Attacked by "DoublePulsar"!

Your PC has been subjected to the "DoublePulsar" attack. A remote attacker has exploited a flaw in the Windows file sharing service to remotely take over your PC.

Description
Your PC has been subjected to the "DoublePulsar" attack, used by the infamous "WannaCry" ransomware worm. On the affected PC, a malicious, NSA-derived backdoor called "DoublePulsar" has been silently installed over the network. WannaCry (WanaCrypt0r) ransomware performed the same type of attack and infected thousands of computers worldwide on May 12th, 2017.

Follow the instructions in Solution to remove the "DoublePulsar" backdoor and prevent WannaCry and further threats of this nature from infecting your PC again.

Solution
To solve this problem, immediately install the MS17-010 security update on the affected system after a restart and while disconnected from the network. Select your Windows version to view further instructions on how to fix the problem:

Windows 10

Windows 8 / 8.1

Windows 7

Windows Vista

Windows XP

Details

We have identified the following problem with a PC in your network:

"DoublePulsar" backdoor code resident in memory


Severity: High

Reference: MS17-010 | CVE-2017-0143

Description:
Your PC is infected: it currently has the "DoublePulsar" backdoor code resident in memory. An attacker or a worm has planted it there, and the backdoor is listening for commands, which can include installing malware (such as the infamous "WannaCry" ransomware) or stealing sensitive information. This backdoor attack code leaked from the NSA in April 2017 and has since been adapted into multiple strains of malware that infect unpatched systems worldwide.

We recommend performing the above removal steps immediately. It is important to restart the device while disconnected from the network. Restarting drops the backdoor code from memory and being disconnected from the network prevents the PC from being re-infected before the patch is applied.

The infection occurred because this PC is running an outdated version of the Windows File and Printer Sharing service (SMB), which contains a vulnerability known as EternalBlue, designated CVE-2017-0143. This vulnerability allows for remote code execution over the network. This means that if file sharing is on and TCP port 445 is not blocked by a firewall, a malicious actor can use the exploit code to remotely gain control over the PC and potentially install malware. On the PC that your network scan found, this exploit code is already present.

Microsoft released a fix for the EternalBlue vulnerability for Windows 10, Windows 8.1, Windows 7, and Windows Vista in security bulletin MS17-010, issued in March 2017, and for Windows 8 and Windows XP in May 2017. Applying this fix correctly, together with the restart that removes the current infection, will patch the vulnerability and prevent further infections of this nature.

The "DoublePulsar" attack was used on a large scale on May 12 2017, when the WannaCry (WanaCrypt0r) ransomware worm abused the vulnerability and exploit to infect thousands of computers worldwide. You can find more information about the ransomware attack on our blog:

» Ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50,000 attacks so far, today

In technical terms, the EternalBlue vulnerability affects unpatched implementations of the first version of the SMB protocol (commonly known as SMBv1). SMBv2 and newer, which are available from Windows 7 onwards, are not affected. However, even newer systems still ship with SMBv1 support and should be patched immediately, or at the very least have SMBv1 disabled.

All Microsoft Windows versions from Windows XP to Windows 10 Anniversary Update are potentially affected. Other operating systems running different implementations of the SMB protocol (such as Samba on Linux) are not vulnerable to this attack.

Recommendation:
Apply the MS17-010 security update that addresses the issue. Only do so while disconnected from the network and after a restart.

If the affected PC is another PC in your network and it doesn't have Avast installed, the "DoublePulsar" backdoor could have installed malware on it, possibly even the infamous WannaCry ransomware. Install Avast Free Antivirus and run a Boot-time scan on it to remove any potential threats.

Both Avast Premier and Avast Internet Security include a built-in Firewall; using these versions of Avast and setting the Firewall profile to Public will prevent infections over the network.
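The three mitigations this page describes (verify the MS17-010 update is installed, disable SMBv1, and block inbound TCP port 445) can be checked and applied from an elevated PowerShell prompt. The script below is an added example written for this page, not Avast's own tooling; it assumes it is run after the restart and while the PC is still disconnected from the network, that the Windows 8/Server 2012-era Smb and Net cmdlets are available (with a registry fallback for Windows 7), and that `$Ms17010Kbs` is a placeholder the administrator fills in with the KB number for this PC's Windows version from the MS17-010 bulletin.

```powershell
# Added example: post-restart hardening check for an EternalBlue/DoublePulsar alert.
# Run elevated, offline, after the reboot that flushed the backdoor from memory.
# $Ms17010Kbs is a PLACEHOLDER: look up the KB for this OS build in MS17-010.
$Ms17010Kbs = @('KB-PLACEHOLDER-FROM-MS17-010')

# 1. Is the MS17-010 fix installed? Get-HotFix lists installed updates by HotFixID.
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) { Write-Host "MS17-010 present: $($installed.HotFixID -join ', ')" }
else            { Write-Warning "MS17-010 not found: install it before reconnecting" }

# 2. EternalBlue only affects SMBv1, so turn the SMBv1 server off.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later expose SMBv1 via the Smb cmdlets.
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Write-Warning "SMBv1 server is enabled; disabling it"
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else { Write-Host "SMBv1 server already disabled" }
} else {
    # Windows 7 fallback: the documented LanmanServer 'SMB1' value (0 = disabled).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    Write-Host "SMB1 registry value set to 0 (takes effect after the next reboot)"
}

# 3. Show what is listening on TCP 445 and make sure inbound 445 is blocked on the
#    Public profile, matching the "set the Firewall profile to Public" advice above.
#    (Blocking it on Private/Domain as well would also stop legitimate file sharing.)
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize

$ruleName = 'Block inbound SMB TCP 445 (Public)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Public | Out-Null
    Write-Host "Inbound TCP 445 is now blocked on the Public firewall profile"
} else { Write-Host "Inbound TCP 445 block rule already present" }
```

Reconnect the PC to the network only once step 1 reports the update as present; steps 2 and 3 reduce exposure but do not replace the patch.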

© 1988-2021 Copyright Avast Software s.r.o.