Winlocker.VB6.Blacksod

Forum for analysis and discussion about malware.


Postby slipstream- » Sun Jul 17, 2016 9:13 pm

Indian winlocker trash, fakes a BSOD or product key screen, tries to get the user to call fake tech support.

Some have a nice button to run cmd.exe, some do not.

All are linked via dropper method (advanced installer), or via callback URL (to notify successful install only).

I called this family "VB6.blacksod", because one of the earlier samples I saw had a form name called "blacksod", and they're all coded in VB6.

ErrorFileRemover.exe: advanced installer dropper, contacts hxxp://recoverpcerror.com/ar/5430.html (links to license key.exe), and hxxp://itsupport24by7.com/online.html (browlock in root, in UTF-16LE encoding with BOM, probably as a lame obfuscation attempt). Number to call: +1(800)536-1585 -- fakes a BSOD and plays a lame text-to-speech wav in broken English to scare the user.

VideoCodecX.exe: advanced installer dropper, contacts hxxp://gmusicplayer.com/0678.html and hxxp://recoverpcerror.com/me/0678.html, has nice cmd.exe button, number to call: 1-844-307-0678

license key.exe: Smart Install Maker dropper, contacts hxxp://recoverpcerror.com/me/active/3313.html, has nice cmd.exe button, number to call: 1-877-256-3313
slipstream-
 
Posts: 17
Joined: Tue Sep 23, 2014 7:42 pm
Reputation point: 17

Re: Winlocker.VB6.Blacksod

Postby slipstream- » Fri Jul 22, 2016 4:17 pm

New blacksod.

Advanced installer dropper, contacts hxxp://gmusicplayer.com/july0678.html and hxxp://recoverpcerror.com/me/july0678.html, has nice cmd.exe button, number to call: 1-844-307-0678

Note same number as earlier instance, but different callback URLs.
slipstream-
 
Posts: 17
Joined: Tue Sep 23, 2014 7:42 pm
Reputation point: 17

Re: Winlocker.VB6.Blacksod

Postby slipstream- » Wed Aug 03, 2016 8:19 pm

Next blacksod.

Advanced installer dropper. Contacts hxxp://recoverpcerror.com/ar/pro/5490.html and has nice cmd.exe button (you need to click in the first form to get to it). Number to call: 1-866-933-5490
slipstream-
 
Posts: 17
Joined: Tue Sep 23, 2014 7:42 pm
Reputation point: 17

Re: Winlocker.VB6.Blacksod

Postby patriq » Wed Aug 03, 2016 9:07 pm

When I google "1-866-933-5490", this is the first result: hxxp://www.tekexpert.net/contact-us.html
Possibly related; looks like a scam tech support page.

Samples that contact recoverpcerror.com (just visit the index and a sample downloads)

https://www.virustotal.com/en/file/c3ed ... /analysis/
https://www.virustotal.com/en/file/c383 ... /analysis/
https://www.virustotal.com/en/file/c4f0 ... /analysis/
https://www.virustotal.com/en/file/a6de ... /analysis/

New phone number on recoverpcerror.com = 1-844-459-8882
patriq
 
Posts: 109
Joined: Fri Jun 28, 2013 8:11 pm
Reputation point: 22
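Added example, not code from the thread or from either poster: two small triage helpers built only from the indicators quoted above. The first decodes a browlock page stored as UTF-16LE with a BOM (the encoding trick noted in the first post, which defeats naive text-mode grepping because every ASCII byte is followed by a NUL) and pulls out the phone numbers it tells the victim to call, comparing them against the numbers listed across the thread. The second flags proxy log lines whose URL targets one of the callback hosts. The HTML page and the Squid-style log lines are constructed for this example; the host set and phone numbers are the ones quoted in the thread.

```python
"""
Added example (not the thread's own code): triage helpers for the
Blacksod-style callback URLs and browlock page described in this thread.
The HTML snippet and log lines below are constructed for this example.
"""
import re
from urllib.parse import urlparse

# Callback hosts quoted in the thread (hxxp:// defanging dropped here).
CALLBACK_HOSTS = {"recoverpcerror.com", "itsupport24by7.com", "gmusicplayer.com"}

# Scam numbers quoted in the thread, normalized to 10 digits.
KNOWN_NUMBERS = {"8005361585", "8443070678", "8772563313", "8669335490", "8444598882"}

# Matches +1(800)536-1585, 1-844-307-0678, 866 933 5490 and similar forms.
PHONE_RE = re.compile(r"(?:\+?1[\s\-.]?)?\(?(\d{3})\)?[\s\-.]?(\d{3})[\s\-.]?(\d{4})")

UTF16LE_BOM = b"\xff\xfe"


def decode_browlock(raw: bytes) -> str:
    """Decode a page body, honouring a UTF-16LE BOM if present.
    A page without the BOM is treated as UTF-8 and returned as-is."""
    if raw.startswith(UTF16LE_BOM):
        return raw[len(UTF16LE_BOM):].decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def extract_numbers(text: str) -> set:
    """Return phone numbers found in text, normalized to 10 digits."""
    return {"".join(m.groups()) for m in PHONE_RE.finditer(text)}


def classify_page(raw: bytes) -> dict:
    """Summarize a fetched page: whether the UTF-16LE BOM trick was used,
    the numbers found, and which of them match the thread's known set."""
    text = decode_browlock(raw)
    numbers = extract_numbers(text)
    return {
        "utf16_bom": raw.startswith(UTF16LE_BOM),
        "numbers": numbers,
        "known_hits": numbers & KNOWN_NUMBERS,
    }


def flag_callbacks(log_lines: list) -> list:
    """Return (host, path) for each log line whose URL targets a callback host.
    Assumes a Squid-like line where the URL is a whitespace-separated field
    starting with http:// or https://."""
    hits = []
    for line in log_lines:
        for field in line.split():
            if field.startswith(("http://", "https://")):
                u = urlparse(field)
                if u.hostname in CALLBACK_HOSTS:
                    hits.append((u.hostname, u.path))
    return hits


# Constructed browlock page: UTF-16LE with BOM, wording modeled on the post.
SAMPLE_PAGE = UTF16LE_BOM + (
    "<html><body><h1>Windows has been blocked</h1>"
    "<p>Call Microsoft support now: +1(800)536-1585</p></body></html>"
).encode("utf-16-le")

# Constructed proxy log lines (Squid access.log style); IPs are documentation ranges.
SAMPLE_LOG = [
    "1468789980.123 210 10.0.0.5 TCP_MISS/200 512 GET http://recoverpcerror.com/ar/5430.html - HIER_DIRECT/203.0.113.10 text/html",
    "1468789981.456 95 10.0.0.5 TCP_MISS/200 3072 GET http://example.org/index.html - HIER_DIRECT/203.0.113.20 text/html",
    "1468789982.789 180 10.0.0.7 TCP_MISS/200 640 GET http://gmusicplayer.com/0678.html - HIER_DIRECT/203.0.113.30 text/html",
]

if __name__ == "__main__":
    print(classify_page(SAMPLE_PAGE))
    print(flag_callbacks(SAMPLE_LOG))
```

Matching on the full host rather than the page path is deliberate: the later posts show the same hosts reused with new paths (0678.html, july0678.html, pro/5490.html), so a path-based rule would go stale quickly while the host and the phone number stay stable across samples.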
