Severity scale: 100/100

EternalRocks worm. How to remove? (Uninstall guide)

Removal guide by Olivia Morelli | Type: Worms

EternalRocks worm uses seven leaked Windows SMB attack tools to infect vulnerable computer systems

EternalRocks is a self-replicating network worm that spreads through seven leaked Windows SMB attack tools and then waits for instructions on the computers it infects. It goes by several names: various security companies also identify it as MicroBotMassiveNet, DoomsDay[1] or BlueDoom. Four of the seven tools are exploits, EternalBlue (the one used to spread WannaCry ransomware), EternalChampion, EternalSynergy and EternalRomance; the other three are supporting utilities, the DoublePulsar backdoor and the SMBTouch and ArchiTouch vulnerability-check tools.

The infection runs in two stages. Stage one is UpdateInstaller.exe, which downloads the .NET components used later (SharpZLib and TaskScheduler) together with two files named after legitimate Windows binaries: svchost.exe, which downloads, extracts and launches a Tor client, and taskhost.exe. Once these files are in place, stage two starts after a 24-hour delay: the worm connects over Tor to ubgdgno5eswkhmpy[.]onion, then downloads and executes a second taskhost.exe. That process fetches an exploit package called shadowbrokers.zip and unpacks it immediately. The archive name is self-explanatory: it holds exploits leaked by the hacker group known as Shadow Brokers[2], organised into three folders, payloads, configs and bins. The worm then scans the Internet for hosts with TCP port 445 (SMB) open, runs the exploits from the bins folder against each one it finds, and pushes its stage-one components onto the victim through the payloads folder. Throughout, it keeps a channel to its Command & Control (C&C) server over the running Tor client and waits for further instructions.

Stopping the worm requires an up-to-date anti-malware tool. For EternalRocks removal, we recommend using Reimage or Malwarebytes Anti Malware.
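As an added example (not code from the article or from any analysis of the worm), the network-side behaviour described above can be turned into a simple detection: an internal host that opens connections to many distinct Internet addresses on TCP/445 within a short window is scanning the way EternalRocks does. The Python below parses a constructed key=value firewall log and reports the sources that trip the rule. The log format, the RFC 1918 ranges treated as internal, and the threshold of 20 distinct targets per minute are assumptions for the example, not values from the page.

```python
"""Flag internal hosts that scan the Internet for SMB the way EternalRocks
does: many distinct external destinations on TCP/445 within a short window.
Added example; the log format and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed key=value firewall log format. The sample lines are constructed:
# 10.0.0.5 sweeps 25 distinct external hosts on 445 within 25 seconds
# (worm-like); 10.0.0.9 only talks to an internal file server on 445 and to
# external web servers on 443 (benign).
SAMPLE_LOG = "\n".join(
    [f"2017-05-18T10:00:{i:02d}Z src=10.0.0.5 dst=203.0.113.{i + 1} dport=445 proto=tcp action=allow"
     for i in range(25)]
    + [f"2017-05-18T10:00:{i:02d}Z src=10.0.0.9 dst=10.0.0.2 dport=445 proto=tcp action=allow"
       for i in range(40)]
    + [f"2017-05-18T10:00:{i:02d}Z src=10.0.0.9 dst=198.51.100.{i + 1} dport=443 proto=tcp action=allow"
       for i in range(30)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Assumption: these are the organisation's internal ranges; anything else is
# treated as "the Internet" when counting scan targets.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def detect_smb_scanners(log_text, window_seconds=60, threshold=20):
    """Return {source: peak number of distinct external TCP/445 destinations
    seen inside any window_seconds window} for sources reaching threshold.
    Blocked attempts count too: the attempt is the signal, not the outcome."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    events = [ev for ev in events
              if ev["proto"] == "tcp" and ev["dport"] == 445
              and is_internal(ev["src"]) and not is_internal(ev["dst"])]
    events.sort(key=lambda ev: ev["ts"])

    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    peak = defaultdict(int)
    for ev in events:
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({dst for _, dst in q})
        peak[ev["src"]] = max(peak[ev["src"]], distinct)
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in detect_smb_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct external SMB targets within 60s (worm-like scanning)")
```

Repeated traffic to one internal file server on 445 never trips the rule, because only distinct non-internal destinations are counted; that distinction is what separates a worm sweeping the Internet from ordinary file-share use.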

EternalRocks worm

EternalRocks is not ransomware, contrary to what some “experts” say. At the moment it is malicious code that silently takes control of the infected host. Even though the worm is not carrying a destructive payload yet, there is no reason to assume it will stay that way: through its C&C channel it can be told to run arbitrary tasks and to load additional malware onto the infected system, including ransomware or data-stealing trojans. EternalRocks uses more of the leaked SMB exploits than the infamous WannaCry ransomware did (Wana Decrypt0r 2.0, used in the attack launched on May 12, 2017[3], relied on EternalBlue and DoublePulsar[4] only), which makes the worm considerably more capable than the ransomware[5]. Unlike WannaCry, the new worm has no kill switch domain that can be registered to halt it. Once MicroBotMassiveNet is running on a system there is no simple switch to turn it off; the practical course is to take the host off the network, scan it with a powerful anti-malware tool and remove EternalRocks automatically.

Propagation of the malicious worm

With a wider range of Windows SMB exploits, EternalRocks enters unprotected computer systems quite easily. One of the tools it installs, the DoublePulsar backdoor, is left listening on the compromised machine without any authentication, so other cybercriminals who find it can connect and load their own malicious programs through it. Little detail about the worm's internals was available when this article was written, but its entry point is known: every exploit in its kit targets the SMBv1 flaws that Microsoft fixed in the MS17-010 security update of March 2017. Therefore, we recommend keeping your operating system up-to-date (apply MS17-010 or any later cumulative update, and disable SMBv1 where nothing depends on it), making sure no Windows host exposes TCP port 445 to the Internet, installing all suggested updates for your programs (download them from trustworthy sources only!), and avoiding shady Internet sites and suspicious emails until more details about the worm are revealed. We will update this article once we find out more about the virus.

Removal of EternalRocks worm

When trying to remove EternalRocks, you should understand that it is a professionally crafted malware sample and cannot be uninstalled quickly. You won’t find an uninstaller for it in Control Panel, so do not waste your time looking for one. What is more, deleting individual components of the malware might not be enough, because the files use names that look like legitimate Windows binaries. Therefore, we suggest performing EternalRocks removal with professional malware removal software, which will identify all the folders and altered settings that the malware touched.
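As an added example, not part of the article and not a tool from any analysis of the worm, here is a host-side sweep a responder can point at a mounted disk or a live system to find the on-disk artefacts named above: UpdateInstaller.exe, shadowbrokers.zip, a folder holding the payloads/configs/bins trio, and copies of svchost.exe or taskhost.exe living outside the Windows system directories. The list of legitimate system directories and the demo tree the code builds are assumptions constructed for the example. File names are weak indicators (the worm picked them precisely because they look normal), so treat hits as leads to triage rather than proof of infection.

```python
"""Sweep a directory tree for the EternalRocks artefacts named in the
write-up. Added example; the system-directory list and the demo tree are
assumptions, not data from the page."""
import os
import tempfile

SUSPECT_FILES = {"updateinstaller.exe", "shadowbrokers.zip"}   # stage-1 dropper, exploit pack
MASQUERADE_NAMES = {"svchost.exe", "taskhost.exe"}             # worm copies named like Windows binaries
STAGE2_LAYOUT = {"payloads", "configs", "bins"}                # folders unpacked from shadowbrokers.zip
# Assumption: where the real binaries legitimately live on a default install.
EXPECTED_SYSTEM_DIRS = ("windows/system32", "windows/syswow64", "windows/winsxs")


def _norm(path):
    """Lower-case, forward-slash form so Windows and POSIX paths compare alike."""
    return os.path.normpath(path).replace("\\", "/").lower()


def in_system_dir(path):
    p = _norm(path)
    return any(f"/{d}/" in p for d in EXPECTED_SYSTEM_DIRS)


def sweep(root):
    """Return a list of (kind, path) findings found under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # A directory that contains all three stage-2 folders at once.
        if STAGE2_LAYOUT <= {d.lower() for d in dirnames}:
            findings.append(("stage2-layout", dirpath))
        for name in filenames:
            full = os.path.join(dirpath, name)
            low = name.lower()
            if low in SUSPECT_FILES:
                findings.append(("named-artefact", full))
            elif low in MASQUERADE_NAMES and not in_system_dir(full):
                findings.append(("masquerade", full))
    return findings


def build_demo_tree():
    """Constructed tree: one fake drop folder plus a legitimate-looking
    Windows\\System32\\svchost.exe that must not be flagged."""
    root = tempfile.mkdtemp(prefix="eternalrocks-demo-")
    drop = os.path.join(root, "ProgramData", "Updates")
    for sub in STAGE2_LAYOUT:
        os.makedirs(os.path.join(drop, sub))
    for fname in ("UpdateInstaller.exe", "shadowbrokers.zip", "taskhost.exe"):
        open(os.path.join(drop, fname), "wb").close()
    sys32 = os.path.join(root, "Windows", "System32")
    os.makedirs(sys32)
    open(os.path.join(sys32, "svchost.exe"), "wb").close()
    return root


if __name__ == "__main__":
    for kind, path in sweep(build_demo_tree()):
        print(f"{kind:15} {path}")
```

On a real machine call sweep("C:\\") (or the mount point of an offline disk); expect benign masquerade hits from places such as Windows.old, anti-virus quarantine folders and installer caches, and check each hit's signature and creation time before deleting anything.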

Reimage is recommended for removing EternalRocks worm. Its free scanner checks whether your PC is infected; removing the malware requires the licensed version of the Reimage malware removal tool.

Manual EternalRocks worm Removal Guide:

Remove EternalRocks worm using Safe Mode with Networking


Before you attempt to remove EternalRocks, reboot PC into Safe Mode with Networking first.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Click the Power button on the Windows login screen, then hold Shift and click Restart.
    2. Select Troubleshoot > Advanced options > Startup Settings and press Restart.
    3. When the Startup Settings window appears, select Enable Safe Mode with Networking.
  • Step 2: Remove EternalRocks worm

    Log in to the infected account and start the browser. Download Reimage or another legitimate anti-malware program, update it before running a full system scan, and remove the malicious files that belong to the worm to complete EternalRocks removal. Safe Mode with Networking brings the network stack up, so make sure the machine sits behind a firewall that blocks inbound TCP port 445 before you do this; an unpatched host reachable from the Internet can be re-infected while you work.

If the worm is blocking Safe Mode with Networking, try the next method.

Remove EternalRocks worm using System Restore


Try this method to eliminate EternalRocks.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Click the Power button on the Windows login screen, then hold Shift and click Restart.
    2. Select Troubleshoot > Advanced options > Startup Settings and press Restart.
    3. When the Startup Settings window appears, select Enable Safe Mode with Command Prompt.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter. (On Vista and later, rstrui.exe lives in System32 itself, so if this reports that the path cannot be found, simply go on to the next step.)
    2. Type rstrui.exe and press Enter.
    3. When the System Restore window shows up, click Next and select a restore point dated before the EternalRocks infiltration, then click Next.
    4. Click Yes to start the system restore.
    Once your system is restored to an earlier date, download Reimage, scan your computer and make sure that EternalRocks removal has completed. System Restore rolls back system files and registry settings, but it does not close the SMB hole the worm came in through, so apply MS17-010 before the machine goes back on the network.

Finally, you should always think about protection against worms like this one as well as crypto-ransomware. To protect your computer from EternalRocks and similar threats, keep Windows patched and use reputable anti-malware such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Olivia Morelli
Olivia Morelli - Ransomware analyst


About the company Esolutions

References
