Very simple Badrabbit/Petya/GlobeImposter cryptolocker vaccines implementation


#1

Hey there,

For everybody who would like a very simple ‘tool’ to protect yourself from Badrabbit, Petya, NotPetya and GlobeImposter cryptolockers.

!USE AT YOUR OWN RISK! There are no checks or controls whatsoever!

Make a file using notepad or something, call it cryptovaccine.cmd,
copy/paste in the following:

@echo off
cls
echo Very simple Badrabbit/Petya/GlobeImposter cryptolocker vaccines implementation
echo Warning: This batch file has NO CHECKS OR CONTROL WHATSOEVER! USE AT YOUR OWN RISK!
echo You must run this as (domain) admin on the Windows Operating System you want to vaccinate.
pause
cls
echo Badrabbit vaccine as described at
echo https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware
echo Creating c:\windows\cscc.dat
echo "" > c:\windows\cscc.dat
echo Removing inheritance from cscc.dat
icacls "c:\windows\cscc.dat" /inheritance:r
echo Creating c:\windows\infpub.dat
echo "" > c:\windows\infpub.dat
echo Removing inheritance from infpub.dat
icacls "c:\windows\infpub.dat" /inheritance:r
pause
cls
echo Petya vaccine as described at
echo https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/
echo Creating c:\windows\perfc
echo "" > c:\windows\perfc
echo Applying readonly mark to c:\windows\perfc
attrib +R c:\windows\perfc
echo Creating c:\windows\perfc.dat
echo "" > c:\windows\perfc.dat
echo Applying readonly mark to c:\windows\perfc.dat
attrib +R c:\windows\perfc.dat
echo Creating c:\windows\perfc.dll
echo "" > c:\windows\perfc.dll
echo Applying readonly mark to c:\windows\perfc.dll
attrib +R c:\windows\perfc.dll
pause
cls
echo GlobeImposter vaccine as described at
echo https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=1098
echo Creating 60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE file in ALLUSERSPROFILE
echo "" > "%ALLUSERSPROFILE%\60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE"
echo Applying readonly mark to 60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE
attrib +R "%ALLUSERSPROFILE%\60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE"
echo Done
pause
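
Because the batch file above performs no checks, the following is an added example (not part of the original post) that audits the result from PowerShell without changing anything. The function name Test-VaccineFile is hypothetical; the paths and the expected protection for each file are taken from the script above.

```powershell
# Added example: read-only audit of the marker files created by cryptovaccine.cmd.
# Test-VaccineFile is a hypothetical helper name, not part of any product.
$checks = @(
    @{ Path = 'C:\Windows\cscc.dat';   Expect = 'NoInheritance' },
    @{ Path = 'C:\Windows\infpub.dat'; Expect = 'NoInheritance' },
    @{ Path = 'C:\Windows\perfc';      Expect = 'ReadOnly' },
    @{ Path = 'C:\Windows\perfc.dat';  Expect = 'ReadOnly' },
    @{ Path = 'C:\Windows\perfc.dll';  Expect = 'ReadOnly' },
    @{ Path = "$env:ALLUSERSPROFILE\60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE"
       Expect = 'ReadOnly' }
)

function Test-VaccineFile {
    param([string]$Path, [string]$Expect)
    $r = [ordered]@{ Path = $Path; Expect = $Expect; Status = 'MISSING'; Detail = '' }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # Absent, or a directory with the same name: the script did not create this file.
        return [pscustomobject]$r
    }
    try {
        if ($Expect -eq 'ReadOnly') {
            # attrib +R sets the read-only attribute on the file.
            $ok = (Get-Item -LiteralPath $Path -Force).IsReadOnly
            $r.Detail = "IsReadOnly=$ok"
        } else {
            # icacls /inheritance:r disables inheritance and removes inherited ACEs.
            $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
            $ok = $acl.AreAccessRulesProtected
            $r.Detail = "InheritanceDisabled=$ok; ACEs=$($acl.Access.Count)"
        }
        $r.Status = if ($ok) { 'OK' } else { 'WEAK' }
    } catch {
        # A locked-down ACL can block the read for non-owners; rerun elevated to confirm.
        $r.Status = 'UNREADABLE'
        $r.Detail = $_.Exception.Message
    }
    [pscustomobject]$r
}

$checks | ForEach-Object { Test-VaccineFile -Path $_.Path -Expect $_.Expect } |
    Format-Table -AutoSize
```

A status of MISSING or WEAK means the corresponding step of the batch file did not take effect on that machine.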


#2

Another would be to know where your email is coming from, stop clicking on spam and phishing emails, and stop going to porn sites if you really want to stop malware infection.


#3

It may not be your own fault that your email address has been used/leaked to such spammers.
There are plenty of possibilities.
Check https://haveibeenpwned.com/ for instance.


#4

In this day and age of “click” happy, I highly doubt it. Before clicking, one can read the email and ask who sent this and why. It’s easy to contact the emailer you know who supposedly sent this to ask what that email is about. So I ask again: are they actually reading before clicking on phishing links that come unannounced? Most likely not.