Adylkuzz is a Trojan that uses the same vulnerability as WannaCry ransomware

Symantec has captured through its IPS systems a computer Trojan Adylkuzz, which uses the same vulnerability (MS17-010) as WannaCry in the SMB protocol in the first version. For now, from the 44 million attempts to use MS17-10 vulnerability, only 200 computers have been infected with Adylkuzz.

The purpose of Adylkuzz malware is to kick Monero cryptocurrency. The system installs the " cpuminer " program, and the Monero extraction operations show a clear CPU load. Of course, this translates into serious performance problems.

To verify the security of computers, we recommend scanning the entire operating system with one of the scanners at the forefront of our tests , as well as using Process Monitor, which will generate "tons" of system events byte by byte on the default filter settings. Searching the logs for specific strings can reveal the infection:

The Trojan creates new files:

% ProgramFiles% \ Hardware Driver Management \ windriver.exe

% Windir% \ Fonts \ wuauser.exe 

Gets next to the location:

% ProgramFiles% \ Microsoft.NET \ Primary Interop Assemblies \ LMS.dat

% Windir% \ Fonts \ msiexev.exe 

Runs the services:



Saves the logs:

% Temp% \ [RANDOM CHARACTERS] ._ Miner_.log 

More technical details including Symantec made available about network communication.

The protocol in the SMBv1 version should be turned off ( see how to do it ), take advantage of a newer solution or alternative applications of a similar type. Certainly, the EternalBlue exploit used by the NSA (and which got into the network) will be used in many ways.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.