Menu
Reply
Wise owl
  • 3.38K
  • 184
  • 922
Registered: ‎09-09-2009
Message 11 of 15 (317 Views)

Re: You have been infected by wannacry (email from Virgin)

VM got a mention in this article from The Register http://www.theregister.co.uk/2017/05/19/wannacrypt_warning_email_confusion/

 




It's What I Do.
I Drink and
I Remember Things.
Reply
0 Kudos
Superuser
  • 12.82K
  • 644
  • 4.3K
Registered: ‎01-11-2009
Message 12 of 15 (294 Views)

Re: You have been infected by wannacry (email from Virgin)

[ Edited ]

I love how people go on and mention port 445 - incidentally, Virgin used to block it and the rest of the NETBIOS trio - until user pressure made them rethink this. Something along the lines of "I pay for access to the whole internet." as I recall.

445 is how the worm spreads internally once it gets onto a LAN, but more often than not it enters the LAN through other means like an infected email.

But the wannacry worm tries communicating with a specific URI over HTTP so it's easy for the security researchers to log traffic hitting the website.  But it does mean that people who visit the site out of curiosity end up getting a well-intentioned letter as a result.

________________________________________


Only use Helpful answer if your problems been solved.

Reply
0 Kudos
Superfast
  • 233
  • 2
  • 46
Registered: ‎09-04-2012
Message 13 of 15 (191 Views)

Re: You have been infected by wannacry (email from Virgin)

I received a letter today saying a device on my network may be infected with wannacry.
None are.

I did visit the kill switch website the security guy purchased out of curiosity, so that clears it up.
Reply
0 Kudos
Knows their stuff
  • 1.26K
  • 133
  • 383
Registered: ‎23-09-2012
Message 14 of 15 (158 Views)

Re: You have been infected by wannacry (email from Virgin)

When wannacry requests the kill switch domain the HTTP request header lacks the user-agent field; according to Cisco Umbrella | Blog. You may wish to query the report made to Virgin Media by Shadowserver to see if they filtered out such requests from their reports.

Reply
0 Kudos
Superfast
  • 233
  • 2
  • 46
Registered: ‎09-04-2012
Message 15 of 15 (155 Views)

Re: You have been infected by wannacry (email from Virgin)

I'm assuming they just have a list of IP addresses that have visited.
Reply
0 Kudos