We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Trojan:PowerShell/Lonit.PA
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This threat is a form of fileless malware that uses the EternalBlue exploit (CVE-2017-0144).
You should:
- Patch EternalBlue (CVE-2017-0144) to prevent the malware from spreading.
- Check task scheduler for all automated tasks
- Disable VBScript to disable persistence. The program uses WScript.Shell com objects to maintain persistence.
- Go through the Microsoft forum to learn more about this malware. For more details about EternalBlue, see the Analysis of the ETERNALBLUE and ETERNALROMANCE exploits leaked by Shadow Brokers.
- Run a full scan. A full scan might find hidden malware.
Use the following free Microsoft software to detect and remove this threat:
- Microsoft Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
Use cloud protection
Use cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Microsoft Defender Antivirus for Windows 10.
Go to Settings > Update & security > Windows Defender > Windows Defender Security Center > Virus & threat protection and make sure that your Cloud-based Protection settings is turned On.
Get more help
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.