These notes describe how to use the command line version of the Sophos Anti-Rootkit tool to remove rootkits from networked Windows NT/2000/XP/2003 computers, and to prevent reinfection across the network during this process.
Note: You cannot use the graphical user interface (GUI) version of Sophos Anti-Rootkit for network disinfection.
The command line version of the Sophos Anti-Rootkit tool can be used over a network to remove rootkits from Windows NT/2000/XP/2003 computers.
Sophos Anti-Rootkit removes rootkits only. You should subsequently scan your computers with anti-virus software to remove any Trojans, etc., that the rootkit may have placed there.
Read these notes completely before starting to disinfect your computers.
Disconnect the infected network from the internet by shutting down the router (or equivalent device); if necessary, unplug the connecting cable. Most malicious programs spread over the internet, so this protects against further infection while you clean.
Then, on an uninfected computer, prepare a write-protected copy of the anti-rootkit tool on a CD or other write-protected medium:
If you have a small network (up to 30 computers), or a peer-to-peer network, you should clean the computers individually. Run the graphical user interface (GUI) version of Sophos Anti-Rootkit from the CD that you made on each computer in turn. Note: If you have a peer-to-peer network (workgroup), you must use this method, because workgroup clients do not have a login script.
To run network disinfection, use the command line version of the Sophos Anti-Rootkit tool.
Check whether the rootkit is present on only a few computers, or whether it has spread to your domain controller.
Warning: Do not reboot or log off the Domain Controller during network cleaning. It might become infected.
For the purposes of these notes all computers except the Domain Controller are workstations.
\\[SERVER]\SOPHTEMP\SARCLI.EXE -clean -restart
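As an added illustration (not part of the Sophos article), the batch login script below shows one way to wrap that command so that it runs the cleaner once per workstation, skips the Domain Controller, and leaves a record on the share. The share name SOPHTEMP and the [SERVER] placeholder are taken from the command above; the domain controller name DC01, the LOGS subfolder, and the marker file location are assumptions for the example, and the marker assumes the logon account can write to that location. The script uses only the -clean and -restart switches shown in the article.

```batch
@echo off
rem Added example, not from the Sophos article: a login script that runs the
rem command-line Sophos Anti-Rootkit tool from a share during network cleaning.
rem Assumptions (placeholders, not from the page): the domain controller name
rem DC01, the LOGS subfolder on the share, and the marker file location.
setlocal

set TOOL=\\[SERVER]\SOPHTEMP\SARCLI.EXE
set LOGDIR=\\[SERVER]\SOPHTEMP\LOGS
set MARKER=%SystemRoot%\sarcli-ran.txt
set DCNAME=DC01

rem Never run the cleaner on the Domain Controller: the article warns it must
rem not be rebooted or logged off during network cleaning, and -restart reboots.
if /i "%COMPUTERNAME%"=="%DCNAME%" goto :eof

rem Run the cleaner once per workstation: skip if the marker already exists.
if exist "%MARKER%" goto :eof

rem Skip quietly if the share or tool is unreachable, so logon is not blocked.
if not exist "%TOOL%" goto :eof

rem Write the marker BEFORE running the tool: -restart reboots the machine, so
rem any line after the tool call may never execute on this logon.
echo %DATE% %TIME% > "%MARKER%"
if exist "%LOGDIR%" echo %DATE% %TIME% %COMPUTERNAME% %USERNAME% start >> "%LOGDIR%\sarcli.log"

rem Exactly the command the article places in the login script.
"%TOOL%" -clean -restart
set RC=%ERRORLEVEL%

rem Reached only if the tool returned without rebooting; record its exit code
rem for the administrator (the article does not document exit code meanings).
if exist "%LOGDIR%" echo %DATE% %TIME% %COMPUTERNAME% exit=%RC% >> "%LOGDIR%\sarcli.log"
endlocal
```

The marker is written before the tool is invoked because -restart may reboot the workstation before the script reaches its next line; checking the marker first prevents the cleaner from running again at every subsequent logon. The central log on the share lets you see which workstations have started the cleaner without visiting each one.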