If you’re already been infected by WannaCry infection maybe you should block these ports to avoid any damage to your computer. Let’s start by blocking some ports.
Ports to block. info about these ports here: read
- 445 “This port replaces the notorious Windows NetBIOS trio (ports 137-139), for all versions of Windows after NT, as the preferred port for carrying Windows file sharing and numerous other services.”
- 137
- 138
- 139
Step 1: How to block these ports to prevent WannaCry?
You can do it by making some changes to your registry.
- Click “Start”, “Run”, type “regedit” to open the registry.
- Locate the registry key “HKEY_LOCAL_MACHINE\System\Controlset\Services\NetBT\Parameters”
- Select “Parameters” New Right “DWORD Value.”
- Rename the DWORD value as “SMBDeviceEnabled”
- Right-click “SMBDeviceEnabled” select “Edit” in the “numerical data”, “0”
|
1 2 3 4 5 |
Hive: HKEY_LOCAL_MACHINE Key: System\CurrentControlSet\Services\NetBT\Parameters Name: SMBDeviceEnabled Type: REG_DWORD Value: 0 |
After completing step 1 you have to restart your computer and when your boot up completly now you have to make sure if that port us closed or not you can simply do it through CMD.
|
1 |
netstat -an | findstr 445 |
As you can see in the above screenshot mine is listening.. because i haven’t closed it for this article. And im not infected with WannaCry.. If you are infected with that you must have an established connection with there servers.
Step 2: Configure Firewall to Prevent WannaCry?
What dose Firewall do to prevent this infected ports?
Basically it will prevent you to established connection with that infected servers which WannaCry is using And prevent you to connect to 445 port. So you need to add some inbound rules to block access for these ports.
Firewall Advanced Settings – Inbound rules – Right-click New Rule – Select UDP, the port number in the dialog box to write 445.
Step 3: Shut down the server service
Once your done with the firewall you have to stop those services which is using that port. In order to do that, Open up CMD with Administrator Permission.
Type:
|
1 |
net stop server |
After that you need to restart your computer again.
Disable SMBv1
WannaCryToolkit scanner and removal toolkit
Trustlook has released a scanner and removal toolkit to help system administrators protect Windows computers that are either vulnerable to or have been infected with the dangerous strain of ransomware known as WannaCry.
Installation:
|
1 2 3 |
git clone https://github.com/apkjet/TrustlookWannaCryToolkit.git cd TrustlookWannaCryToolkit/scanner/ pip install -r requirements.txt |
Usage:
|
1 2 3 4 5 6 7 8 |
Usage: wannacry_tlscan.py host/network Example: wannacry_tlscan.py 192.168.0.100 wannacry_tlscan.py 192.168.0.0/24 Single host scan wannacry_tlscan.py 192.168.0.100 Single a network wannacry_tlscan.py 192.168.0.0/24 |
1. Run
tl_wannacry_console.exe and tl_wannacry_no_console.exe prevent WannaCry Ransomeware to encrypt user’s files.
The two tools works pretty much the same, except tl_wannacry_console.exe comes with a console to show some progress information. tl_wannacry_no_console.exe runs in background.
Users may want to add tl__wannacry_no_console.exe to Windows startup script, so everytime user start his computer, Trustlook WannaCry Vaccine Tool will start prevent your system from being affected.
2. Add to Windows startup script
add tl_wannacry_no_console.exe value to following register script
Add to windows startup script:
|
1 2 3 4 |
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce |
