Instantly share code, notes, and snippets.

Embed
What would you like to do?
Run as service and detect if you have specific files on a users computer, was specifically created for wannacry virus
#CREATED BY GISLI GUDMUNDSSON
#GLOBAL VARIABLES
$MailTo = "admin@yourcompany.com"
$SmptServer = "yourmxserver.domain.com"
function SendInfectionMessage(){
Send-MailMessage -To $MailTo -From "$env:COMPUTERNAME" -Subject "WannaCry Infection Detected - $env:COMPUTERNAME" -Body "WannaCry Infection Was Likely Detected on Computer $env:COMPUTERNAME. Please contact Username $env:USERNAME to investigate further. The Network Was Disabled On Remote Machine" -SmtpServer $SmtpServer
}
function DisableInfectedComputer(){
#Send The message to IT Admin
SendInfectionMessage
#Search for all network working network adapters
$NetworkAdapters = get-wmiobject win32_networkadapter | where { $_.MACAddress -ne $null }
foreach($NetworkAdapter in $NetworkAdapters){
#Disables Network Adapters
$NetworkAdapter.Disable()
}
}
function MainDetection(){
#Figures out if the temp storage has specified extension
$TempFilePath = $env:TEMP
$FilesInTemp = Get-ChildItem -Path $TempFilePath -Filter "*.WCRYT" -Recurse
#Checks for if the computer has already been affected
$Desktop = $env:USERPROFILE + "\Desktop"
$GetWallpaper = Get-ChildItem -Path $Desktop -Filter "!WannaCryptor!.bmp" -Recurse
#If it contains any files then run the DisableInfectedComputer
if($FilesInTemp -ne $null -or $GetWallpaper -ne $null){
DisableInfectedComputer
}
}
#Run detection program
MainDetection
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment