EternalRocks worm exploits seven Windows SMB exploits to infect vulnerable computer systems
EternalRocks virus is a self-replicating network worm which spreads through seven leaked Windows SMB exploits and performs malicious activities on infected computers. The worm has several different names – various security companies also identify it as MicroBotMassiveNet, DoomsDay[1] or BlueDoom. The worm uses EternalBlue (used for WannaCry ransomware distribution), EternalChampion, EternalSynergy, and EternalRomance as well as these associated programs – DoublePulsar, SMBTouch, and ArchiTouch. The functionality of the malware is parted in several stages, and the first one uses UpdateInstaller.exe file, which downloads .NET files employed in further processes, SharpZLib and TaskScheduler, and also svchost.exe(downloads, extracts and launches Tor browser) and taskhost.exe. Once these files are placed on the system, the second stage malware starts to act. After a delay (24 hours) the worm connects to ubgdgno5eswkhmpy[.]onion, downloads and executes another taskhost.exe file. Once run, the process downloads the exploit package called shadowbrokers.zip, and unpacks components right away. The name of the ZIP archive is self-explanatory, as it uses exploits leaked by a hacker group known as Shadow Brokers[2]. The archive contains folders – payloads, configs and bins. Following that, the virus starts searching for open 445 (SMB) ports on the Internet, at the same time running the exploits that came in the bins folder and pushes the first stage malicious software through payloads. The worm continuously communicates with its Command & Control (C&C) server via the running Tor browser and waits for further instructions. The virus can be stopped using only very powerful anti-malware tools that must be up-to-date. For EternalRocks removal, we recommend using FortectIntego or MalwarebytesMalwarebytes software.

EternalRocks malware is not a ransomware, contrary to what some “experts” say. At the moment, it is just a malicious code that can silently take control of the infected hosts. Even if the worm is not weaponized yet, there is no reason to think that it is going to remain the same in the future. Due to communication with the C&C server, the worm can carry out various tasks and fill the infected system with additional malware, including ransomware or data-stealing viruses. EternalRocks addresses more Windows vulnerabilities than the infamous WannaCry ransomware did (Wana Decrypt0r 2.0 ransomware, which was used in the cyber attack launched on May 12, 2017[3], used EternalBlue and DoublePulsar[4] exploits), which reveals that the worm is far more complex than the ransomware[5]. The new worm, however, does not have a kill switch that the ransomware did. At the moment, it seems that there is no way to block McroBotMassiveNet activity once it sneaks into the system. The only thing that you can do is to scan the system using powerful anti-malware and remove EternalRocks automatically.

Propagation of the malicious worm
With a wider range of Windows SMB exploits, EternalRocks worm manages to enter unprotected computer systems quite easily. One of the used exploits, known as DoublePulsar, stays on the compromised computer without having any protection, which means that other cybercriminals can attempt to connect to the compromised computers and transfer their malicious programs to it. At the moment, there is very little information about possible ways to avoid this worm. Therefore, we recommend keeping your operating system up-to-date, install all suggested updates for your programs (make sure you download them from trustworthy sources only!) and avoid visiting shady Internet sites or opening suspicious emails until more details about the worm will be revealed. We will update this article once we find out more about the virus.
Removal of EternalRocks worm
When trying to remove EternalRocks virus, you should understand that it is a professionally crafted malware sample and that it just cannot be uninstalled that quickly. You won’t find its uninstaller in Control Panel, so do not even waste your time trying to find it. What is more, deleting components of this malware might not be enough. Therefore, we suggest performing EternalRocks removal using professional malware removal software, which will identify all folders and altered settings that were touched by the malware.
Was this guide helpful?
Be the first to comment