Skip to content
July 12, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Vulnerability Report
Light/Dark Button
  • Home
  • Technique
  • Detection/Prevention/Clean EternalRocks worm
  • Technique

Detection/Prevention/Clean EternalRocks worm

Do Son May 25, 2017 4 minutes read

Recently, security researchers have discovered a new malware. The malware, like WannaCry extortion software, spreads itself by exploiting the vulnerabilities in the Windows SMB file sharing protocol, but unlike the latter, it uses a variety of recent hacking tools from the US National Security Agency (NSA) And Wannacry uses only two!

EternalRocks worm

On May 17, 2017, the Croatian security expert (Miroslav Stampar) discovered a worm based on WannaCry, which was also spread through vulnerabilities in the NSA arsenal. He named the virus EternalRocks and posted it to Twitter, as follows Figure:

According to foreign media “Fortune” magazine May 21, 2017 reported that EternalRocks affect a large number of patches are not installed Windows7 host, spread fast, has affected the 240,000 hosts. As shown below:

Virus composition and process

Eternalrocks consists of seven attack loads, including four Windows vulnerability exploits, a backdoor and two vulnerability scans.

Features Module name Vulnerability number
Exploit procedures EternalblueEternalchampion

Eternalromance

Eternalsynergy

Microsoft Windows SMB Remote Code Execution Vulnerability (MS17-010)CVE-2017-0143

CVE-2017-0144

CVE-2017-0145

CVE-2017-0146

CVE-2017-0147

CVE-2017-0148

Backdoor Doublepulsar
Scanners Architouch, Smbtouch

The above mentioned four vulnerabilities are the use of the Windows system SMB protocol vulnerabilities, involving Windows XP, Vista, 7, Windows Server 2003, 2008, 2008 R2 system, Microsoft has released the official security patch MS17-070.

The virus workflow is as follows:

  1. Use SMB reconnaissance tools smbtouch and architouch to scan open SMB ports.
  2. If the SMB port is found, use the four vulnerabilities exploit (eternalblue, eternalchampion, eternalromance, eternalsynergy) through the network to infect the victim host.
  3. After infecting eternalrocks, you will download the Tor browser (a browser that can access the web, which can be prevented from being accessed using regular browsers) and download .NET components.
  4. Tor will take the initiative to connect to a C & C server in a dark network, connect the server 24 hours later, will respond to the C & C server and download the 7 SMB vulnerability attack load, in this way, you can avoid the sandbox technology detection.
  5. After the infection is complete, the EternalRocks worm will continue scanning the Internet’s open SMB port, propagating and infecting other hosts.

Virus characteristics

  • Take advantage of multiple vulnerabilities

EternalRocks takes advantage of the four attack programs in the NSA arsenal, much more than WannaCry uses.

  • Only infected, no damage

EternalRocks does not encrypt WaxCry’s files on infected hosts and extort bitmaps, just through the network.

  • The propagation switch is not set

EternalRocks does not set up domain name switches like WannaCry to control virus propagation.

  • Install the back door

EternalRocks will install the Doublepulsar backdoor on the infected host, which is then used by hackers to remotely control infected hosts.

  • Delay download attack load

EternalRocks infected host, the delay will be delayed 24 hours to download the attack load, the purpose is to delay the safety of the researchers response time.

Detection

  • local inspection

Virus infected host, will create C:\Program Files\Microsoft Updates\ directory, generate multiple virus files, as shown below:

Go to the Start menu – Control Panel – Administrative Tools – Scheduled Tasks, expand the Task Scheduler Library – Microsoft-Windows, and the virus creates two scheduled tasks, ServiceHost and TaskHost, as shown in the following figure:

 

Found on the host of the above characteristics, you can determine the infection has EternalRocks virus.

Prevention

  • Broken network

Detection of the virus found in the detection phase of the host should immediately cut off the network, to avoid further spread of the virus in the network.

  • Block the port

For hosts that do not have the MS17-010 patch and the presence of the Doublepulsar backdoor, the Windows SMB service TCP 445 port should be blocked immediately.

Repair

Clear the virus

  1. Go to the Start menu – Control Panel – Administrative Tools – Scheduled Tasks, expand the Task Scheduler Library – Microsoft-Windows, and delete the scheduled tasks ServiceHost and TaskHost.
  2. Stop the following process.

C: \Program Files\Microsoft Updates\svchost.exe

C: \Program Files\Microsoft Updates\taskhost.exe

C: \Program Files\Microsoft Updates\torunzip.exe

  1. Delete the C:\Program Files\Microsoft Updates\ directory and all the files in it.

Install patch

Download and install Microsoft’s official patch:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Share this article:

Facebook Post LinkedIn Telegram
Tags: EternalRocks worm

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-1207CVSS 5.4
    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on...
    Admin intel📅 Updated: Jul 10, 2026
  • CVE-2026-48939CVSS 10.0
    A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-56291CVSS 10.0
    The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-55255CVSS 8.4
    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-48908
    A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-56290
    The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-20896CVSS 9.8
    Gitea Docker image: `REVERSE_PROXY_TRUSTED_PROXIES = *` default lets any source IP impersonate any user via `X-WEBAUTH-USER`
    Admin intel📅 Updated: Jul 6, 2026
  • CVE-2026-48282CVSS 10.0
    ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted...
    Admin intelCISA KEV📅 Added to KEV: Jul 7, 2026📅 Updated: Jul 3, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-61447CVSS 10.0
    PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() that...
  • CVE-2026-61445CVSS 9.9
    PraisonAI before 4.6.78 contains arbitrary file write and command execution vulnerabilities in...
  • CVE-2026-60090CVSS 9.8
    PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the...
  • CVE-2026-57827CVSS 10.0
    The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload...
  • CVE-2026-57828CVSS 9.0
    The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file...
  • CVE-2026-14480CVSS 9.9
    OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the...
  • CVE-2026-20744CVSS 9.8
    The charging station websocket endpoint accepts connections without proper authentication, which could...
  • CVE-2026-57807CVSS 9.8
    Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Security...
  • CVE-2026-55879CVSS 9.3
    OpenReplay is a self-hosted session replay suite. From 1.24.0 before 1.25.0, the...
  • CVE-2026-12761CVSS 9.8
    The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.