SHARE
TWEET

wannacry avoid

a guest May 13th, 2017 1,908 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. There are a number of files and folders wannacrypt will avoid.
  2. Some because it's entirely pointless and others because it might destabilize the system.
  3. During scans, it will search the path for the following strings and skip over if present.
  4.  
  5.     "Content.IE5"
  6.     "Temporary Internet Files"
  7.     " This folder protects against ransomware. Modifying it will reduce protection"
  8.     "\Local Settings\Temp"
  9.     "\AppData\Local\Temp"
  10.     "\Program Files (x86)"
  11.     "\Program Files"
  12.     "\WINDOWS"
  13.     "\ProgramData"
  14.     "\Intel"
  15.     "$\"
  16.  
  17. The strange looking folder name referring to ransomware was probably used during tests
  18. or perhaps the authors left it behind by accident.
  19.  
  20. Naturally, it will avoid encrypting itself and skips the following.
  21.  
  22.     @Please_Read_Me@.txt
  23.     @WanaDecryptor@.exe.lnk
  24.     @WanaDecryptor@.bmp
  25.  
  26. It will also skip files that have extensions: .DLL, .EXE, .WNCRY and .WNCRYT
  27.  
  28. For everything else, there are 2 tables with file extensions it checks,
  29. the first and default list consists of
  30.  
  31.   .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg,
  32.   .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf,
  33.   .dwg, .onetoc2, .snt, .jpeg, .jpg
  34.  
  35. The other is a much more extensive list, but is not used by the sample
  36. I have.
  37.  
  38. It's not clear what the purpose of multiple file extensions are, but perhaps
  39. the ransomeware uses a library or framework that can be tweaked for specific targets.
  40.  
  41.   .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc,
  42.   .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb,
  43.   .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes,
  44.   .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup,
  45.   .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai,
  46.   .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov,
  47.   .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class,
  48.   .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs,
  49.   .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf,
  50.   .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb,
  51.   .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd,
  52.   .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds,
  53.   .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
RAW Paste Data
Top