cleaning wannamine

PowerShell Help
1

Hi all,

Does someone struggle with wannamine malware currently? I’ve created a function to clear it, but unfortunately I don’t have “fully infected” machine anymore to test it out. The instruction here: [SOLVED] Malicious PowerShell Script - Causing 100% CPU Load - [Solved] did not solve it for us, but it was a good start.

I don’t want to give out the script yet before it has been tested in f-secure’s lab.

Per our observations the malware does not work if you block connections to the control servers and you run
([WmiClass] ‘root\default:Win32_Services’) | Remove-wmiobject -Verbose

Control servers from two versions of the wannamine I’ve seen:
‘195.22.127.157’, ‘93.174.93.73’
‘195.22.127.157’, ‘node.jhshxbv.com’, ‘node2.jhshxbv.com’, ‘node3.jhshxbv.com’, ‘node4.jhshxbv.com

Latest version of the function is now in GitHub - AapeliH/clear-wannamine: powershell function to clear wannamine

2 
function Clear-WannaMine
{


    [CmdletBinding()]
    Param
    (
        # Set path for the Log location
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true)]
        $LogPath='c:\temp\wannamine',

        # Use this to log all the objects that this script would remove
        [Parameter(Mandatory=$false)]
        [switch]
        $logOnly
    )

    Begin
        {
        Write-output "spinning up the clear-wannamine"
        $date = (get-date -Format "yyyyMMdd-HHmmss" )
        if (-not (test-path $LogPath)) {new-item -Path $LogPath -ItemType Directory -Confirm:$false -Force -Verbose}
        
        get-process powershell | where {$_.id -ne $PID} | Stop-Process -Confirm:$false -Verbose 
        
        }
    Process
        {

        #Logging
        $commandlineObjects      = Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -ErrorAction SilentlyContinue | fl commandlinetemplate, name, workingdirectory, __path, __namespace
        $FilterToConsumerBinding = Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding  -ErrorAction SilentlyContinue| fl *
        $EventFilter             = Get-WMIObject -Namespace root\Subscription -Class __EventFilter  -ErrorAction SilentlyContinue| fl __namespace,path,query,name
        $Win32_Services          = Get-WMIObject -Namespace root\default -Class Win32_Services -ErrorAction SilentlyContinue | fl *
        

        switch ($logOnly.IsPresent) {
        
            $true {
                
                    $commandlineObjects       | out-file "$LogPath\$($date)_logging_CommandLineEventConsumer.txt" 
                    $FilterToConsumerBindings | out-file "$LogPath\$($date)_logging_FilterToConsumerBinding.txt"
                    $EventFilters             | out-file "$LogPath\$($date)_logging_EventFilter.txt"
                    $Win32_Services           | out-file "$LogPath\$($date)_logging_Win32_Services.txt"

                    } #True
        
            $false {
                    
                    Write-Output "starting cleanup"


                    if ($commandlineObjects) {
                        foreach ($commandlineObject in $commandlineObjects) {
                            
                            $commandlineObjects | out-file "$LogPath\$($date)_PreClean_CommandLineEventConsumer.txt" 
                            Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name= $($commandlineObject.name)" | Remove-WMIObject -Verbose
                            
                            }
                    }

                    if ($FilterToConsumerBindings) {

                        foreach ($FilterToConsumerBinding in $FilterToConsumerBindings) {
                            
                            $FilterToConsumerBindings | out-file "$LogPath\$($date)_PreClean_FilterToConsumerBinding.txt"
                            Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "Name= $($commandlineObject.name)" | Remove-WMIObject -Verbose
                            
                            }
                    }

                    if ($EventFilters) {
                        foreach ($EventFilter in $EventFilters) {
                            
                            $EventFilters | out-file "$LogPath\$($date)_PreClean_EventFilter.txt"
                            Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name= $($commandlineObject.name)" | Remove-WMIObject -Verbose
                            
                            }
                    }
                    
                    if ($Win32_Services) {

                        $Win32_Services | out-file "$LogPath\$($date)_PreClean_Win32_Services.txt"
                        Get-WMIObject -Namespace root\default -Class Win32_Services | Remove-WMIObject -Verbose
                        
                        }

                    $commandlineObjects      = Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer  -ErrorAction SilentlyContinue| fl commandlinetemplate, name, workingdirectory, __path, __namespace
                    $FilterToConsumerBinding = Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding  -ErrorAction SilentlyContinue| fl *
                    $EventFilter             = Get-WMIObject -Namespace root\Subscription -Class __EventFilter  -ErrorAction SilentlyContinue| fl __namespace,path,query,name
                    $Win32_Services          = Get-WMIObject -Namespace root\default -Class Win32_Services -ErrorAction SilentlyContinue | fl *

                    $commandlineObjects       | out-file "$LogPath\$($date)_PostClean_CommandLineEventConsumer.txt" 
                    $FilterToConsumerBindings | out-file "$LogPath\$($date)_PostClean_FilterToConsumerBinding.txt"
                    $EventFilters             | out-file "$LogPath\$($date)_PostClean_EventFilter.txt"
                    $Win32_Services           | out-file "$LogPath\$($date)_PostClean_Win32_Services.txt"

                } #Default
        
            } # End switch

        }
    End
        {
        Write-output "Clear-Wannamine is finished"
        }
}