Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • DigitalShadows weighs in on the most likely explanation: WannaCry is from an “unsophisticated” attacker

    Posted on May 19th, 2017 at 09:26 woody Comment on the AskWoody Lounge

    I don’t use their fancy analysis technique, but the conclusion from Digital Shadows sure rings right with me:

    Though by no means definitive, we assessed that a WannaCry campaign launched by an unsophisticated cybercriminal actor was the most plausible scenario based on the information that is currently available.

    WannaCry is full of cringeworthy errors — it’s like a misguided firecracker launched by an F-22 Raptor.

    Please, if you use Windows and you haven’t patched it yet, get on the stick.

  • The original WannaCry does NOT infect Windows XP boxes

    Posted on May 19th, 2017 at 08:00 woody Comment on the AskWoody Lounge

    I’ve been saying that for a week now – sometimes fighting over it.

    I’m not saying the EternalBlue infection method doesn’t work on XP. (Sorry for the double negative.) What I am saying is that no Windows XP boxes were infected, in the wild, by the original WannaCry worm.

    I’m also saying that the original WannaCry worm is now a distant memory, with much nastier things to come, and you have to get yourself patched, no matter which version of Windows you’re using.

    There’s an interesting debate going on right now about infections on XP boxes that weren’t part of the first wave.

    UPDATE: The Scottish National Health Service reports that 1,500 computers came down with WannaCry. Independently, NHS says they still have 6,500 computers running XP. Somehow that’s getting reported in the press that 1,500 XP NHS computers were infected. The announcement from NHS is apparently correct. The poorly-spun media reports are clearly wrong.

    ANOTHER UPDATE: Catalin Cimpanu at BleepingComputer comes to the conclusion that we’ve known all along — WannaCry only infects Windows 7 and Server 2008 R2, which is basically the same thing as Windows 7.

    The Kaspersky graph shows a tiny, tiny number of Win10 machines infected. My guess is that’s either a false positive, or from people who were intentionally infecting Win7 machines running in a Virtual Machine on Win10.

    There’s a commenter (I know, I shouldn’t read the comments) who says:

    You want to know why Windows 10 was on the list?
    I blame Microsoft for still allowing people to opt-out of auto-updates. The mass do not always know what’s best for them, so it is our responsibility to firmly reject their demand when it’s harmful, and educate them why so.

    I could pull my hair out. Win10 wasn’t directly affected. Opting in or out of updates isn’t a problem – although if you opted out of Win7 auto updates and you didn’t check for two months, yep, you could’ve gotten stung. But Win10? Puh-lease.

  • Not all Windows Store apps will run on Windows 10 S

    Posted on May 19th, 2017 at 07:43 woody Comment on the AskWoody Lounge

    From ‘Softie Rich Turner, on the MSDN forum:

    Just because an “app” comes from the Windows Store does NOT automatically mean that it’s safe & suitable for running in Windows 10 S. There are some apps that are not allowed to run on Windows 10 S, including all command-line apps, shells and Consoles.

    That’s news to me. I bet it is to you, too.

    Thx, @teroalhonen.

  • Breaking: WannaCry has been decrypted, if you follow the rules

    Posted on May 19th, 2017 at 07:37 woody Comment on the AskWoody Lounge

    For those of you who were infected with WannaCry, very good news. If you see the WannaCry ransom screen:


    Matt Suiche has confirmed that the wanakiwi tool can reach into your infected Win7 machine and retrieve the decryption key. The tool was created by Benjamin Delpy, @gentilkiwi. Per Suiche:

    His tool is very ingenious as it does not look for the actual key but the prime numbers in memory to recompute the key itself. In short, his technique is totally bad ass and super smart.

    Suiche has confirmed that the tool works on WinXP x86, Server 2003 x86, and Win7 x86 “This would imply it works for every version of Windows from XP to 7, including… Vista and 2008 and 2008 R2.”

    Remember, the original WannaCry worm ONLY infects Windows 7 computers. Anything you’ve read to the contrary is wrong.

    REMEMBER – You have to make sure your Windows machines are updated, to protect against new versions of WannaCry. They’re starting to make an appearance. If you haven’t already done it, drop everything and get patched now. Every Windows machine. No exceptions.

  • Reported problem with COM security patch KB 4018556 for WinXP Embedded

    Posted on May 19th, 2017 at 06:35 woody Comment on the AskWoody Lounge

    Just got this message, from Moldova:

    In our organization, we have many Windows XP desktops, that have been “moved” to Embedded, as to receive security patches (the process of upgrading of all machines is ongoing).

    We had no problems before. But this month the KB4018556 brought us a big headache!!!

    After installing and rebooting, many of our users (not all!) saw the winlogon error right on top of the logon window where the prompt for ctrl-alt-del appears.

    Users tried to restart their computers, and sometimes(!) after several restarts (3…9, maybe more) the system allowed them to log in. But sometimes not!!!

    Other computers may run normally a day or two, and then again could show the winlogon.exe error!

    After we remove this KB4018556 from all the computers, they went back to the normal state.


    Anybody else seeing this?

    PATCHES PULLED: While this patch was originally issued for Windows XP Embedded, POSReady 2009 and Windows Server 2008, it looks like Microsoft has pulled all versions except the one for Server 2008. Thx to Mr. Bond, and to DougCuk. The KB article now only mentions Server 2008.