Hello, in this tutorial I want to show you guys how to check your PC against the DoublePulsar infection. MS already released one KB which prevents the PC from a new infection, but it does not check if you're already infected - this is where this tutorial can kick in.

Requirements:
- Python (does not work with 3.x, you need 2.7)
- Scripts
- Windows 10 (Win 8 and lower aren't tested), see this and this.

Step by step:
1. After you download Python, install it in e.g. c:\.
2. Download the script (on GitHub -> right corner 'download zip' file) and extract it to e.g. c:\.
3. To make it a little bit easier for people who aren't familiar with cmd/powershell, just copy and paste 'detect_doublepulsar_rdp.py' and 'detect_doublepulsar_smb.py' into the python dir.
4. Now open the powershell in the dir, e.g. PS C:\Python27/> ... When you don't like to work with powershell, just type in cmd in the powershell window and you can now work in cmd.

Code:
c:\python27> python.exe detect_doublepulsar_smb.py --ip 192.168.111.8

This is what we call; the IP is our target we want to scan, your own PC. When you're not infected you get something like this as return.

Code:
[ - ] [192.168.111.8] No presence of DOUBLEPULSAR SMB implant.

When you're infected you see DETECTED.

Code:
[+] [192.168.111.8] DOUBLEPULSAR SMB IMPLANT DETECTED!!!

In this case you can reinstall your OS. Theoretically you still could try to close the ports and remove leftovers - the script also comes with a basic uninstall function. But you should consider reinstalling the OS since you could be a target already.

Difference between the two scripts? SMB is for Server Message Block (port 445) [most people need this to check their PC] and RDP is for Remote Desktop Protocol (Port 3389) -> use this script in case you're on a server.
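If you have more than one of your own machines to check, here is an added example (written for this thread, not taken from the OP and not part of the detection scripts' project) that runs the SMB and RDP scripts against a list of hosts and reads their output into a small report. The `--ip` flag and the two result lines it looks for are the ones quoted in the post above; everything else (the SCRIPT_DIR location, the assumption that the scripts print exactly one such line per host, the host list) is an assumption of this example. The point worth noticing is the third verdict, "unknown": a script that crashes, a filtered port or a host that is down produces neither of the two quoted lines, and that must not be read as "clean".

```python
# -*- coding: utf-8 -*-
"""Run the DoublePulsar detection scripts against your own hosts and
summarise the verdicts.  Added example for this thread, not the OP's code
and not part of the scripts' project.  Assumptions: the scripts live in
SCRIPT_DIR, and each prints one result line in one of the two formats the
OP quotes.  Written to run on Python 2.7 (which the OP says the scripts
need) as well as Python 3."""
import os
import re
import subprocess
import sys

SCRIPT_DIR = r"C:\Python27"  # assumption: where the OP copied the scripts to
SCRIPTS = {
    "smb": "detect_doublepulsar_smb.py",  # port 445 (from the OP)
    "rdp": "detect_doublepulsar_rdp.py",  # port 3389 (from the OP)
}

# The two result shapes quoted in the post.  Anything else becomes "unknown"
# (host down, port filtered, script error) and is never reported as clean.
_DETECTED = re.compile(r"^\[\+\]\s+\[([\d.]+)\].*DOUBLEPULSAR.*IMPLANT DETECTED", re.I)
_CLEAN = re.compile(r"^\[\s*-\s*\]\s+\[([\d.]+)\].*No presence of DOUBLEPULSAR", re.I)


def parse_result(output):
    """Map one script run's output to 'infected', 'clean' or 'unknown'."""
    for line in output.splitlines():
        line = line.strip()
        if _DETECTED.match(line):
            return "infected"
        if _CLEAN.match(line):
            return "clean"
    return "unknown"


def run_check(ip, protocol):
    """Run one detection script for one host and return its verdict."""
    script = os.path.join(SCRIPT_DIR, SCRIPTS[protocol])
    proc = subprocess.Popen(
        [sys.executable, script, "--ip", ip],  # --ip is the flag the OP uses
        stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    out, _ = proc.communicate()
    return parse_result(out.decode("utf-8", "replace"))


def check_hosts(ips, protocols=("smb",)):
    """Return {ip: {protocol: verdict}} for every host and protocol."""
    return dict((ip, dict((p, run_check(ip, p)) for p in protocols)) for ip in ips)


def summarise(results):
    """Return (printable report, sorted list of hosts with a positive hit)."""
    flagged = sorted(ip for ip, verdicts in results.items()
                     if "infected" in verdicts.values())
    lines = []
    for ip in sorted(results):
        verdicts = "  ".join("%s=%s" % kv for kv in sorted(results[ip].items()))
        lines.append("%-16s %s" % (ip, verdicts))
    return "\n".join(lines), flagged


if __name__ == "__main__":
    # Constructed default: the address used in the post; pass your own hosts instead.
    hosts = sys.argv[1:] or ["192.168.111.8"]
    report, flagged = summarise(check_hosts(hosts, protocols=("smb", "rdp")))
    print(report)
    if flagged:
        print("Hosts reporting the implant (rebuild from known-good media): "
              + ", ".join(flagged))
    unknown = [ip for ip in hosts if "unknown" in report and ip in report]
    if unknown:
        print("Note: 'unknown' means the script gave no verdict, not that the host is clean.")
```

Usage: `python.exe check_hosts.py 192.168.111.8 192.168.111.9` from the python dir (name of the file is your choice). Hosts in the "infected" list are the ones the OP says you should reinstall; hosts with "unknown" need the script run again by hand so you can see why it gave no verdict.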
Already reported. The script got a remote uninstall function yesterday; I corrected the OP to mention this.