Hi all,
Is anyone currently struggling with the WannaMine malware? I have written a function to clean it up, but unfortunately I no longer have a "fully infected" machine to test it on. The instructions here — [SOLVED] Malicious PowerShell Script - Causing 100% CPU Load - [Solved] — did not fully resolve it for us, but they were a good starting point.
I don’t want to give out the script yet before it has been tested in f-secure’s lab.
From our observations, the malware stops working once you block connections to its control servers (listed below) and remove its WMI storage class by running:
([WmiClass]'root\default:Win32_Services') | Remove-WmiObject -Verbose
Control servers seen in the two WannaMine versions I have encountered (block these at the firewall/proxy):
‘195.22.127.157’, ‘93.174.93.73’
‘195.22.127.157’, ‘node.jhshxbv.com’, ‘node2.jhshxbv.com’, ‘node3.jhshxbv.com’, ‘node4.jhshxbv.com’
The latest version of the function is now on GitHub — AapeliH/clear-wannamine: a PowerShell function to clear WannaMine. Be aware that it removes every CommandLineEventConsumer, __EventFilter and __FilterToConsumerBinding in root\subscription, not only the malware's, and stops every other powershell.exe process on the host, so run it with -logOnly first and review the log files before cleaning.
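function Clear-WannaMine
{
    <#
    .SYNOPSIS
        Logs and removes the WMI persistence left behind by the WannaMine miner.

    .DESCRIPTION
        WannaMine persists through WMI event subscriptions in root\subscription
        (__FilterToConsumerBinding, CommandLineEventConsumer, __EventFilter) and
        keeps data in a custom class, root\default:Win32_Services.

        The function first dumps every instance of those classes to text files in
        $LogPath. Unless -logOnly is given it then deletes them - bindings first,
        then consumers, then filters, then the Win32_Services instances and the
        Win32_Services class definition itself - and writes a second, post-clean
        dump so the result can be verified.

        CAUTION: the cleanup is indiscriminate. EVERY CommandLineEventConsumer,
        __EventFilter and __FilterToConsumerBinding in root\subscription is
        removed, not only the malware's, and every other powershell.exe process
        on the host is stopped. Run with -logOnly first, review the dumps, and
        confirm that no legitimate (monitoring / management-agent) subscription
        will be lost. Remove-WmiObject on these namespaces requires elevation.

    .PARAMETER LogPath
        Directory for the dump files (created if missing). Files are named
        <yyyyMMdd-HHmmss>_<logging|PreClean|PostClean>_<class>.txt.
        Default: c:\temp\wannamine

    .PARAMETER logOnly
        Write the dump files only; do not remove anything.

    .EXAMPLE
        Clear-WannaMine -logOnly -Verbose

    .EXAMPLE
        Clear-WannaMine -LogPath 'C:\IR\wannamine' -Verbose
    #>
    [CmdletBinding()]
    Param
    (
        # Set path for the Log location
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true)]
        [string]
        $LogPath='c:\temp\wannamine',
        # Use this to log all the objects that this script would remove
        [Parameter(Mandatory=$false)]
        [switch]
        $logOnly
    )
    Begin
    {
        Write-Output "spinning up the clear-wannamine"
        $date = (Get-Date -Format "yyyyMMdd-HHmmss")

        # Deleting from root\subscription and root\default needs administrator
        # rights; warn once up front instead of failing silently per object.
        $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object Security.Principal.WindowsPrincipal($identity)
        if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
            Write-Warning "Clear-WannaMine is not running elevated; WMI removals will most likely fail."
        }

        if (-not (Test-Path -LiteralPath $LogPath)) {
            New-Item -Path $LogPath -ItemType Directory -Confirm:$false -Force -Verbose | Out-Null
        }

        # Classes to dump and (unless -logOnly) remove, in removal order: a
        # __FilterToConsumerBinding references its filter and consumer, so the
        # bindings go first, the consumers next, the filters after that, and the
        # miner's data class last.
        $targets = @(
            @{ Namespace = 'root\subscription'; Class = '__FilterToConsumerBinding'; Log = 'FilterToConsumerBinding' },
            @{ Namespace = 'root\subscription'; Class = 'CommandLineEventConsumer';  Log = 'CommandLineEventConsumer' },
            @{ Namespace = 'root\subscription'; Class = '__EventFilter';             Log = 'EventFilter' },
            @{ Namespace = 'root\default';      Class = 'Win32_Services';            Log = 'Win32_Services' }
        )

        # Returns the raw WMI instances of one target. The raw objects are kept
        # (no Format-List here) because they are what Remove-WmiObject consumes
        # and what the dump needs to show; formatted output cannot be piped back
        # into WMI.
        function Get-TargetInstances {
            param([hashtable]$Target)
            Get-WmiObject -Namespace $Target.Namespace -Class $Target.Class -ErrorAction SilentlyContinue
        }

        # Writes the dump file of one target for the given stage name. An empty
        # instance list still produces an (empty) file, so the absence of a class
        # is visible in the log directory.
        function Write-TargetDump {
            param($Instances, [hashtable]$Target, [string]$Stage)
            $Instances | Format-List * |
                Out-File -LiteralPath "$LogPath\$($date)_$($Stage)_$($Target.Log).txt"
        }

        # The malicious payload is a PowerShell script; stop every other
        # PowerShell host so the subscription cannot re-arm mid-cleanup.
        # NOTE: this also kills any legitimate PowerShell session on the box.
        Get-Process powershell -ErrorAction SilentlyContinue |
            Where-Object { $_.Id -ne $PID } |
            Stop-Process -Confirm:$false -Verbose
    }
    Process
    {
        if ($logOnly.IsPresent) {
            foreach ($target in $targets) {
                $instances = @(Get-TargetInstances -Target $target)
                Write-TargetDump -Instances $instances -Target $target -Stage 'logging'
            }
            return
        }

        Write-Output "starting cleanup"
        foreach ($target in $targets) {
            $instances = @(Get-TargetInstances -Target $target)
            Write-TargetDump -Instances $instances -Target $target -Stage 'PreClean'
            if ($instances.Count -eq 0) { continue }

            Write-Verbose ("Removing {0} instance(s) of {1}\{2}" -f $instances.Count, $target.Namespace, $target.Class)
            # Pipe the fetched objects straight to Remove-WmiObject instead of
            # re-querying by name: a Name re-query needs proper WQL quoting
            # (names may contain quotes or backslashes) and can miss objects the
            # malware re-creates between the two queries.
            $instances | Remove-WmiObject -Verbose
        }

        # Removing the instances leaves the malicious class definition in
        # root\default behind; drop the class too (same effect as piping
        # [WmiClass]'root\default:Win32_Services' to Remove-WmiObject).
        Get-WmiObject -Namespace root\default -List -Class Win32_Services -ErrorAction SilentlyContinue |
            Remove-WmiObject -Verbose

        # Post-clean dump: anything still listed here survived the removal and
        # needs manual attention.
        foreach ($target in $targets) {
            $instances = @(Get-TargetInstances -Target $target)
            Write-TargetDump -Instances $instances -Target $target -Stage 'PostClean'
        }
    }
    End
    {
        Write-Output "Clear-Wannamine is finished"
    }
}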