Last updated: 03/July/2017 1:39 PM NZST

Hi all,

Due to the extended news coverage of recent ransomware outbreaks, below is some advice that may help set your mind at rest. This page helps you discover whether your computer(s) is (are) protected against "Wannacry" and what is now being called "Petya", but has also been called "NotPetya", "PetrWrap" and "exPetya". The common element is that these all rely on a known vulnerability in old versions of a Windows file called "srv.sys". That file is replaced/updated in many different Windows Updates, so as long as your PC is automatically updating successfully, you're likely not to be vulnerable to this, and to many similar attacks.

Remember, the golden rules for general behaviour and computer use are:
Regards, Joe.

If you want to see if you are protected:
Step 1 - finding your Windows Version

This article details the bug this ransomware (and the previous outbreak) exploits: "Microsoft Security Bulletin MS17-010 - Critical" https://technet.microsoft.com/library/security/MS17-010

This article details how to establish whether the fix for MS17-010 (above) is applied: "How to verify that MS17-010 is installed"

In both articles, it is essential to know your Windows Version information. Discover this as follows...

Major Windows Version Name and 32 or 64 bit

Holding down the Windows Key then tapping Pause/Break(*) brings up Control Panel > All Control Panel Items > System, and that shows you what flavour you have (7, 8, 10, Home/Pro etc.) and whether you have a 32-bit or 64-bit Operating System...

(*) The Pause/Break key varies widely. It is usually at the top and towards the right; on laptops it is often combined on a Function (Fn) key and used with a Ctrl or Fn key combo!

NOTE: The "Processor" might be 64-bit, but you could still have a 32-bit "Operating System", and it is the "Operating System" bits that you need to know!

Windows Version Number

Next you need the Windows Version Number. To find that, run "winver" from Start/Run or a CMD window, or just search for it... and look for the Version # in the resulting Window... so in the example above, "1511" is the magic number!

Step 2 - Is the Update applied?

Two methods here. 1) Find and check the version of the file srv.sys, or 2) Establish that a KBXXXXXXX Update incorporating the fix to srv.sys has been applied/installed (much harder!)

Method A - srv.sys version

Open this "Microsoft Support article" and keep it handy... "How to verify that MS17-010 is installed"

When various different updates are installed, the end result is usually to replace core Operating System files. Often these are loaded into working Memory during boot up, hence why we often have to restart a system to apply some updates and allow them to work. In the case of this particular exploit, the file %systemroot%\system32\drivers\srv.sys had a bug, and this is fixed in a particular release (and later releases) of said file. Checking this confirms that it has been updated.

Manual Check of srv.sys

The manual way to check is to find the file and inspect its properties. %systemroot% is a system variable that usually equates to "C:\Windows". You can enter the variable and path/file name into your Windows/File Explorer address bar as "%systemroot%\system32\drivers\" (Windows 10 example shown)...

Once you see the file listed, right-click on it and select "Properties". Select the "Details" tab and check the "File version" there (i.e. not the "Product version")...

So, in this case we read "10.0.10586.916" as our result. We'll check that in the Microsoft Support article mentioned above. Look for this section in that article: "Method 2: Check by %systemroot%\system32\drivers\srv.sys file version". In that table, look for your Windows version as described further above... Look for the version number and compare it to what is on your system. In the example shown, we look up Windows 10 version 1511 and see 10.0.10586.839.
When we checked the file on our PC (above), it had version 10.0.10586.916 - a newer (higher) number, which is good news :)

Check of srv.sys by PowerShell script

It is quite easy to run the PowerShell script in the Microsoft Support article. Open the article and look for "PowerShell script"...

To save the script to a .ps1 file, copy all the text in the box, open Notepad, and paste the text there. Add the following to the end, on the line after the #, which will enable a "pause" so that the results stay on screen :) ...

Write-Host ""
Write-Host "--------------------------------------------------"
Write-Host "Press any key to continue ..."
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

Save the file, calling it "CheckSRV.ps1" or something similar, in a place you can easily find it again, like your Desktop or your Downloads Folder.

NOTE: Because Windows systems have the "hide file extensions" option turned on by default, it is critical that when saving from Notepad you select "Save as type:" ... "All Files", otherwise the system might add ".txt" on the end, and then the script will not run!...

Now, find the saved script file in Windows/File Explorer, and double-click it... It will normally execute within "Windows PowerShell" and display something like the following...

So, in this example, good news! - "System is Patched"!

Method B - KBXXXXXXX Installed

This method is a bit tougher, but can work. The frustrating thing is that there are multiple "Updates" of format KBXXXXXXX that Microsoft may have installed on your system, and it's sometimes very hard to find one of them actually installed. Remember - if your system is successfully installing patches automatically, you should be OK anyway, as the machine will be up to date. If in doubt regarding this particular malware (Petya-based), the bottom line is the srv.sys file version (see the methods to check this, above).
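Putting Step 1 and Method A together in one script, as an added example written for this page (it is not the original page's text and not Microsoft's script from the support article): it reads the Windows version facts that System and winver show, reads the srv.sys file version, and compares it to a minimum patched version. The only table row it knows is the one this page quotes (Windows 10 version 1511 needs 10.0.10586.839); the registry values and .NET properties used are standard Windows ones.

```powershell
# Added example (not the page's or Microsoft's code). Only the Windows 10 version
# 1511 row (10.0.10586.839) comes from this page; copy the other rows from the
# table in "How to verify that MS17-010 is installed" into this hashtable.
$MinimumSrvVersion = @{
    '1511' = [version]'10.0.10586.839'
}

function Get-WindowsVersionInfo {
    # Same facts as Control Panel > System and winver: edition, release, build, OS bits.
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName = $nt.ProductName
        ReleaseId   = $nt.ReleaseId     # e.g. 1511; absent on releases before Windows 10 1511
        Build       = $nt.CurrentBuild
        Is64BitOS   = [Environment]::Is64BitOperatingSystem   # OS bits, not processor bits
    }
}

function Get-SrvSysVersion {
    # Build a comparable [version] from the numeric parts rather than parsing the
    # FileVersion string, which often carries a build-branch suffix in parentheses.
    $vi = (Get-Item (Join-Path $env:SystemRoot 'System32\drivers\srv.sys')).VersionInfo
    New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Test-SrvSysPatched {
    # Equal to or newer than the table's version means the fixed file is present.
    param([Parameter(Mandatory = $true)][version]$MinimumVersion)
    $actual = Get-SrvSysVersion
    [pscustomobject]@{
        Installed = $actual
        Required  = $MinimumVersion
        Patched   = ($actual -ge $MinimumVersion)
    }
}

$os = Get-WindowsVersionInfo
$os | Format-List
$release = [string]$os.ReleaseId
if ($MinimumSrvVersion.ContainsKey($release)) {
    Test-SrvSysPatched -MinimumVersion $MinimumSrvVersion[$release] | Format-List
} else {
    Write-Host "No table row here for release '$release'. Look it up in the article, then run:"
    Write-Host "  Test-SrvSysPatched -MinimumVersion '<version from the table>'"
}
```

If the default execution policy refuses to run the saved file, start it from a PowerShell window with `powershell.exe -ExecutionPolicy Bypass -File .\CheckSrv.ps1` rather than double-clicking it.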
First you must establish your Windows version information, per above - such that you know whether it is Windows 7, 8 or 10, whether 32-bit or 64-bit, and what its version number is. See above in "Step 1 - finding your Windows Version".

Now you can look up some KBXXXXXXX Updates that might be installed on your system. The best page to use is...
...as it details how to establish whether the fix for MS17-010 (below) is applied. This article details the explicit Updates first used to fix the file these particular ransomware outbreaks have exploited...
You may have to look at both articles, and check all KBXXXXXXX Updates possible for your PC. To confirm that the relevant Update above is installed, you have to look for it as KBXXXXXXX (e.g. KB4012212). The most common versions are:

To check whether a KBXXXXXXX Update is installed:

In Windows 7, run Control Panel > Programs > Programs and Features and look for the hyperlink at left "View installed updates". Click that. Then, in the search box at top right, search for your KBXXXXXXX item. Note - you can't search for only part of it, such as KB401 or something; that won't work. The whole string only. You should find something like:

In Windows 10, use the "Search" near the Windows Start Button (bottom left) and type in Updates... look for "View installed updates" and run that. This should put you in Control Panel > All Control Panel Items > Programs and Features > Installed Updates. Then, in the search box at top right, search for your KBXXXXXXX item. Note - you can't search for only part of it, such as KB401 or something; that won't work. The whole string only!

NOTE re Windows 10 v1607: It is very hard to find the appropriate install on this version of Windows. There is a second place to look for Update History. Use the "Search" near the Windows Start Button again (bottom left) and type in Updates again, but this time select "Windows Update settings" (it shows this as being in "System settings"). Once there, look for this link, "Update history"...

The highlighted KB4019472 in this example does indeed correspond to the same KB mentioned in Table 1 on page... Thanks Microsoft - that was so easy.

I hope this helps. Joe!

Please contact me as you wish, per the Contact page...
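The two places Method B has you search by hand (the "Installed Updates" list, and the "Update history" page that is needed on Windows 10 v1607) can be queried in one go. This is an added PowerShell example written for this page, not the page's own text; it uses the standard Get-HotFix cmdlet and the Windows Update Agent COM object, and the KB numbers in it are the two this page mentions (KB4012212 and KB4019472), not a complete list.

```powershell
# Added example (not from the original page). Checks the KB numbers named on the
# page in both places the page describes. Get-HotFix reads the same data as
# Control Panel's "Installed Updates"; the Update history COM query reads the
# Settings > "Update history" list, which on 1607 is often the only place a
# cumulative update shows up.
$CandidateKBs = @('KB4012212', 'KB4019472')   # the two IDs this page mentions

function Get-InstalledHotFixIds {
    # Equivalent of Control Panel > Programs and Features > Installed Updates.
    Get-HotFix | Select-Object -ExpandProperty HotFixID
}

function Get-UpdateHistoryKBs {
    # Equivalent of Settings > Windows Update > Update history. Titles read like
    # "Cumulative Update for Windows 10 ... (KB4019472)"; ResultCode 2 = Succeeded.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $count = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }
    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.ResultCode -eq 2 } |
        ForEach-Object { [regex]::Matches($_.Title, 'KB\d{6,7}') | ForEach-Object Value } |
        Sort-Object -Unique
}

function Test-KBInstalled {
    param([string[]]$KB = $CandidateKBs)
    $hotfix  = Get-InstalledHotFixIds
    $history = Get-UpdateHistoryKBs
    foreach ($id in $KB) {
        [pscustomobject]@{
            KB              = $id
            InInstalledList = ($hotfix -contains $id)    # whole-string match, as the page notes
            InUpdateHistory = ($history -contains $id)
        }
    }
}

Test-KBInstalled | Format-Table -AutoSize
```

A KB that shows in neither column may still have been superseded by a later cumulative update, which is why the srv.sys file version remains the deciding check.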