cleaning wannamine

  • #94263

    Hi all,

    Is anyone struggling with the WannaMine malware currently? I've created a function to clear it, but unfortunately I don't have a "fully infected" machine anymore to test it on. The instructions here: https://community.spiceworks.com/topic/2080003-malicious-powershell-script-causing-100-cpu-load-solved?page=1 did not solve it for us, but they were a good start.

    I don't want to give out the script yet, before it has been tested in F-Secure's lab.

    Per our observations, the malware does not work if you block connections to the control servers and run:
    ([WmiClass] 'root\default:Win32_Services') | Remove-WmiObject -Verbose

    Control servers from the two versions of WannaMine I've seen:
    '195.22.127.157', '93.174.93.73'
    '195.22.127.157', 'node.jhshxbv.com', 'node2.jhshxbv.com', 'node3.jhshxbv.com', 'node4.jhshxbv.com'

    The latest version of the function is now at https://github.com/AapeliH/clear-wannamine

  • #94318

    function Clear-WannaMine
    {
        [CmdletBinding()]
        Param
        (
            # Set path for the log location
            [Parameter(Mandatory=$false,
                       ValueFromPipelineByPropertyName=$true)]
            $LogPath='c:\temp\wannamine',

            # Use this to log all the objects that this script would remove, without removing them
            [Parameter(Mandatory=$false)]
            [switch]
            $logOnly
        )

        Begin
        {
            Write-Output "spinning up the clear-wannamine"
            $date = (Get-Date -Format "yyyyMMdd-HHmmss")
            if (-not (Test-Path $LogPath)) { New-Item -Path $LogPath -ItemType Directory -Confirm:$false -Force -Verbose }

            # Stop every other PowerShell process; the malware's miner runs from one of them
            Get-Process powershell | Where-Object { $_.Id -ne $PID } | Stop-Process -Confirm:$false -Verbose
        }
        Process
        {
            # Gather the live WMI objects the malware uses for persistence. They are kept unformatted:
            # Format-List output is formatting data, not WMI objects, and cannot be piped to Remove-WmiObject
            function Get-WannaMineObjects
            {
                [pscustomobject]@{
                    CommandLineEventConsumer = @(Get-WmiObject -Namespace root\Subscription -Class CommandLineEventConsumer  -ErrorAction SilentlyContinue)
                    FilterToConsumerBinding  = @(Get-WmiObject -Namespace root\Subscription -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue)
                    EventFilter              = @(Get-WmiObject -Namespace root\Subscription -Class __EventFilter             -ErrorAction SilentlyContinue)
                    Win32_Services           = @(Get-WmiObject -Namespace root\default      -Class Win32_Services            -ErrorAction SilentlyContinue)
                }
            }

            # Write one log file per object type; $Stage is logging, PreClean or PostClean
            function Write-StateLog ($State, $Stage)
            {
                $State.CommandLineEventConsumer | Format-List commandlinetemplate, name, workingdirectory, __path, __namespace | Out-File "$LogPath\$($date)_$($Stage)_CommandLineEventConsumer.txt"
                $State.FilterToConsumerBinding  | Format-List *                                | Out-File "$LogPath\$($date)_$($Stage)_FilterToConsumerBinding.txt"
                $State.EventFilter              | Format-List __namespace, __path, query, name | Out-File "$LogPath\$($date)_$($Stage)_EventFilter.txt"
                $State.Win32_Services           | Format-List *                                | Out-File "$LogPath\$($date)_$($Stage)_Win32_Services.txt"
            }

            $state = Get-WannaMineObjects

            if ($logOnly.IsPresent)
            {
                Write-StateLog -State $state -Stage 'logging'
            }
            else
            {
                Write-Output "starting cleanup"
                Write-StateLog -State $state -Stage 'PreClean'

                # Pipe the objects themselves to Remove-WmiObject rather than looking each one up again with a
                # hand-built WQL -Filter string; __FilterToConsumerBinding has no Name property to filter on anyway.
                # Bindings go first, then the consumers and filters they pointed at, then the malware's own class
                $state.FilterToConsumerBinding  | Remove-WmiObject -Verbose
                $state.CommandLineEventConsumer | Remove-WmiObject -Verbose
                $state.EventFilter              | Remove-WmiObject -Verbose
                $state.Win32_Services           | Remove-WmiObject -Verbose

                # Also drop the class definition from root\default, as in the first post; the cast throws if it is already gone
                try { ([WmiClass] 'root\default:Win32_Services') | Remove-WmiObject -Verbose }
                catch { Write-Verbose "root\default:Win32_Services class not present" }

                # Re-read everything so the post-clean log shows what, if anything, survived
                Write-StateLog -State (Get-WannaMineObjects) -Stage 'PostClean'
            }
        }
        End
        {
            Write-Output "Clear-Wannamine is finished"
        }
    }
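An inventory-only counterpart to the cleaner above, added here as an example; it is not code from this thread or from the clear-wannamine repository. It resolves every __FilterToConsumerBinding in root\subscription to its __EventFilter and consumer so you can see what a removal pass would actually take out, flags consumers whose launch command looks like a hidden or encoded PowerShell launcher, and reports whether the root\default:Win32_Services class mentioned in the first post exists. Nothing is removed. The function name, the returned object shape and the pattern list are this example's own choices, not anything from the thread.

```powershell
# Added example, not code from the thread or from the clear-wannamine repository.
# Resolves WMI event subscriptions to filter/consumer pairs and reports them without removing anything.
function Get-WmiSubscriptionReport {
    [CmdletBinding()]
    param(
        # Substrings that, in a consumer's launch command, mark it for closer review (constructed list)
        [string[]]$SuspiciousPattern = @('powershell', ' -e ', '-enc', '-w hidden', 'downloadstring', 'iex', 'invoke-expression')
    )

    $ns = 'root\subscription'
    $filters  = @(Get-WmiObject -Namespace $ns -Class __EventFilter -ErrorAction SilentlyContinue)
    $bindings = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue)
    # Both consumer types can launch code; the thread's cleaner only looks at CommandLineEventConsumer
    $consumers = @(Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer  -ErrorAction SilentlyContinue) +
                 @(Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer -ErrorAction SilentlyContinue)

    $subscriptions = foreach ($b in $bindings) {
        # With Get-WmiObject the Filter/Consumer properties are relative paths such as
        # __EventFilter.Name="SomeFilter"; the quoted part is the referenced object's Name
        $filterName   = ($b.Filter   -split '"')[1]
        $consumerName = ($b.Consumer -split '"')[1]

        $filter   = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $consumer = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

        # CommandLineEventConsumer carries CommandLineTemplate, ActiveScriptEventConsumer carries ScriptText
        $launch  = if ($consumer) { "$($consumer.CommandLineTemplate)$($consumer.ScriptText)" } else { '' }
        $flagged = $false
        foreach ($p in $SuspiciousPattern) {
            # -match is case-insensitive; escape the pattern so it is treated as a literal substring
            if ($launch -match [regex]::Escape($p)) { $flagged = $true; break }
        }

        [pscustomobject]@{
            Binding      = $b.__PATH
            FilterName   = $filterName
            Query        = if ($filter)   { $filter.Query }      else { '<filter missing>' }
            ConsumerName = $consumerName
            ConsumerType = if ($consumer) { $consumer.__CLASS }  else { '<consumer missing>' }
            Launch       = $launch
            Suspicious   = $flagged
        }
    }

    # The class the malware created in root\default; a clean machine has no such class.
    # -List with -Class returns the class definition itself (or nothing) rather than instances
    $wannaClass = Get-WmiObject -Namespace root\default -List -Class Win32_Services -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Subscriptions             = @($subscriptions)
        Win32ServicesClassPresent = [bool]$wannaClass
    }
}

# Usage: review the report first, then compare it with the files Clear-WannaMine -logOnly writes
$report = Get-WmiSubscriptionReport
$report.Subscriptions | Format-List
"root\default:Win32_Services class present: $($report.Win32ServicesClassPresent)"
```

Run it in an elevated PowerShell session, since root\subscription is not readable by standard users on every build. A binding whose filter or consumer is reported as missing is itself worth noting: removing only half of a subscription, as a partial cleanup can do, leaves exactly that kind of dangling reference behind, and the post-clean log written by the cleaner should show none of them.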

The topic ‘cleaning wannamine’ is closed to new replies.