Adylkuzz is a Trojan that uses the same vulnerability as WannaCry ransomware
Symantec has detected, through its IPS systems, a Trojan named Adylkuzz, which exploits the same vulnerability (MS17-010) in the SMBv1 protocol as WannaCry. So far, out of 44 million attempts to exploit the MS17-010 vulnerability, only 200 computers have been infected with Adylkuzz.
The purpose of the Adylkuzz malware is to mine the Monero cryptocurrency. It installs the "cpuminer" program on the system, and the Monero mining operations produce a clearly visible CPU load, which of course translates into serious performance problems.
To verify that a computer is clean, we recommend scanning the entire operating system with one of the scanners leading in our tests, and also running Process Monitor, which with its default filter settings will record "tons" of system events. Searching those logs for specific strings can reveal the infection:
The Trojan creates new files:
%ProgramFiles%\Hardware Driver Management\windriver.exe
%Windir%\Fonts\wuauser.exe
It also writes files to the following locations:
%ProgramFiles%\Microsoft.NET\Primary Interop Assemblies\LMS.dat
%Windir%\Fonts\msiexev.exe
Runs the services:
Saves its logs to:
%Temp%\[RANDOM CHARACTERS]._Miner_.log
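As an added example (not code from the article or from Symantec), the following Python script searches a Process Monitor CSV export for the file artifacts listed above; the sample export is constructed, and the expanded paths assume the default locations of %ProgramFiles%, %Windir% and %Temp%.

```python
import csv
import io
import re

# File artifacts named in the article, without the environment-variable prefix
# so that any expansion of %ProgramFiles% / %Windir% matches.
ADYLKUZZ_PATHS = [
    r"\Hardware Driver Management\windriver.exe",
    r"\Fonts\wuauser.exe",
    r"\Primary Interop Assemblies\LMS.dat",
    r"\Fonts\msiexev.exe",
]
# %Temp%\[RANDOM CHARACTERS]._Miner_.log : the random prefix is matched with a regex.
MINER_LOG_RE = re.compile(r"\\[^\\]+\._Miner_\.log$", re.IGNORECASE)


def scan_procmon_csv(csv_text):
    """Return (line_no, process_name, path) for events touching Adylkuzz artifacts.

    Expects Process Monitor's CSV export with its default columns:
    Time of Day, Process Name, PID, Operation, Path, Result, Detail.
    """
    hits = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        path = row.get("Path", "")
        lowered = path.lower()
        if any(p.lower() in lowered for p in ADYLKUZZ_PATHS) or MINER_LOG_RE.search(path):
            hits.append((line_no, row.get("Process Name", ""), path))
    return hits


# Constructed sample export (not a real capture): two benign events, three suspicious ones.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","1234","CreateFile","C:\\Users\\alice\\Documents\\notes.txt","SUCCESS",""
"10:01:02.2","windriver.exe","4321","CreateFile","C:\\Program Files\\Hardware Driver Management\\windriver.exe","SUCCESS",""
"10:01:02.3","svchost.exe","800","QueryOpen","C:\\Windows\\System32\\drivers\\etc\\hosts","SUCCESS",""
"10:01:02.4","wuauser.exe","4444","WriteFile","C:\\Users\\alice\\AppData\\Local\\Temp\\k3j9x2._Miner_.log","SUCCESS",""
"10:01:02.5","wuauser.exe","4444","CreateFile","C:\\Windows\\Fonts\\msiexev.exe","SUCCESS",""
"""

if __name__ == "__main__":
    for line_no, proc, path in scan_procmon_csv(SAMPLE_CSV):
        print(f"line {line_no}: {proc} -> {path}")
```

Point the function at a real export (File > Save as CSV in Process Monitor) to check a suspect machine; a hit on any of these paths warrants a full scan.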
Symantec has published more technical details, including information about the network communication.
SMBv1 should be disabled (see how to do it) in favour of a newer version of the protocol or an alternative application of a similar type. The EternalBlue exploit, developed by the NSA (and later leaked onto the Internet), will certainly be used in many more ways.
We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.