My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

Doctor Web: Our users didn’t fall victim to the WannaCry encoder

May 15, 2017

On Friday, May 12, computers throughout the world were attacked by Trojan.Encoder.11432, which is also known as WannaCry, WannaCryptor, WanaCrypt0r, WCrypt, WCRY and WNCRY. The victims were government and commercial organizations and private individuals. Users of Dr.Web software have been and remain safe.

The very first modification of the Trojan known to Dr.Web (Wanna Decryptor 1.0) was analyzed in Doctor Web’s laboratory on March 27, 2017, at 07:20 a.m. and was added to virus databases at 11:51 a.m., later that same day.

Trojan.Encoder.11432, which is also known as WannaCry, started actively spreading on Friday evening, and by the weekend it had infected computers of large organizations all over the world.

Doctor Web obtained its sample on May 12 at 10:45 a.m. and added it to the Dr.Web virus databases.

Before it was added to the database, Dr.Web had detected the Trojan as BACKDOOR.Trojan.

The Trojan itself is a multi-component encoder named Trojan.Encoder.11432. It includes the following four components: a network worm, an encoder dropper, an encoder and the author’s encoder.

Trojan.Encoder.11432 encrypts files on an infected computer and demands a ransom for their decryption. The money must be transferred to the specified e-wallets in Bitcoin cryptocurrency.

The mass proliferation of the Trojan is being caused by a vulnerability in the SMB protocol. All Windows operating systems older than version 10 are subject to this vulnerability. Trojan.Encoder.11432 didn’t pose any threat to our users from the moment it started spreading.

To eliminate any chance of your computers getting infected with this Trojan, we recommend that you do the following:

  • Install the MS17-010 update for your operating system, which is available at, and all current security updates;
  • Update the Anti-virus;
  • Close attacked network ports (139, 445), using the firewall;
  • Disable the attacked and vulnerable service of the operating system;
  • Forbid the installation and running of new software (executable files);
  • Remove excessive user rights (rights for launching and installing new software);
  • Delete unnecessary services in the system;
  • Forbid access to the Tor network.

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments