Last updated: 03/July/2017 1:39 PM NZST
02/July/2017 10:39 AM ADT

Hi all,

Due to the extended news on recent ransomeware outbreaks, below is a some advice that may help set your mind at rest.

This page helps you discover whether your computer(s) is(are) protected against "Wannacry" and what is now being called "Petya", but has also been called "NotPetya", "PetrWrap" and "exPetya".  The common element, is that these all rely on a known exploit in old versions of a Windows file called "srv.sys".  That file is replaced/updated in many different Windows Updates, so as long as your PC is automatically updating successfully, you're likely not to be vulnerable to this, and many similar attacks.

Remember, the golden rules for general behaviour and computer use are:

  • Set your PC to AUTOMATICALLY apply Windows Updates
  • Run reputable antivirus and keep it up to date - both the program and its “definitions” – so that’s often called “Upgrade” and “Update”!
    (Eset NOD32 is excellent and I can licence it for you)
  • Be vigilant when opening attachments or visiting unfamiliar websites!
  • MOST viruses/Malware/Ranswomware will arrive from a KNOWN CONTACT.  Their PC, once compromised, will email all their Contacts, which may well include YOU.  So, the key thing is to always be asking yourself "...would THEY send me THIS?"
  • If you see a pop-up Window from “User Account Control” asking whether to allow changes to your PC, and YOU did not initiate something, STOP!!!
  • Macintosh devices (Macbooks, iPads) are not vulnerable to this latest attack, nor the one in March.  HOWEVER there ARE attacks via macs and soon they'll be more popular, because Updates for Windows 10 Home are now compulsory, so the base of compromise-able PCs around the world is shrinking
  • The same is true of all variants of Linux

Regards, Joe.

 If you want to see if you are protected: 

  • This only affects Windows PCs
  • If you have your PC set to Update itself automatically, you should definitely be protected by now, assuming the updates are working :)
  • You can prove that this particular one is applied, as detailed below - most simply by verifying the version of file srv.sys.  Microsoft don’t make it easy via the KBXXXXXXX method!...
  • What follows below may look busy, but it boils down to grabbing some Windows version info, looking up that info in a KB article, then checking your PC for a given result

 Step 1 - finding your Windows Version 

This article lists details the bug this ransomeware (and the previous outbreak) exploits:

"Microsoft Security Bulletin MS17-010 - Critical"
https://technet.microsoft.com/library/security/MS17-010


This article details how to establish whether the fix for MS17-010 (above) is applied:

"How to verify that MS17-010 is installed"


In both articles, it is essential to know your Windows Version information.  Discover this as follows...

 Major Windows Version Name and 32 or 64 bit 

Most machines now have a "Windows" key on their keyboard:

Holding down the Windows Key then tapping Pause/Break(*) brings up Control Panel > All Control Panel Items > System, and that shows you what flavour you have (7, 8, 10, Home/Pro etc.) and whether you have a 32-bit or 64-bit Operating System...

(*) The Pause/Break key varies widely.  It is usually at top and towards the right, on laptops it is often combined on a Function (Fn) key & used with a Ctrl or Fn key combo!

NOTE: The "Processor" might be 64-bit, but you could still have a 32-bit "Operating System", and it is the "Operating System" bits that you need to know!

 Windows Version Number 
Next you need the Windows Version Number.  To find that, run  “winver”  from Start/Run or a CMD window, or just search for it...

 
 -or-

... and look for the Version # in the resulting Window...


...so in the example above, "1511" is the magic number!


 Step 2 - Is the Update applied? 

Two methods here.  1) Find and check the version of file srv.sys,  or 2) Establish that a KBXXXXXXX Update incorporating the fix to srv.sys has been applied/installed (much harder!)

 Method A - srv.sys version 

Open this "Microsoft Support article" and keep it handy...

When various different updates are installed, the end result is usually to replace core Operating System files.  Often these are loaded into working Memory during boot up, hence why we often have to restart a system to apply some updates and allow them to work.  In the case of this particular "exploit" the file %systemroot%\system32\drivers\srv.sys had a 'bug' and this is fixed in a particular release (and later releases) of said file.  Checking this confirms that it has been updated.

 Manual Check of srv.sys 
The manual way to check is to find the file and inspect it's properties.  %systemroot% is a system variable that usually equates to "C:\Windows".  You can enter the variable and path/file name into your Windows/File Explorer address bar. as " %systemroot%\system32\drivers\" (Windows 10 example shown)...


Once you see the file listed, right-click on it it and Select "Properties".  Select the "Details" tab and check the "File version" there (i.e. not the "Product version)...

