Win32/VirLock


Postby EP_X0FF » Mon Dec 08, 2014 9:11 am

Malware that infects executable files on the victim's computer and asks to pay a ransom in BTC.

Each infected executable is overwritten by a copy of the malware with the icon of the original executable preserved. Mass infection of executables gives this malware the ability to survive removal and re-infect the PC.

Runs via
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Alters Windows Explorer settings:
1) file extensions -> reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2) hidden files -> reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Turns off UAC -> reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Monitors user activity -> blocks execution of several programs by looking for specific window titles/class names, including malware process names.
The following names are identified:
1) Windows Task Manager
2) Run
3) Open
4) malware process names (thus preventing viewing of process properties, for example)
5) RegEdit_RegEdit

Capable of infecting removable drives.

Example of an infected file -> https://www.virustotal.com/en/file/113c16849befe068996c564a7fe085002973e452827731e67b323c376c4c63b9/analysis/ (gmer found on an infected computer was used)

One of the VT reports for the sample in the archive
https://www.virustotal.com/en/file/418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786/analysis/
Don't be confused by the high VT detection ratio - only 4 products here correctly detect this malware.
Ring0 - the source of inspiration
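A host-side audit for the registry changes listed in the post above, added here as an example (not code from the original thread or from the poster). It reads the three Explorer/UAC values and dumps both Run keys; the "Safe" values and the -Restore switch are my assumptions about what an analyst would put back, not something the post describes.

```powershell
# Added example, not code from the original thread: audit a host for the
# registry changes EP_X0FF lists above. "Safe" values and the -Restore
# switch are assumptions about what an analyst would put back.
# Caveat: HideFileExt=1 and Hidden=2 are also Windows defaults, so on
# their own they are weak indicators; EnableLUA=0 is the strong one.
param([switch]$Restore)

$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Path = $adv; Name = 'HideFileExt'; Indicator = 1; Safe = 0 },
    @{ Path = $adv; Name = 'Hidden';      Indicator = 2; Safe = 1 },
    @{ Path = $uac; Name = 'EnableLUA';   Indicator = 0; Safe = 1 }
)

$findings = @()
foreach ($c in $checks) {
    # Get-ItemProperty errors on an absent value name; suppress and treat as $null.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $current = $item.($c.Name)
    if ($current -eq $c.Indicator) {
        $findings += '{0}\{1} = {2} (matches value set by VirLock)' -f $c.Path, $c.Name, $current
        if ($Restore) {
            # EnableLUA needs an elevated shell and only takes effect after a reboot.
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Safe -Type DWord
        }
    }
}

# Persistence: list both Run keys so image paths can be checked against the
# hashes posted in this thread. PS* properties are provider metadata, not values.
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($k in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notin $meta) { 'Run entry: {0}\{1} = {2}' -f $k, $p.Name, $p.Value }
    }
}

if ($findings.Count -eq 0) { 'No VirLock registry indicators found.' } else { $findings }
```

Run it from an elevated PowerShell on the suspect host; the Run-key listing is informational and should be compared by an analyst, since legitimate entries will appear alongside any malicious ones.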

Re: Win32/VirLock

Postby Mosh » Sun Jul 17, 2016 3:01 am

Hi

I don't know if this ransomware is active again; it looks like nothing has changed in its functionality.

Virlock.exe
eeeb3519dbba09bd590076ab921e9d17
c92a20e3ce9756ea1b2a0f89626cd093e6de573b
a95f93b1a16559b07820aea239014c2169161ce23d378a05d0c82bf960941e30
805.0 KB
https://www.virustotal.com/es/file/a95f ... /analysis/

Regards!
nyxbone.com
Twitter: @nyxbone

