.com/zh-cn/library/security/ms17-010.aspx
Second, run the Sangfor WannaCry special removal tool to disinfect the host.
After completing the two steps above, I thought everything would be fine, but I still observed a large number of TCP connections being sent from this machine to other machines on the same network segment. So the virus clearly had not been completely removed; on reflection, the patch we installed only prevents the machine from being re-infected. I then opened Task Manager again, found several suspicious processes and tried to end them directly, but they could not be killed at all. Next I located the directory containing the process files and tried to force-delete them, which also did not work because the files were in use by the running processes. After thinking for a moment, I decisively installed 360 antivirus, ran a scan, and finally got it done. I have to admit 360 is worth a lot. Haha, XD.
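One way to script the netstat check used above, so the number of distinct peers each local address reaches on TCP 445 can be compared before and after cleanup (an added example, not code from the original post; the netstat lines are constructed and the threshold of five peers is an assumption):

```python
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -an` output (not captured from the
# author's host): one local address fanning out to port 445 on many peers in
# its own /24, which is the symptom described in the post.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49731     192.168.1.5:445        SYN_SENT
  TCP    192.168.1.20:49732     192.168.1.6:445        SYN_SENT
  TCP    192.168.1.20:49733     192.168.1.7:445        ESTABLISHED
  TCP    192.168.1.20:49734     192.168.1.8:445        SYN_SENT
  TCP    192.168.1.20:49735     192.168.1.9:445        SYN_SENT
  TCP    192.168.1.20:49800     93.184.216.34:443      ESTABLISHED
  TCP    192.168.1.20:49801     192.168.1.10:445       SYN_SENT
"""

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def outbound_smb_targets(netstat_text):
    """Map each local address to the set of distinct remote hosts it is
    connected, or trying to connect, to on TCP 445."""
    targets = defaultdict(set)
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local_ip, _, remote_ip, remote_port, state = m.groups()
        # Listening sockets and wildcard peers are not outbound connections.
        if state == "LISTENING" or remote_ip in ("0.0.0.0", "*"):
            continue
        if remote_port == "445":
            targets[local_ip].add(remote_ip)
    return targets


def flag_smb_scanners(netstat_text, threshold=5):
    """Return local addresses reaching at least `threshold` distinct hosts on
    445. A workstation normally talks SMB to a few file/print servers, so
    fanning out across a segment is the worm behaviour to act on (threshold
    is an assumed value; tune it for the environment)."""
    targets = outbound_smb_targets(netstat_text)
    return sorted(ip for ip, peers in targets.items() if len(peers) >= threshold)


if __name__ == "__main__":
    for ip in flag_smb_scanners(SAMPLE_NETSTAT):
        print(ip, "is fanning out to", len(outbound_smb_targets(SAMPLE_NETSTAT)[ip]), "hosts on TCP 445")
```

Feed it the real output (netstat -an > netstat.txt, then read the file) and re-run after the patch and the removal tool; a host that still fans out has not been cleaned.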
Leftover virus directories and files removed by 360:
C:\Windows\SecureBootThemes\
C:\Windows\System32\SecureBootThemes\spoolsv.exe
C:\Windows\System32\TrustedHostServices.exe
C:\Windows\System32\tpmagentservice.dll
Reference articles:
http://sec.sangfor.com.cn/events/97.html
http://www.freebuf.com/news/139809.html