Perfc - NotPetya/Petna/Petya Vaccine (alpha)


Versioning - This is the latest version.

1  Perfc - NotPetya/Petna/Petya Vaccine (alpha)  6/29/2017 4:53:08 AM
2  Perfc - NotPetya/Petna/Petya Vaccine (alpha)  6/29/2017 5:00:23 AM
3  Perfc - NotPetya/Petna/Petya Vaccine (alpha)  6/29/2017 5:00:27 AM

Description

NotPetya/Petna/Petya Vaccine (alpha)

reference:
https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/

acknowledgement:
https://twitter.com/LawrenceAbrams

Creates read-only files perfc, perfc.dat and perfc.dll in the C:\Windows directory.

Disclaimer: Provided 'as-is'

THE SAMPLE CODE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS OF THIS CODE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) SUSTAINED BY YOU OR A THIRD PARTY, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ARISING IN ANY WAY OUT OF THE USE OF THIS SAMPLE CODE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Property Details

ID: 24569
Status: Alpha - Code that was just developed
Title: Perfc - NotPetya/Petna/Petya Vaccine (alpha)
Domain: BESC
Source: Internal
Source Release Date: 6/29/2017 12:00:00 AM
Keywords: Perfc NotPetya Petna Petya Vaccine alpha
Added by on 6/29/2017 5:00:27 AM
Last Modified by on 6/29/2017 5:00:27 AM
Counters: 3061 Views / 15 Downloads

Relevance

name of operating system as lowercase starts with "win"
not exists file "perfc" of folder "c:\windows"
not exists file "perfc.dll" of folder "c:\windows"
not exists file "perfc.dat" of folder "c:\windows"

Actions

Action 1 (default)

Script Type: BigFix Action Script
// Disclaimer: Provided 'as-is'
// THE SAMPLE CODE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS OF THIS CODE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) SUSTAINED BY YOU OR A THIRD PARTY, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ARISING IN ANY WAY OUT OF THE USE OF THIS SAMPLE CODE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


// Create c:\windows\perfc only if it is not already present.
if {not exists file "perfc" of folder "c:\windows"}
delete __createfile
createfile until _endFile
#BigFix NotPetya/Petna/Petya Vaccine (alpha)
_endFile
copy __createfile c:\windows\perfc
endif

// Create c:\windows\perfc.dll only if it is not already present.
// The check uses the same file name as the copy target and the applicability relevance.
if {not exists file "perfc.dll" of folder "c:\windows"}
delete __createfile
createfile until _endFile
#BigFix NotPetya/Petna/Petya Vaccine (alpha)
_endFile
copy __createfile c:\windows\perfc.dll
endif

// Create c:\windows\perfc.dat only if it is not already present.
if {not exists file "perfc.dat" of folder "c:\windows"}
delete __createfile
createfile until _endFile
#BigFix NotPetya/Petna/Petya Vaccine (alpha)
_endFile
copy __createfile c:\windows\perfc.dat
endif

// Mark all three files read-only.
waithidden cmd.exe /C attrib +R "c:\windows\perfc"
waithidden cmd.exe /C attrib +R "c:\windows\perfc.dll"
waithidden cmd.exe /C attrib +R "c:\windows\perfc.dat"

Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.
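
A local audit of what the action leaves behind, as an added example that is not part of the original fixlet: it checks that each of the three files exists, is read-only, and contains the marker text, so a pre-existing file with other content is reported instead of being counted as vaccinated. The `$Folder` and `$Marker` parameters and the state names are assumptions of this example.

```powershell
# Added example (not from the original fixlet). Audits the three files the
# action creates. $Marker is an assumption: the word "Vaccine" taken from the
# "#BigFix NotPetya/Petna/Petya Vaccine (alpha)" line the action writes.
param(
    [string]$Folder = 'C:\Windows',
    [string]$Marker = 'Vaccine'
)

$names = 'perfc', 'perfc.dll', 'perfc.dat'

$report = foreach ($name in $names) {
    $path = Join-Path -Path $Folder -ChildPath $name
    $row  = [ordered]@{
        Path      = $path
        Exists    = $false
        ReadOnly  = $false
        HasMarker = $false
        State     = 'Missing'
    }

    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        $row.Exists   = $true
        $row.ReadOnly = $item.IsReadOnly
        # -Quiet yields $true on the first match; [bool] maps "no match" to $false.
        $row.HasMarker = [bool](Select-String -LiteralPath $path -Pattern $Marker -SimpleMatch -Quiet)

        # A file without the marker was not written by this action.
        if (-not $row.HasMarker) {
            $row.State = 'UnexpectedContent'
        } elseif (-not $row.ReadOnly) {
            $row.State = 'NotReadOnly'
        } else {
            $row.State = 'OK'
        }
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize

# A non-zero exit code lets a scheduler or management agent flag the endpoint.
if ($report | Where-Object { $_.State -ne 'OK' }) { exit 1 } else { exit 0 }
```

Pointing `-Folder` at a scratch directory makes it possible to try the script without touching C:\Windows.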



Comments

jgstew -
You don't want to only rely on the files existing or not, because what if the bad versions of the files exist? Better to have relevance that checks the contents of the files and an action that overwrites them... though overwriting things in the Windows folder isn't ideal if it ever gets used for something real in the future... though that seems unlikely.
jgstew -
3 != number of (files "perfc" of it; files "perfc.dll" of it; files "perfc.dat" of it) whose(exists lines of it containing "Vaccine") of windows folders
jgstew -
dos echo #BigFix NotPetya/Petna/Petya Vaccine (alpha) > c:\windows\perfc
aurora -
Thank you Ian Wheatley for your help!