Satoshi Nakamoto Blog

How to Ensure Wannacry Patch is Installed Correctly On Your Machine

They say WannaCrypt does not infect XP machines, but the problem does appear on Windows 7 machines without the WannaCry patch. We have seen the devastating cyber attack that crippled computers in UK hospitals, with the UK NHS citing that their machines were not patched against WannaCry.

Microsoft's statement at the time was "that those using Windows 10 were not infected"; though we cannot confirm this statement, it is clear that those who had installed the Windows patch for WannaCry were not hit.

The WannaCrypt ransomware exploits one of the vulnerabilities addressed by the MS17-010 update. Computers that do not have the WannaCry Windows patch are at heightened risk from several strains of malware.

In a large organization with hundreds of computers running Windows, verifying that the correct patch for WannaCry is installed can be taxing.

Security update MS17-010 addresses several vulnerabilities in Windows SMBv1 that are exploited by the WannaCrypt ransomware.

How do you make sure all of your Windows 7 computers are correctly patched for WannaCry? It would be good to have the KB numbers as well.

However, the KB that contains the update differs between Windows versions, and sometimes it is included in service packs or cumulative updates: it can be taxing!

Have a look here

However, there is another way to check for correct patching:

MS17-010 installs a patched version of %systemroot%\system32\drivers\srv.sys.

You can check the file version and compare it with this list:

Windows XP: 5.1.2600.7208
Windows Server 2003 SP2: 5.2.3790.6021
Windows Vista, Windows Server 2008 SP2: GDR: 6.0.6002.19743, LDR: 6.0.6002.24067
Windows 7, Windows Server 2008 R2: 6.1.7601.23689
Windows 8, Windows Server 2012: 6.2.9200.22099
Windows 8.1, Windows Server 2012 R2: 6.3.9600.18604
Windows 10 TH1 v1507: 10.0.10240.17319
Windows 10 TH2 v1511: 10.0.10586.839
Windows 10 RS1 v1607, Windows Server 2016: 10.0.14393.953

If the version installed on your system is equal to or greater than the version in the list, the OS is correctly patched.

Automate it!

The srv.sys file version can be extracted simply using wmic (note that backslashes in the WQL path must be doubled):

C:\>WMIC DATAFILE WHERE name="c:\\windows\\system32\\drivers\\srv.sys" get Version /format:Textvaluelist

[Screenshot: output on Windows 10]

The above command can be included in a batch script that compares the reported file version against the correct one for that OS.
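When the wmic output has been collected from many machines, the comparison against the table above is best done centrally. The following Python script is an added example, not code from the original post or from Microsoft: it parses the `Key=Value` lines that `/format:Textvaluelist` produces, looks up the expected srv.sys version from the page's table (keyed by OS caption and, for Windows 10, by build number), and compares numerically. The host records, captions and the version strings in the sample inventory are constructed for illustration; the comparison uses integer tuples on purpose, because a plain string comparison would wrongly report a later build such as a constructed "10.0.14393.1198" as lower than "10.0.14393.953".

```python
"""Fleet-side MS17-010 check from collected srv.sys versions (added example)."""
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Expected srv.sys versions, copied from the table in the post.
EXPECTED = {
    "xp": "5.1.2600.7208",
    "2003": "5.2.3790.6021",
    "vista_gdr": "6.0.6002.19743",
    "vista_ldr": "6.0.6002.24067",
    "win7": "6.1.7601.23689",
    "win8": "6.2.9200.22099",
    "win81": "6.3.9600.18604",
    "10240": "10.0.10240.17319",   # Windows 10 TH1
    "10586": "10.0.10586.839",     # Windows 10 TH2
    "14393": "10.0.14393.953",     # Windows 10 RS1 and Server 2016
}


def parse_version(text: str) -> Version:
    """Turn 'a.b.c.d' into a tuple of ints so comparisons are numeric."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(p) for p in parts)  # type: ignore[return-value]


def parse_wmic_textvaluelist(output: str) -> dict:
    """Parse the 'Key=Value' lines emitted by WMIC ... /format:Textvaluelist."""
    kv = {}
    for line in output.splitlines():
        line = line.strip()
        if "=" in line:
            key, value = line.split("=", 1)
            kv[key.strip()] = value.strip()
    return kv


def expected_version(caption: str, build: str, srv_version: str) -> Optional[Version]:
    """Map an OS caption/build to the expected version; None if not in the table."""
    c = caption
    if "Vista" in c or ("2008" in c and "R2" not in c):
        # GDR vs LDR is decided by the leading digit of the 4th component.
        fourth = str(parse_version(srv_version)[3])
        if fourth.startswith("1"):
            return parse_version(EXPECTED["vista_gdr"])
        if fourth.startswith("2"):
            return parse_version(EXPECTED["vista_ldr"])
        return None
    if "Windows 7" in c or "2008 R2" in c:
        return parse_version(EXPECTED["win7"])
    if "Windows 8.1" in c or "2012 R2" in c:   # must precede the "Windows 8"/"2012" test
        return parse_version(EXPECTED["win81"])
    if "Windows 8" in c or "2012" in c:
        return parse_version(EXPECTED["win8"])
    if "Windows 10" in c or "2016" in c:
        return parse_version(EXPECTED[build]) if build in EXPECTED else None
    if "Windows XP" in c:
        return parse_version(EXPECTED["xp"])
    if "2003" in c:
        return parse_version(EXPECTED["2003"])
    return None


def check_host(caption: str, build: str, srv_version: str) -> str:
    """Return 'patched', 'NOT patched' or 'unknown' for one inventory record."""
    if "Windows 10" in caption and build == "15063":
        return "patched"  # RS2 shipped with the fix, per the post
    try:
        actual = parse_version(srv_version)
    except ValueError:
        return "unknown"
    expected = expected_version(caption, build, srv_version)
    if expected is None:
        return "unknown"
    return "patched" if actual >= expected else "NOT patched"


# Constructed inventory: hostnames, captions and srv.sys versions are made up.
SAMPLE_INVENTORY = [
    ("WKS-01", "Microsoft Windows 7 Professional", "7601", "\n\nVersion=6.1.7601.17514\n\n"),
    ("WKS-02", "Microsoft Windows 7 Professional", "7601", "\n\nVersion=6.1.7601.23689\n\n"),
    ("WKS-03", "Microsoft Windows 10 Pro", "14393", "\n\nVersion=10.0.14393.1198\n\n"),
    ("SRV-01", "Microsoft Windows Server 2016 Standard", "14393", "\n\nVersion=10.0.14393.953\n\n"),
    ("LAB-01", "Microsoft Windows Vista Business", "6002", "\n\nVersion=6.0.6002.19623\n\n"),
]


def report(inventory=SAMPLE_INVENTORY) -> dict:
    """Evaluate every record and return {hostname: state}."""
    results = {}
    for host, caption, build, wmic_output in inventory:
        version = parse_wmic_textvaluelist(wmic_output).get("Version", "")
        results[host] = check_host(caption, build, version)
    return results


if __name__ == "__main__":
    for host, state in report().items():
        print(f"{host}: {state}")
```

Hosts whose caption or build is not in the table come back as "unknown" rather than "patched", so they are surfaced for manual review instead of silently passing.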

Microsoft support also provides a PowerShell script that automates the entire process:

# Read the OS caption and build number, then locate srv.sys.
$os = Get-WmiObject -class Win32_OperatingSystem
$osName = $os.Caption
$s = "%systemroot%\system32\drivers\srv.sys"
$v = [System.Environment]::ExpandEnvironmentVariables($s)
If (Test-Path "$v")
{
    Try
    {
        # Build a System.Version so the comparison is numeric, not string-based.
        $versionInfo = (Get-Item $v).VersionInfo
        $versionString = "$($versionInfo.FileMajorPart).$($versionInfo.FileMinorPart).$($versionInfo.FileBuildPart).$($versionInfo.FilePrivatePart)"
        $fileVersion = New-Object System.Version($versionString)
    }
    Catch
    {
        Write-Host "Unable to retrieve file version info, please verify vulnerability state manually." -ForegroundColor Yellow
        Return
    }
}
Else
{
    Write-Host "Srv.sys does not exist, please verify vulnerability state manually." -ForegroundColor Yellow
    Return
}

# Pick the expected srv.sys version for this OS (values from the MS17-010 table).
if ($osName.Contains("Vista") -or ($osName.Contains("2008") -and -not $osName.Contains("R2")))
{
    # Vista / Server 2008 SP2: GDR and LDR branches have different expected versions.
    if ($versionString.Split('.')[3][0] -eq "1")
    {
        $currentOS = "$osName GDR"
        $expectedVersion = New-Object System.Version("6.0.6002.19743")
    }
    elseif ($versionString.Split('.')[3][0] -eq "2")
    {
        $currentOS = "$osName LDR"
        $expectedVersion = New-Object System.Version("6.0.6002.24067")
    }
    else
    {
        # Unknown branch: sentinel version forces a "NOT Patched" result.
        $currentOS = "$osName"
        $expectedVersion = New-Object System.Version("9.9.9999.99999")
    }
}
elseif ($osName.Contains("Windows 7") -or ($osName.Contains("2008 R2")))
{
    $currentOS = "$osName LDR"
    $expectedVersion = New-Object System.Version("6.1.7601.23689")
}
elseif ($osName.Contains("Windows 8.1") -or $osName.Contains("2012 R2"))
{
    # Must be tested before "Windows 8" / "2012", which these captions also contain.
    $currentOS = "$osName LDR"
    $expectedVersion = New-Object System.Version("6.3.9600.18604")
}
elseif ($osName.Contains("Windows 8") -or $osName.Contains("2012"))
{
    $currentOS = "$osName LDR"
    $expectedVersion = New-Object System.Version("6.2.9200.22099")
}
elseif ($osName.Contains("Windows 10"))
{
    # Windows 10 is keyed by build number.
    if ($os.BuildNumber -eq "10240")
    {
        $currentOS = "$osName TH1"
        $expectedVersion = New-Object System.Version("10.0.10240.17319")
    }
    elseif ($os.BuildNumber -eq "10586")
    {
        $currentOS = "$osName TH2"
        $expectedVersion = New-Object System.Version("10.0.10586.839")
    }
    elseif ($os.BuildNumber -eq "14393")
    {
        $currentOS = "$($osName) RS1"
        $expectedVersion = New-Object System.Version("10.0.14393.953")
    }
    elseif ($os.BuildNumber -eq "15063")
    {
        $currentOS = "$osName RS2"
        Write-Host "No need to Patch. RS2 is released as patched." -ForegroundColor Green
        # Lowest possible version so the comparison below reports "Patched".
        $expectedVersion = New-Object System.Version("0.0.0.0")
    }
    else
    {
        Write-Host "Unable to determine OS applicability, please verify vulnerability state manually." -ForegroundColor Yellow
        $currentOS = "$osName"
        $expectedVersion = New-Object System.Version("9.9.9999.99999")
    }
}
elseif ($osName.Contains("2016"))
{
    $currentOS = "$osName"
    $expectedVersion = New-Object System.Version("10.0.14393.953")
}
elseif ($osName.Contains("Windows XP"))
{
    $currentOS = "$osName"
    $expectedVersion = New-Object System.Version("5.1.2600.7208")
}
elseif ($osName.Contains("Server 2003"))
{
    $currentOS = "$osName"
    $expectedVersion = New-Object System.Version("5.2.3790.6021")
}
else
{
    Write-Host "Unable to determine OS applicability, please verify vulnerability state manually." -ForegroundColor Yellow
    $currentOS = "$osName"
    $expectedVersion = New-Object System.Version("9.9.9999.99999")
}

# Report and compare: anything below the expected version is unpatched.
Write-Host "`n`nCurrent OS: $currentOS (Build Number $($os.BuildNumber))" -ForegroundColor Cyan
Write-Host "`nExpected Version of srv.sys: $($expectedVersion.ToString())" -ForegroundColor Cyan
Write-Host "`nActual Version of srv.sys: $($fileVersion.ToString())" -ForegroundColor Cyan
If ($($fileVersion.CompareTo($expectedVersion)) -lt 0)
{
    Write-Host "`n`n"
    Write-Host "System is NOT Patched" -ForegroundColor Red
}
Else
{
    Write-Host "`n`n"
    Write-Host "System is Patched" -ForegroundColor Green
}

Set the execution policy to 'Unrestricted' in order to run the script.
