Skip to content
  • Active
  • Severity: High
  • Worms
  • Windows
  • Verified · May 2017

How to remove EternalRocks worm

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Olivia Morelli · Ransomware analyst

EternalRocks worm exploits seven Windows SMB exploits to infect vulnerable computer systems

EternalRocks virus is a self-replicating network worm which spreads through seven leaked Windows SMB exploits and performs malicious activities on infected computers. The worm has several different names – various security companies also identify it as MicroBotMassiveNet, DoomsDay[1] or BlueDoom. The worm uses EternalBlue (used for WannaCry ransomware distribution), EternalChampion, EternalSynergy, and EternalRomance as well as these associated programs – DoublePulsar, SMBTouch, and ArchiTouch. The functionality of the malware is parted in several stages, and the first one uses UpdateInstaller.exe file, which downloads .NET files employed in further processes, SharpZLib and TaskScheduler, and also svchost.exe(downloads, extracts and launches Tor browser) and taskhost.exe. Once these files are placed on the system, the second stage malware starts to act. After a delay (24 hours) the worm connects to ubgdgno5eswkhmpy[.]onion, downloads and executes another taskhost.exe file. Once run, the process downloads the exploit package called shadowbrokers.zip, and unpacks components right away. The name of the ZIP archive is self-explanatory, as it uses exploits leaked by a hacker group known as Shadow Brokers[2]. The archive contains folders – payloads, configs and bins. Following that, the virus starts searching for open 445 (SMB) ports on the Internet, at the same time running the exploits that came in the bins folder and pushes the first stage malicious software through payloads. The worm continuously communicates with its Command & Control (C&C) server via the running Tor browser and waits for further instructions. The virus can be stopped using only very powerful anti-malware tools that must be up-to-date. For EternalRocks removal, we recommend using FortectIntego or MalwarebytesMalwarebytes software.

EternalRocks worm

EternalRocks malware is not a ransomware, contrary to what some “experts” say. At the moment, it is just a malicious code that can silently take control of the infected hosts. Even if the worm is not weaponized yet, there is no reason to think that it is going to remain the same in the future. Due to communication with the C&C server, the worm can carry out various tasks and fill the infected system with additional malware, including ransomware or data-stealing viruses. EternalRocks addresses more Windows vulnerabilities than the infamous WannaCry ransomware did (Wana Decrypt0r 2.0 ransomware, which was used in the cyber attack launched on May 12, 2017[3], used EternalBlue and DoublePulsar[4] exploits), which reveals that the worm is far more complex than the ransomware[5]. The new worm, however, does not have a kill switch that the ransomware did. At the moment, it seems that there is no way to block McroBotMassiveNet activity once it sneaks into the system. The only thing that you can do is to scan the system using powerful anti-malware and remove EternalRocks automatically.

EternalRocks virus

Propagation of the malicious worm

With a wider range of Windows SMB exploits, EternalRocks worm manages to enter unprotected computer systems quite easily. One of the used exploits, known as DoublePulsar, stays on the compromised computer without having any protection, which means that other cybercriminals can attempt to connect to the compromised computers and transfer their malicious programs to it. At the moment, there is very little information about possible ways to avoid this worm. Therefore, we recommend keeping your operating system up-to-date, install all suggested updates for your programs (make sure you download them from trustworthy sources only!) and avoid visiting shady Internet sites or opening suspicious emails until more details about the worm will be revealed. We will update this article once we find out more about the virus.

Removal of EternalRocks worm

When trying to remove EternalRocks virus, you should understand that it is a professionally crafted malware sample and that it just cannot be uninstalled that quickly. You won’t find its uninstaller in Control Panel, so do not even waste your time trying to find it. What is more, deleting components of this malware might not be enough. Therefore, we suggest performing EternalRocks removal using professional malware removal software, which will identify all folders and altered settings that were touched by the malware.

Be the first to comment

Read in your language

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.