WannaCry is a computer worm that targets computers running Microsoft Windows. Initially, the worm uses the EternalBlue exploit to enter a computer, taking advantage of a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. It installs the DoublePulsar backdoor implant tool, which then transfers and runs the WannaCry ransomware package. Several organizations have released detailed technical writeups of the malware, including Microsoft, and McAfee.
The "payload" works in the same fashion as most modern ransomware: it finds and encrypts a range of data files, then displays a "ransom note" informing the user and demanding a payment in

It is considered a network worm because it also includes a "transport" mechanism to automatically spread itself. This transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain access, and the DoublePulsar tool to install and execute a copy of itself.
The software contained a URL that, when discovered and registered by a security researcher to track activity from infected machines, was found to act as a "kill switch" that shuts down the software, stopping the spread of the ransomware. The researcher speculated that this had been included in the software as a mechanism to prevent it being run on quarantined machines so that it is harder for anti-virus researchers to investigate the software; he observed that some sandbox environments will respond to all queries with traffic in order to trick the software into thinking that it is still able to access the internet, so the software queried an "intentionally unregistered domain" to verify it was receiving traffic that it should not. He also noted that it was not an unprecedented technique, having been observed in the
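The two network behaviours described above, the worm's SMB fan-out to other hosts and its lookup of the kill-switch domain, are both visible in ordinary connection and DNS logs. The following detection script is an added example, not code from the article or from any of the cited writeups; the log line format, the fan-out threshold and the kill-switch domain name are assumptions (the article does not give the real domain, so a placeholder is used).

```python
"""Flag hosts that (a) open TCP/445 to many distinct peers, the signature of the
worm's transport scanner, or (b) query the kill-switch domain, which indicates
the WannaCry code executed on that host (whether or not it then spread)."""
from collections import defaultdict

KILL_SWITCH_DOMAIN = "killswitch.example"   # placeholder, not the real domain
SMB_FANOUT_THRESHOLD = 20                   # assumed; tune to the environment


def parse_line(line):
    """Constructed log format: '<ts> <kind> <src> <dst-or-qname> [<dport>]'."""
    fields = line.split()
    if len(fields) < 4:
        return None
    ts, kind, src, target = fields[:4]
    dport = int(fields[4]) if len(fields) > 4 else None
    return {"ts": ts, "kind": kind, "src": src, "target": target, "dport": dport}


def analyse(lines):
    """Return {host: [reasons]} for hosts showing worm-like behaviour."""
    smb_targets = defaultdict(set)   # src host -> distinct peers contacted on 445
    dns_hits = set()                 # hosts that resolved the kill-switch domain
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "conn" and rec["dport"] == 445:
            smb_targets[rec["src"]].add(rec["target"])
        elif rec["kind"] == "dns" and rec["target"].lower().rstrip(".") == KILL_SWITCH_DOMAIN:
            dns_hits.add(rec["src"])
    findings = defaultdict(list)
    for host, targets in smb_targets.items():
        if len(targets) >= SMB_FANOUT_THRESHOLD:
            findings[host].append(f"smb_fanout:{len(targets)}")
    for host in dns_hits:
        findings[host].append("killswitch_dns_query")
    return dict(findings)


# Constructed sample: 10.0.0.5 scans 25 peers on 445 and queries the kill-switch
# domain; 10.0.0.7 makes one normal SMB connection and an unrelated DNS query.
SAMPLE_LOG = (
    [f"2017-05-12T10:00:{i:02d} conn 10.0.0.5 10.0.0.{100 + i} 445" for i in range(25)]
    + ["2017-05-12T10:01:00 dns 10.0.0.5 killswitch.example",
       "2017-05-12T10:01:05 conn 10.0.0.7 10.0.0.9 445",
       "2017-05-12T10:01:06 dns 10.0.0.7 www.example.com"]
)

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A host that only appears under killswitch_dns_query, with no fan-out, is consistent with the kill switch having worked there: the code ran, the domain resolved, and the worm exited before spreading.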
On 19 May it was reported that hackers were trying to use a Mirai botnet variant to effect a distributed denial-of-service attack on WannaCry's kill-switch domain with the intention of knocking it offline. On 22 May @MalwareTech protected the domain by switching to a cached version of the site, capable of dealing with much higher traffic loads than the live site.
The network infection vector, EternalBlue, was released by the hacker group called The Shadow Brokers on 14 April 2017, along with other tools apparently leaked from Equation Group, which is widely believed to be part of the United States National Security Agency.
EternalBlue exploits vulnerability MS17-010 in Microsoft's implementation of the Server Message Block (SMB) protocol. This Windows vulnerability was not a zero-day flaw, but one for which Microsoft had released a "critical" advisory, along with a security patch to fix the vulnerability two months before, on 14 March 2017. The patch was to the Server Message Block (SMB) protocol used by Windows, and fixed several versions of the Microsoft Windows operating system, including Windows Vista onwards (with the exception of Windows 8), as well as server and embedded versions such as Windows Server 2008 onwards and Windows Embedded POSReady 2009 respectively, but not the older unsupported Windows XP and Windows Server 2003. The day after the WannaCry outbreak Microsoft released updates for these too. Windows 10 did not have the vulnerability.
DoublePulsar is a backdoor tool, also released by The Shadow Brokers on 14 April 2017. Starting from 21 April 2017, security researchers reported that computers with the DoublePulsar backdoor installed were in the tens of thousands. By 25 April, reports estimated the number of infected computers to be up to several hundred thousand, with numbers increasing exponentially every day. The WannaCry code can take advantage of any existing DoublePulsar infection, or installs it itself.