Doctor Web publishes preliminary description of WannaCry Trojan

Discussion in 'Dr Web' started by omidomi, May 23, 2017.

  1. omidomi

    omidomi Level 61
    Trusted AV Tester

    Apr 5, 2014
    Fallout New Vegas :D
    Windows 8.1
    Official Website:
    On Friday, May 12, a myriad of computers all over the world were infected with a dangerous worm known as WannaCry. Doctor Web specialists are still examining this malware but are ready to share some of the results of their research.

    The malware, known as WannaCry, is a network worm that infects computers running Microsoft Windows without any user involvement. Dr.Web Anti-virus detects all the worm’s components as Trojan.Encoder.11432. It started being spread around 10 a.m. on May 12, 2017. The worm attacks all the computers in a local network and remote Internet servers with random IP addresses, attempting to establish a connection with port 445. After infecting a computer, the worm tries to independently infect other available machines—this explains the massive scale of the outbreak. The malicious program itself has several components; the encryption Trojan is only one of them.

    Network worm
    Once launched, the worm attempts to send a request to the remote server whose domain is stored inside the Trojan. If a response to this request is received, the worm shuts itself down. Some media sources have reported that the WannaCry outbreak was stopped once this domain was registered: up to the moment the Trojan started being spread, the domain was available due to a mistake made by the cybercriminals. In reality, the analysis of the Trojan shows that it will operate and infect computers that are connected to a local network but have no Internet connection. Thus, it is too early to talk about the epidemic being over.

    After being launched, the Trojan registers itself as a system service named mssecsvc2.0. In addition, the worm is sensitive to command line parameters: if an argument is indicated, it attempts to enable an automatic restart of the service in case an error occurs. Within 24 hours after it is launched as a system service, the worm automatically shuts itself down.

    After successfully starting up on an infected machine, the worm starts checking for servers that it can access in the infected machine’s local network and for computers on the Internet that have random IP addresses. It tries to connect to port 445. If the connection is successfully established, the worm attempts to infect these computers using a vulnerability in the SMB protocol.

    A dropper is a component designed to install a malicious executable file into an operating system. WannaCry’s dropper contains a massive password-protected ZIP archive, which contains an encrypted file with a Trojan encoder, Windows Desktop wallpaper containing the cybercriminals’ demands, a file containing the addresses of onion servers and the name of a wallet for Bitcoin transactions, and also an archive containing programs for operating in the Tor network. The dropper is launched from the worm’s body, installs itself in the system, and then attempts to launch its copy as a randomly named system service. If this attempt is unsuccessful, it is executed as an ordinary program. The dropper’s main task is to save the contents of the archive on the disk and launch the encryptor.

    A ransomware Trojan
    Trojan.Encoder.11432 encrypts files with a random key. The file stores data on the length of the encrypted key, the encrypted key itself, information about the type of encryption, and the size of the source file. During the course of encryption, a file named f.wnry is created—it stores the list of files for the Trojan to decrypt in test mode.

    The Trojan contains the author’s decoder, which deletes shadow copies on the infected computer and disables the system restore function. It changes the Windows Desktop wallpaper to a graphic file that reads as follows:


    Then it unpacks the applications it uses to operate with the Tor network (or downloads them from the Web) and connects to onion servers, the addresses of which are indicated in the Trojan’s configuration. From there it receives the name of the wallet accepting Bitcoin electronic currency and writes it into the configuration. To exchange data with the onion servers, Trojan.Encoder.11432 uses its own protocol.

    The decoder permits the decryption of several test files, the list of which is stored in the file f.wnry. The private key needed to decrypt them is stored in one of the malicious program’s components. So it is possible to decrypt them even without using the Trojan. However, the test files and all the other files are decrypted with different keys. Therefore, there is no guarantee that the data corrupted by the encoder can be restored successfully, even if a ransom is paid.

    Unfortunately, at present it is impossible to decrypt files encoded by Trojan.Encoder.11432.

    Signs of infection
    The hallmark signs of a WannaCry infection are:

    • The presence of the mssecsvc2.0 system service (visible name—”Microsoft Security Center (2.0) Service”);
    • The presence of the Trojan encoder file C:\WINDOWS\tasksche.exe; the previous sample of the malicious program is stored in the file C:\WINDOWS\qeriuwjhrf.
    What to do in case of infection

    • To prevent the further spread of infection, isolate infected machines and PCs containing valuable data from computer networks;
    • Save a backup copy of the information on separate storages that must thereafter remain disconnected from any computers.
    This link will take you to a description of the worm.
Similar Threads Forum Date
Chinese Intelligence Agencies Are Doctoring the Country's Vulnerability Database Technology News Monday at 5:06 PM
Update Kerish Doctor 2018 v4.70 (To be released in spring) System Utilities Feb 12, 2018
kerish doctor malwareprotection ? System Utilities Nov 6, 2017
  • About Us

    Our community has been around since 2010, and we pride ourselves on offering unbiased, critical discussion among people of all different backgrounds about security and technology . We are working every day to make sure our community is one of the best.
  • Need Malware Removal Help?

    If you're being redirected from a site you’re trying to visit, seeing constant pop-up ads, unwanted toolbars or strange search results, your computer may be infected with malware. We offer free malware removal assistance to our members in the Malware Removal Assistance forum.
  • Quick Tip

    Without meaning to, you may click a link that installs malware on your computer. To keep your computer safe, only click links and downloads from sites that you trust. Don’t open any unknown file types, or download programs from pop-ups that appear in your browser.