SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT


WannaCrypt.RSM (high risk alert)

SonicWALL wants to make you aware of the " WannaCrypt.RSM" virus that is spreading across the Internet. A high risk alert has been issued for this threat.


Description


WannaCrypt.RSM is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers.

File Related Changes:


It drops the following file(s) on the system:

  • "C:\Documents and Settings\Default User\Start Menu\Programs\Startup\SDEF.tmp"
  • "C:\WINDOWS\Temp\!WannaDecryptor!.exe"
  • "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SDCE.tmp"
  • "C:\WINDOWS\Temp\112881393834640_.bat"
  • "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\SD8D.tmp"

It modifies the following additional file(s) on the system:
  • "C:\WINDOWS\system32\wbem\Logs\WMIC.LOG"

Process Related Changes:


It creates the following mutex(es):


  • ZonesCacheCounterMutex"
  • MSCTF.Shared.MUTEX.ACD"
  • ZonesLockedCacheCounterMutex"
  • c:!documents and settings!admin!local settings!history!history.ie5!"
  • WINDOWS_TASKOSHT_MUTEX0"
  • CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • c:!documents and settings!admin!local settings!temporary internet files!content.ie5!"
  • ZoneAttributeCacheCounterMutex"
  • SHIMLIB_LOG_MUTEX"
  • WininetConnectionMutex"
  • CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • MSCTF.Shared.MUTEX.ICG"
  • CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • ZonesCounterMutex"
  • CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • c:!documents and settings!admin!cookies!"

It creates the following process(es):

  • C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im Microsoft.Exchange. ]
  • C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe ]
  • C:\WINDOWS\Temp\b9b3965d1b218c63cd317ac33edcb942.exe [ \c:\windows\temp\b9b3965d1b218c63cd317ac33edcb942.exe ]
  • C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im MSExchange ]
  • C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe v ]
  • C:\WINDOWS\system32\cmd.exe [ cmd.exe /c start /b !WannaDecryptor!.exe v ]
  • C:\WINDOWS\system32\cmd.exe [ cmd.exe /c vssadmin delete shadows /all /quiet wmic shadowcopy delete bcdedit /set {default} bootstatuspolicy ignoreallfailures bcdedit /set {default} recoveryenabled no wbadmin delete catalog -quiet ]
  • C:\WINDOWS\system32\wbem\wmic.exe [ wmic shadowcopy delete ]
  • C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe c ]
  • C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im sqlserver.exe ]
  • C:\WINDOWS\system32\cmd.exe [ cmd /c 112881393834640.bat ]
  • C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im sqlwriter.exe ]
  • C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe f ]

Network Activity:


We observed the following DNS query/queries:

  • dist.torproject.org
  • www.dropbox.com
  • www.download.windowsupdate.com

It attempts to connect to the following remote servers:
  • 127.xxxxxx:1031
  • 127.xxxxxx:1037

UPDATE:

As of May 12th 2017 we have observed a new variant of the WannaCrypt Ransomware. It has been reported that version 2 of this ransomware has been deployed by its operators on a large international scale. It has wreaked havoc among UK's National Health Service by hitting at least 15 hospitals across the nation causing denial of access to vital patient information. Other attacks include Spanish telecommunications companies such as Vodafone and Telefonica.

The new version uses the following dialog:

At the time of writing, the network infrastructure for the Trojan had been severed and the timer does not work.

SonicWall covers multiple variants of this threat via the following signatures:

  • GAV: WannaCrypt.RSM (Trojan)
  • GAV: WannaCrypt.RSM_2 (Trojan)
  • GAV: WannaCrypt.RSM_3 (Trojan)
  • GAV: WannaCrypt.RSM_4 (Trojan)
  • GAV: WannaCrypt.RSM_5 (Trojan)
  • GAV: WannaCrypt.RSM_6 (Trojan)
  • GAV: WannaCrypt.RSM_7 (Trojan)
  • GAV: WannaCrypt.RSM_8 (Trojan)
  • GAV: WannaCrypt.RSM.ar1 (Trojan)
  • GAV: WannaCrypt.RSM.ar2 (Trojan)
  • GAV: WannaCrypt.RSM.ar3 (Trojan)
  • GAV: WannaCrypt.RSM.ar4 (Trojan)
  • GAV: WannaCrypt.RSM.ar5 (Trojan)
  • GAV: WannaCrypt.RSM.ar6 (Trojan)
  • GAV: WannaCrypt.RSM.ar7 (Trojan)
  • GAV: WannaCrypt.RSM.7z1 (Trojan)
  • GAV: WannaCrypt.RSM.7z2 (Trojan)
  • GAV: WannaCrypt.RSM.7z3 (Trojan)
  • GAV: HydraCrypt.C (Trojan)
  • GAV: HydraCrypt.C_2 (Trojan)



Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
#SonicWall
© 2017 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 13.1 | S2MSW02