Your browser is obsolete!

The page may not load correctly.

Free trial
Dr.Web for Android

Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support

Send a message

Call us

+7 (495) 789-45-86

Forum
Profile

Back to news

Doctor Web: Our users didn’t fall victim to the WannaCry encoder

May 15, 2017

On Friday, May 12, computers throughout the world were attacked by Trojan.Encoder.11432, which is also known as WannaCry, WannaCryptor, WanaCrypt0r, WCrypt, WCRY and WNCRY. The victims were government and commercial organizations and private individuals. Users of Dr.Web software have been and remain safe.

The very first modification of the Trojan known to Dr.Web (Wanna Decryptor 1.0) was analyzed in Doctor Web’s laboratory on March 27, 2017, at 07:20 a.m. and was added to virus databases at 11:51 a.m., later that same day.

Trojan.Encoder.11432, which is also known as WannaCry, started actively spreading on Friday evening, and by the weekend it had infected computers of large organizations all over the world.

Doctor Web obtained its sample on May 12 at 10:45 a.m. and added it to the Dr.Web virus databases.

Before it was added to the database, Dr.Web had detected the Trojan as BACKDOOR.Trojan.

The Trojan itself is a multi-component encoder named Trojan.Encoder.11432. It includes the following four components: a network worm, an encoder dropper, an encoder and the author’s encoder.

Trojan.Encoder.11432 encrypts files on an infected computer and demands a ransom for their decryption. The money must be transferred to the specified e-wallets in Bitcoin cryptocurrency.

The mass proliferation of the Trojan is being caused by a vulnerability in the SMB protocol. All Windows operating systems older than version 10 are subject to this vulnerability. Trojan.Encoder.11432 didn’t pose any threat to our users from the moment it started spreading.

To eliminate any chance of your computers getting infected with this Trojan, we recommend that you do the following:

  • Install the MS17-010 update for your operating system, which is available at technet.microsoft.com/en-us/library/security/ms17-010.aspx, and all current security updates;
  • Update the Anti-virus;
  • Close attacked network ports (139, 445), using the firewall;
  • Disable the attacked and vulnerable service of the operating system;
  • Forbid the installation and running of new software (executable files);
  • Remove excessive user rights (rights for launching and installing new software);
  • Delete unnecessary services in the system;
  • Forbid access to the Tor network.

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2017

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040