[clamav-users] Malware/ransomware and Yara signatures with clamav
Eric Tykwinski
eric-list at truenet.com
Tue May 16 16:40:23 UTC 2017
I don't think anyone really knows the initial vector, but RDP was an entry
point according to the site I was reading:
Backdooring: The worm loops through every RDP session on a system to run the
ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It
corrupts shadow volumes to make recovery harder. (source: malwarebytes)
It seems more believable to me than everyone with SMB access to the public
internet.
Sincerely,
Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
-----Original Message-----
From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On Behalf Of Dennis Peterson
Sent: Tuesday, May 16, 2017 12:25 PM
To: ClamAV users ML
Subject: Re: [clamav-users] Malware/ransomware and Yara signatures with clamav
If not email what is the vector?
dp
On 5/15/17 5:11 PM, Joel Esler (jesler) wrote:
> To be clear let me link to our blog post on the subject:
>
> http://blog.talosintelligence.com/2017/05/wannacry.html
>
> There has been No email vector seen in WannaCry to date. Almost everyone
> that has claimed this has retracted it. Please read the above blog post for
> all the facts as we know them.
>
> This is an ongoing threat.
>
> --
> Joel Esler | Talos: Manager | jesler at cisco.com<mailto:jesler at cisco.com>