Zhang M1suzu

XNU syscall path

Chart

             +------------------+
             |These push their  |                                  +-----------------------+
             |respective syscall|                                  |This overwrites the    |
             |dispatch functions|                                  |saved dispatch function|
             |onto the stack    |                                  |with hndl_alltraps     |

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

	/* ultrasn0w (D) xerub 2014
	*
	* This program is free software; you can redistribute it and/or modify
	* it under the terms of the "do What The Fuck you want to Public License";
	* either version 1 of the License, or whatever (the fuck) version you want.
	*
	* $ ios-clang -o ultrasn0w.o -Wno-variadic-macros -O2 -c ultrasn0w.c
	* $ ios-clang -o ultrasn0w.dylib -shared ultrasn0w.o -lsubstrate -lATCommandStudioDynamic
	*
	* Inject into CommCenterClassic iPhone3,1 baseband 1.59.00