How to Ensure Wannacry Patch is Installed Correctly On Your Machine
WannaCrypt reportedly does not infect XP machines, but the problem clearly appears on Windows 7 machines without the WannaCry patch. We have seen the devastating cyber attack that crippled computers in UK hospitals, with the UK NHS citing that its machines were not patched for WannaCry.
Microsoft's statement at the time was that "those using Windows 10 were not infected." Though we cannot confirm this statement, it is clear that those who had installed the Windows patch for WannaCry were not hit.
Learn the best ransomware protection steps here to resist ransomware attack.
The WannaCrypt ransomware exploits one of the vulnerabilities addressed by the MS17-010 update. Computers without the WannaCry Windows patch are at heightened risk from several strains of malware.
In a large organization with hundreds of computers running Windows, checking that the correct WannaCry patch is in place can be taxing.
Security update MS17-010 addresses several vulnerabilities in Windows SMBv1 that are exploited by the WannaCrypt ransomware.
How do you make sure all Windows 7 computers are correctly patched for WannaCry, ideally with the KB numbers as well?
However, the KB that contains the update differs between Windows versions, and it is sometimes rolled into service packs or cumulative updates: it can be taxing!
Have a look here
The other way to check for correct patching is by file version:
MS17-010 installs a patched version of %systemroot%\system32\drivers\srv.sys.
You can check the file version and compare it with this list (minimum patched version per OS):
• Windows XP: 5.1.2600.7208
• Windows Server 2003 SP2: 5.2.3790.6021
• Windows Vista, Windows Server 2008 SP2: GDR 6.0.6002.19743, LDR 6.0.6002.24067
• Windows 7, Windows Server 2008 R2: 6.1.7601.23689
• Windows 8, Windows Server 2012: 6.2.9200.22099
• Windows 8.1, Windows Server 2012 R2: 6.3.9600.18604
• Windows 10 TH1 v1507: 10.0.10240.17319
• Windows 10 TH2 v1511: 10.0.10586.839
• Windows 10 RS1 v1607, Windows Server 2016: 10.0.14393.953
If the version installed on your system is equal to or higher than the version in the list, the OS is correctly patched.
Automate it!
The srv.sys file version can be extracted simply using wmic (backslashes in the WQL WHERE clause must be doubled):
C:\>WMIC DATAFILE WHERE name="c:\\windows\\system32\\drivers\\srv.sys" get Version /format:Textvaluelist
[Screenshot: output on Windows 10]
The above command can be included in a batch script that compares the file version with the expected one.
Microsoft support also provides a PowerShell script that automates the entire process:
[reflection.assembly]::LoadWithPartialName("System.Version")
$os = Get-WmiObject -class Win32_OperatingSystem
$osName = $os.Caption
$s = "%systemroot%\system32\drivers\srv.sys"
$v = [System.Environment]::ExpandEnvironmentVariables($s)

# Read the file version of srv.sys as a System.Version so it compares numerically, not as text
If (Test-Path "$v")
{
    Try
    {
        $versionInfo = (Get-Item $v).VersionInfo
        $versionString = "$($versionInfo.FileMajorPart).$($versionInfo.FileMinorPart).$($versionInfo.FileBuildPart).$($versionInfo.FilePrivatePart)"
        $fileVersion = New-Object System.Version($versionString)
    }
    Catch
    {
        Write-Host "Unable to retrieve file version info, please verify vulnerability state manually." -ForegroundColor Yellow
        Return
    }
}
Else
{
    Write-Host "Srv.sys does not exist, please verify vulnerability state manually." -ForegroundColor Yellow
    Return
}

# Pick the expected (minimum patched) version for the detected OS
if ($osName.Contains("Vista") -or ($osName.Contains("2008") -and -not $osName.Contains("R2")))
{
    # Vista / 2008 SP2 have GDR and LDR servicing branches; the first digit of the fourth version field tells them apart
    if ($versionString.Split('.')[3][0] -eq "1")
    {
        $currentOS = "$osName GDR"
        $expectedVersion = New-Object System.Version("6.0.6002.19743")
    }
    elseif ($versionString.Split('.')[3][0] -eq "2")
    {
        $currentOS = "$osName LDR"
        $expectedVersion = New-Object System.Version("6.0.6002.24067")
    }
    else
    {
        $currentOS = "$osName"
        $expectedVersion = New-Object System.Version("9.9.9999.99999")
    }
}
elseif ($osName.Contains("Windows 7") -or ($osName.Contains("2008 R2")))
{
    $currentOS = "$osName LDR"
    $expectedVersion = New-Object System.Version("6.1.7601.23689")
}
elseif ($osName.Contains("Windows 8.1") -or $osName.Contains("2012 R2"))
{
    $currentOS = "$osName LDR"
    $expectedVersion = New-Object System.Version("6.3.9600.18604")
}
elseif ($osName.Contains("Windows 8") -or $osName.Contains("2012"))
{
    $currentOS = "$osName LDR"
    $expectedVersion = New-Object System.Version("6.2.9200.22099")
}
elseif ($osName.Contains("Windows 10"))
{
    if ($os.BuildNumber -eq "10240")
    {
        $currentOS = "$osName TH1"
        $expectedVersion = New-Object System.Version("10.0.10240.17319")
    }
    elseif ($os.BuildNumber -eq "10586")
    {
        $currentOS = "$osName TH2"
        $expectedVersion = New-Object System.Version("10.0.10586.839")
    }
    elseif ($os.BuildNumber -eq "14393")
    {
        $currentOS = "$($osName) RS1"
        $expectedVersion = New-Object System.Version("10.0.14393.953")
    }
    elseif ($os.BuildNumber -eq "15063")
    {
        $currentOS = "$osName RS2"
        "No need to Patch. RS2 is released as patched. "
        return
    }
}
elseif ($osName.Contains("2016"))
{
    $currentOS = "$osName"
    $expectedVersion = New-Object System.Version("10.0.14393.953")
}
elseif ($osName.Contains("Windows XP"))
{
    $currentOS = "$osName"
    $expectedVersion = New-Object System.Version("5.1.2600.7208")
}
elseif ($osName.Contains("Server 2003"))
{
    $currentOS = "$osName"
    $expectedVersion = New-Object System.Version("5.2.3790.6021")
}
else
{
    Write-Host "Unable to determine OS applicability, please verify vulnerability state manually." -ForegroundColor Yellow
    $currentOS = "$osName"
    $expectedVersion = New-Object System.Version("9.9.9999.99999")
}

Write-Host "`n`nCurrent OS: $currentOS (Build Number $($os.BuildNumber))" -ForegroundColor Cyan
Write-Host "`nExpected Version of srv.sys: $($expectedVersion.ToString())" -ForegroundColor Cyan
Write-Host "`nActual Version of srv.sys: $($fileVersion.ToString())" -ForegroundColor Cyan

# Numeric comparison: anything below the expected version is unpatched
If ($($fileVersion.CompareTo($expectedVersion)) -lt 0)
{
    Write-Host "`n`n"
    Write-Host "System is NOT Patched" -ForegroundColor Red
}
Else
{
    Write-Host "`n`n"
    Write-Host "System is Patched" -ForegroundColor Green
}
Set the execution policy to 'Unrestricted' in order to run the script.
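The Microsoft script above checks only the machine it runs on. The following is an added example, not code from the page or from Microsoft, that applies the same srv.sys version table to a list of hosts over WMI and returns one result object per host, so the fleet-wide check the article calls "taxing" can be exported to CSV. It assumes Windows PowerShell 5.1 (where Get-WmiObject exists), admin rights and WMI/DCOM access to each target; the function and parameter names are my own.

```powershell
function Get-ExpectedSrvSysVersion {
    param([string]$Caption, [int]$Build, [version]$Actual)
    # Minimum patched srv.sys versions from the list above, selected by OS caption and build number
    switch -Regex ($Caption) {
        'Windows XP'        { return [version]'5.1.2600.7208' }
        'Server 2003'       { return [version]'5.2.3790.6021' }
        'Vista|2008(?! R2)' {
            # Vista / 2008 SP2 have GDR and LDR branches; the fourth version field tells them apart
            if ($Actual.Revision -ge 20000) { return [version]'6.0.6002.24067' }  # LDR
            return [version]'6.0.6002.19743'                                        # GDR
        }
        'Windows 7|2008 R2'    { return [version]'6.1.7601.23689' }
        'Windows 8\.1|2012 R2' { return [version]'6.3.9600.18604' }
        'Windows 8|2012'       { return [version]'6.2.9200.22099' }
        'Windows 10|2016' {
            switch ($Build) {
                10240   { return [version]'10.0.10240.17319' }
                10586   { return [version]'10.0.10586.839' }
                14393   { return [version]'10.0.14393.953' }
                default { return $null }  # RS2 (15063) shipped patched; later builds are not in the table
            }
        }
    }
    return $null
}
function Test-SrvSysPatched {
    # Assumes WMI (DCOM/RPC) access and admin rights on each target; defaults to the local machine
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($c in $ComputerName) {
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
            # WQL needs backslashes doubled; use the real system directory instead of assuming C:\Windows
            $path = "$($os.SystemDirectory)\drivers\srv.sys".Replace('\', '\\')
            $file = Get-WmiObject -Class CIM_DataFile -Filter "Name='$path'" -ComputerName $c -ErrorAction Stop
            if (-not $file) { throw "srv.sys not found under $($os.SystemDirectory)\drivers" }
            $actual   = [version]$file.Version
            $expected = Get-ExpectedSrvSysVersion -Caption $os.Caption -Build ([int]$os.BuildNumber) -Actual $actual
            # Compare as [version] objects, not strings: as text '10.0.14393.953' sorts above '10.0.14393.1000'
            if ($null -eq $expected)       { $status = 'Unknown: verify manually' }
            elseif ($actual -ge $expected) { $status = 'Patched' }
            else                           { $status = 'NOT patched' }
            [pscustomobject]@{ Computer = $c; OS = $os.Caption; Build = $os.BuildNumber
                               Actual = $actual; Expected = $expected; Status = $status }
        } catch {
            [pscustomobject]@{ Computer = $c; OS = $null; Build = $null
                               Actual = $null; Expected = $null; Status = "Error: $($_.Exception.Message)" }
        }
    }
}
```

Run it against a host list such as `Test-SrvSysPatched -ComputerName (Get-Content .\hosts.txt) | Export-Csv .\ms17-010-status.csv -NoTypeInformation`; hosts that report an error or "Unknown" still need a manual check rather than being counted as patched.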