So, in this case we read "10.0.10586.916" as our result.  We'll check that in the Microsoft Support article mentioned above.  Look for this section in that article:
"Method 2: Check by %systemroot%\system32\drivers\srv.sys file version".  In that table, look for your Windows version as described further above...

Look for the version number and compare it to what is on your system.  In the example shown, we look up Windows 10 version 1511 and see 
10.0.10586.839.  When we checked the file on our PC (above), it had version 10.0.10586.916 - a newer (higher number), which is good news :)

 Check of srv.sys by Powershell script 
It is quite easy to run the "Powershell" script in the Microsoft Support article.  Open the article and look for "PowerShell script"...
To save the script to a .ps1 file, copy all the text in the box, open Notepad, and paste the text there.  Add the following to the end, on the line after the #, which will enable a "pause" so that the results stay on screen :) ...

Write-Host ""
Write-Host "--------------------------------------------------"
Write-Host "Press any key to continue ..."
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

Save the file, calling it "CheckSRV.ps1" or something similar, and in a place you can easily find it again, like your Desktop or your Downloads Folder.  NOTE: Because Windows Systems have a "hide file extension" option turned on by default, it is critical that when saving from Notepad, you select "Save as type:" ... "All Files", otherwise the system might add ".txt" on the end, then the script will not run!...

Now, find the saved script file in Windows/File Explorer, and double-click it... It will normally execute within "Windows Powershell" and display something like the following...

So, in this example, good news!  - "System is Patched"!


 Method B - KBXXXXXXX Installed 

This method is a bit tougher, but can work.  The frustrating thing is that there are multiple "Updates" of format KBXXXXXXX that Microsoft may have installed on your system, and it's very hard sometimes to find one of them actually installed.  Remember - if your system is successfully installing patches automatically, you should be OK anyway, as the machine will be up to date.  If in doubt regards this particular malware (Petya-based), the bottom line is the srv.sys file version (see methods to check this).

First you must establish your Windows version information, per above - such that you know whether it is Windows 7, 8 or 10, whether 32-bit or 64-bit, and what its version number is.  See above in " Step 1 - finding your Windows Version ".

Now you can look up some KBXXXXXXXX Updates that might be installed on your system.  The best page to use is...

"How to verify that MS17-010 is installed"
(Find your Windows version in the appropriate "Table")

...as it details how to establish whether the fix for MS17-010 (below) is applied.

This article details the explicit Updates first used to fix the file these particular Ransomeware outbreaks have exploited...

"Microsoft Security Bulletin MS17-010 - Critical"
(Look up your Windows version in the table, and check the KB article given - note it only has the #, not preceeded here by 'KB')

You may have to look at both articles, and check all KBXXXXXXX Updates possible for your PC.

To confirm that the relevant Update above is installed, you have to look for it as KBXXXXXXX (e.g. KB4012212).

The most common versions are: 
  • Windows 7 64-bit SP1, so that’s KB4012212 (shown in the table as just 4012212)
  • Windows 10 for x64-based Systems (KB4012606)
  • Windows 10 Version 1511 for x64-based Systems (KB4013198)
  • Windows 10 Version 1607 for x64-based Systems (KB4013429)

 To check whether a KBXXXXXXX Update is installed: 

In Windows 7, run Control Panel > Programs > Programs and Features and look for the hyperlink at left “View installed updates”.  Click that.  Then, in the search box at top right, search for your KBXXXXXXX item.  Note – you can’t search for only part of it, such as KB401 or something, that won’t work.  The whole string only.  You should find something like:
In Windows 10, use the “Search” near the Windows Start Button (bottom left) and type in Updates… look for “View installed updates” and run that.  This should put you in  Control Panel > All Control Panel Items > Programs and Features >  Installed Updates.  Then, in the search box at top right, search for your KBXXXXXXX item.  Note – you can’t search for only part of it, such as KB401 or something, that won’t work. The whole string only!

NOTE re Windows 10 v 1607:  It is very hard to find the appropriate install on this version of Windows.  There is a second place to look for Update History.  Use the “Search” near the Windows Start Button again (bottom left) and type in Updates again, but this time select "Windows Update settings" (it shows this as being in "System settings").  Once there look for this link, "Update history"...
You should see a screen a bit like this:

The highlighted KB4019472 in this example, does indeed correspond to the same KB mentioned in Table 1 on page 

Thanks Microsoft - that was so easy.

I hope this helps.  Joe!  Please contact me as you wish, per the Contact page...

[End]