Trojan.Winlock - Lock Em All

Forum for analysis and discussion about malware.

Postby EP_X0FF » Tue Mar 16, 2010 6:51 pm

This trojan blocker prevents all software execution by displaying an always-on-top window that constantly redraws. To remove the trojan (and unlock Windows), infected users need to enter a valid serial number.

Named Lock Em All because of the specific window name.

[screenshot]

Once installed it looks like this:

[screenshot]

Autostarts through HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit as %systemroot%\system32\usrinit.exe

UPDATE July 2011.

[screenshot]

The locker evolved a few months later.

URL list, 26.07.2011

Starting from 26 July, Lock'Em'All ransomware moved to a dedicated bulletproof server at SIA LEMGA, criminal-affiliated hosting.

hxxp://binxx3fi.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://rim5ttds.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://kinvivifas.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://boomfporka.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://z4nixxxi.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://rim5tporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://azxpoixx.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://ebatporkas.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://fingopas.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://xxxbuxc.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://3rewporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://ttedhoki.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://sukazporka.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://cbipoxf.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://ndcporka.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://frtnnbc.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://w2biporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://zx1uporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://llz3porn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://ebpoino.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://5uporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://4tporl.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://llkzporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://hnyporka.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://1qporka.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://sukporn1.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://hhn3por.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://2tipornn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://wq1porm.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://4youporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://3vvporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://ffporm.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://sv2porn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://w3nixx.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://gnpotk.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://2bioko.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://us1porn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://w3vporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://w2yporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://w1porka.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://new3porn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://rim2bi.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://4xrubin.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://diporn1.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://3zuporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://2nporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://1biporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://z4porn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://qqyygf.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://hnkporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://llzxzt.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://mixntrd.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://zzporrno.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://fimsporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://xvidcoms.s3.amazonaws.com/xxx_video.exe DELETED

All client.jp domains have been suspended or deleted due to abuse.

hxxp://farsioce.client.jp/xxx_video.exe DELETED
hxxp://lecwovil.client.jp/xxx_video.exe DELETED
hxxp://gutfmulti.client.jp/xxx_video.exe DELETED
hxxp://longhanbi.client.jp/xxx_video.exe DELETED
hxxp://ceinopxent.client.jp/xxx_video.exe DELETED
hxxp://clucessnor.client.jp/xxx_video.exe DELETED
hxxp://schoolcountthu.client.jp/xxx_video.exe DELETED
hxxp://rachaword.client.jp/xxx_video.exe DELETED
hxxp://saterdest.client.jp/xxx_video.exe DELETED
hxxp://liaschedaf.client.jp/xxx_video.exe DELETED
hxxp://terdesa.client.jp/xxx_video.exe DELETED
hxxp://visadchi.client.jp/xxx_video.exe DELETED
hxxp://neutricfer.client.jp/xxx_video.exe DELETED
hxxp://idabcoun.client.jp/xxx_video.exe DELETED
hxxp://pzigoket.client.jp/xxx_video.exe DELETED
hxxp://comvapun.client.jp/xxx_video.exe DELETED

hxxp://comdunnbeantrocart.narod.ru/xxx_video.exe INVESTIGATED/CLOSED
hxxp://racviphossotu.narod.ru/xxx_video.exe INVESTIGATED/CLOSED
hxxp://northvalgikacen.narod.ru/xxx_video.exe INVESTIGATED/CLOSED
hxxp://glitiheslynchea.narod.ru/xxx_video.exe INVESTIGATED/CLOSED
hxxp://nievialansscharen.narod.ru/xxx_video.exe INVESTIGATED/CLOSED
hxxp://brazunengavi.narod.ru/xxx_video.exe INVESTIGATED/CLOSED
hxxp://caropesiter.narod.ru/xxx_video.exe INVESTIGATED/CLOSED
hxxp://penfbaddisctranev.narod.ru/xxx_video.exe INVESTIGATED/CLOSED
hxxp://mobejustita.narod.ru/xxx_video.exe INVESTIGATED/CLOSED



Lock'Em'All URL list at 26.01.2011
Update 28.01.2011: following our abuse report, Yandex suspended all sites listed below.

hxxp://lyudmilazhmkosomovnn.narod2.ru/xxx_video.exe
hxxp://gennadiyeimisalovuk.narod2.ru/xxx_video.exe
hxxp://efimyuyguskovshcha.narod2.ru/xxx_video.exe
hxxp://varvaraishkandinskiyf.narod2.ru/xxx_video.exe
hxxp://daniilgrkrutoyzu.narod2.ru/xxx_video.exe
hxxp://lidiyadmvitinskiyvm.narod2.ru/xxx_video.exe
hxxp://adolftsboyarinove.narod2.ru/xxx_video.exe
hxxp://stepanyggorokhovshchk.narod2.ru/xxx_video.exe
hxxp://evgeniyayaiardankinyae.narod2.ru/xxx_video.exe
hxxp://elzachabalakhnovgshch.narod2.ru/xxx_video.exe
hxxp://veronikauemagazinerga.narod2.ru/xxx_video.exe
hxxp://leonidyueenotineyu.narod2.ru/xxx_video.exe
hxxp://raisakykapitonovsshch.narod2.ru/xxx_video.exe
hxxp://oksanaerlashkinchb.narod2.ru/xxx_video.exe
hxxp://mariyakhkhblinovlb.narod2.ru/xxx_video.exe
hxxp://alangtdemenkovzl.narod2.ru/xxx_video.exe
hxxp://stellappkolomiytsevyo.narod2.ru/xxx_video.exe
hxxp://anfisayrlagutovakh.narod2.ru/xxx_video.exe
hxxp://ninatikramovai.narod2.ru/xxx_video.exe
hxxp://alisaudbaltabevbl.narod2.ru/xxx_video.exe
hxxp://angelinaeevakhrushevym.narod2.ru/xxx_video.exe
hxxp://margaritakhnbagroviyu.narod2.ru/xxx_video.exe
hxxp://azariynnbarsovzhshch.narod2.ru/xxx_video.exe
hxxp://aristarkhefmarkelovep.narod2.ru/xxx_video.exe
hxxp://yuriyshakuzkineg.narod2.ru/xxx_video.exe
hxxp://zinaidakhlzubarevoch.narod2.ru/xxx_video.exe
hxxp://petrzpkuzmichg.narod2.ru/xxx_video.exe
hxxp://olegyatlevkinzh.narod2.ru/xxx_video.exe
hxxp://valeriyashebabatoch.narod2.ru/xxx_video.exe
hxxp://timurzpkalmykovmi.narod2.ru/xxx_video.exe
hxxp://vyacheslavushchglobazh.narod2.ru/xxx_video.exe
hxxp://anastasiyayblobanrv.narod2.ru/xxx_video.exe
hxxp://ivangykoryavinmu.narod2.ru/xxx_video.exe
hxxp://adolfdenabokinyuu.narod2.ru/xxx_video.exe
hxxp://alisayuivoronkovyy.narod2.ru/xxx_video.exe
hxxp://antonshchbesfamilnovzk.narod2.ru/xxx_video.exe
hxxp://milenaesdurkinbsh.narod2.ru/xxx_video.exe
hxxp://vladimiroyaburkinyum.narod2.ru/xxx_video.exe
hxxp://fainaommikhalevsy.narod2.ru/xxx_video.exe
hxxp://sofyaechbutylinyshch.narod2.ru/xxx_video.exe
hxxp://makareebesfamilnovyab.narod2.ru/xxx_video.exe
hxxp://efimyskostinop.narod2.ru/xxx_video.exe
hxxp://antonmboldaevoo.narod2.ru/xxx_video.exe
hxxp://antoninatbbershovgi.narod2.ru/xxx_video.exe
hxxp://adamzavaluevtse.narod2.ru/xxx_video.exe
hxxp://adakhukanalinfo.narod2.ru/xxx_video.exe
hxxp://anzheyyuedagintst.narod2.ru/xxx_video.exe
hxxp://vitaliygkdemchenkogs.narod2.ru/xxx_video.exe
hxxp://eduardzhgzhurovfu.narod2.ru/xxx_video.exe
hxxp://vyacheslavpygachevyae.narod2.ru/xxx_video.exe
hxxp://daryaykarginya.narod2.ru/xxx_video.exe
hxxp://vitaliymtslapinel.narod2.ru/xxx_video.exe
hxxp://nikitatzallenoviyu.narod2.ru/xxx_video.exe
hxxp://susannayzhbarentsevuzh.narod2.ru/xxx_video.exe
hxxp://karinafmamelintl.narod2.ru/xxx_video.exe
hxxp://vladimirbsvalievpe.narod2.ru/xxx_video.exe
hxxp://valentinalykuzminykhkh.narod2.ru/xxx_video.exe
hxxp://konstantinbdkruteleve.narod2.ru/xxx_video.exe
hxxp://rimmafbanrepzy.narod2.ru/xxx_video.exe
hxxp://adolfkyuignatkovichp.narod2.ru/xxx_video.exe
hxxp://tracenin.narod.ru/xxx_video.exe
hxxp://susannafdegtinshr.narod2.ru/xxx_video.exe
hxxp://andreyshchpburyakovt.narod2.ru/xxx_video.exe
hxxp://albinapdvorobevyaa.narod2.ru/xxx_video.exe
hxxp://semenstnovikovzhkh.narod2.ru/xxx_video.exe
hxxp://valeriyaankatkiner.narod2.ru/xxx_video.exe
hxxp://petrtchignatevzd.narod2.ru/xxx_video.exe
hxxp://alevtinaulepikhovkhg.narod2.ru/xxx_video.exe
hxxp://ivettasfgorelovishch.narod2.ru/xxx_video.exe
hxxp://karinaeshchlachkovzhv.narod2.ru/xxx_video.exe
hxxp://prokhorshzmilekhintts.narod2.ru/xxx_video.exe
hxxp://alinazhmerokhinyl.narod2.ru/xxx_video.exe
hxxp://daryayarkuptsovshts.narod2.ru/xxx_video.exe
hxxp://olgaazignatenkovfl.narod2.ru/xxx_video.exe
hxxp://denisbfzhelezkinfkh.narod2.ru/xxx_video.exe
hxxp://semenspkaravaevev.narod2.ru/xxx_video.exe
hxxp://mariyapvmalakhovmy.narod2.ru/xxx_video.exe
hxxp://susannayukhmyshkinde.narod2.ru/xxx_video.exe
hxxp://gennadiybgistominfa.narod2.ru/xxx_video.exe
hxxp://elzalklomadurovlts.narod2.ru/xxx_video.exe


All these sites are duplicates. The only difference (and not always) is the Winlock payload.
And the only difference inside Winlock is the telephone numbers (a string array, from which a number is selected randomly) and the unblock code it has on board.
Winlock is packed with UPX and protected by some crappy VB cryptor.

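The persistence point described in the post above is the Winlogon Userinit value, rewritten to point at a look-alike usrinit.exe. The following is an added example (not code or a tool from the thread) that audits such a value offline: it splits the comma-separated list, expands %systemroot%, and reports every entry that is not the expected system32\userinit.exe, flagging near-miss file names as typosquats. The expected default path, the similarity threshold and the sample values are assumptions made for this example.

```python
r"""Audit the Winlogon Userinit value for hijacked or look-alike entries.

Added example, not code from the original thread. The thread's Winlock
sample sets HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
to %systemroot%\system32\usrinit.exe (one letter short of userinit.exe).
The expected default entry and the look-alike threshold are assumptions.
"""
import difflib
import ntpath

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_BASENAME = "userinit.exe"


def expand_systemroot(path: str, systemroot: str) -> str:
    """Replace a %systemroot% marker (any case) with the given system root."""
    marker = "%systemroot%"
    idx = path.lower().find(marker)
    if idx == -1:
        return path
    return path[:idx] + systemroot + path[idx + len(marker):]


def audit_userinit(value: str, systemroot: str = r"C:\WINDOWS") -> list:
    r"""Return (entry, reason) for every Userinit entry that is not the default.

    The legitimate value is the single comma-terminated entry
    "<systemroot>\system32\userinit.exe,". Everything else is reported:
    an extra executable, userinit.exe from the wrong directory, or a file
    name that is a near match for userinit.exe (e.g. usrinit.exe).
    """
    expected = ntpath.join(systemroot, "system32", EXPECTED_BASENAME).lower()
    findings = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue
        full = expand_systemroot(entry, systemroot).lower()
        if full == expected:
            continue
        basename = ntpath.basename(full)
        similarity = difflib.SequenceMatcher(None, basename, EXPECTED_BASENAME).ratio()
        if basename == EXPECTED_BASENAME:
            reason = "userinit.exe loaded from unexpected directory: %s" % ntpath.dirname(full)
        elif similarity >= 0.85:  # assumed threshold: one or two characters off
            reason = "look-alike of userinit.exe: %s" % basename
        else:
            reason = "extra executable in Userinit: %s" % full
        findings.append((entry, reason))
    return findings


def read_live_userinit() -> str:
    """Read the live value on a Windows host; raises RuntimeError elsewhere."""
    try:
        import winreg
    except ImportError:
        raise RuntimeError("winreg is only available on Windows")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return value


if __name__ == "__main__":
    # Constructed values: a clean default, the thread's usrinit.exe hijack,
    # and an appended second executable (a common alternative pattern).
    for sample in (r"C:\WINDOWS\system32\userinit.exe,",
                   r"%systemroot%\system32\usrinit.exe",
                   r"C:\WINDOWS\system32\userinit.exe,C:\tmp\xxx_video.exe"):
        print(sample, "->", audit_userinit(sample) or "clean")
```

On a live XP box the same value can be pulled with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit` and fed to `audit_userinit`; since the hijacked value no longer runs the real userinit.exe at all, the fix after removal is to restore the default entry, not just delete the rogue one.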
Re: Trojan Winlock / Ransom / ScreenLocker

Postby Jaxryley » Mon Nov 15, 2010 10:07 am

Two different ransomwares that seem to be active in safe mode, for perusal?

Ransom Samples.rar

Re: Trojan Winlock / Ransom / ScreenLocker

Postby EP_X0FF » Mon Nov 15, 2010 10:40 am

xxx_video (2)

Runs via HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit as %systemroot%\system32\usrinit.exe

Unblock key is 98673 (hardcoded inside the binary).

The window is specifically named.

edit:
The second is the same, just slightly changed and re-crypted.

Unblock code is 123456789.

Here is the unpacked one for analysis.

Feel the difference in naming :)
Different naming in most cases means that the original detection was based on the packer layer, on specific packer data.

original
http://www.virustotal.com/file-scan/rep ... 1289818885

unpacked
http://www.virustotal.com/file-scan/rep ... 1289818892

Re: Trojan Winlock / Ransom / ScreenLocker

Postby Jaxryley » Tue Nov 16, 2010 1:13 am

Thanks for testing and the info, EP_X0FF.

I have installed the .NET Framework in all my XP VMs, as it's annoying when any malware won't run because it's missing. LOL

Re: Trojan Winlock / Ransom / ScreenLocker

Postby nullptr » Tue Nov 16, 2010 4:45 pm

EP_X0FF wrote: "Second is the same, just slightly changed and recrypted. Here is unpacked for analysis."

Any hints on how you were able to unpack this VB crap would be most appreciated. :)

Re: Trojan Winlock / Ransom / ScreenLocker

Postby EP_X0FF » Tue Nov 16, 2010 4:53 pm

Already deleted all the stuff. In short: traced a little in a debugger, dumped, fixed sections + import recovery, resource rebuild. I don't remember exactly, but one of these samples was additionally packed with PECompact.

Re: Trojan Winlock / Ransom / ScreenLocker

Postby EP_X0FF » Tue Nov 30, 2010 1:06 pm

Similar to this viewtopic.php?p=3496#p3496

Unblock key is 5590114

Both original and unpacked attached.

http://www.virustotal.com/file-scan/rep ... 1291122505
http://www.virustotal.com/file-scan/rep ... 1291122509

edit:

Another variant of the same trash. It seems they only re-crypt it and change the unblock key.

Source: hxxp://z.emozgetcherez.ru/xxx_video.exe (81.177.6.6). The server has been producing updated executables almost every day for a long time.

Unblock key is 9208841

http://www.virustotal.com/file-scan/report.html?id=7237887d1c4221a9f2847dc0aa9510e95f762eb4a70a9dc366f2c14f288ce110-1291539640

Re: Trojan Winlock / Ransom / ScreenLocker

Postby nullptr » Thu Dec 09, 2010 1:14 pm

As above, the same VB crypter.
MD5 : 5aef3c0aa8a55a94e58f57bc509ca6bc
SHA1 : 05146156ac61e17bdeb1c45baf60e46e39798a87

original - http://www.virustotal.com/file-scan/rep ... 1291853823 - 29/43

unpacked - http://www.virustotal.com/file-scan/rep ... 1291899671 - 24/42

Original file, unpacked file and unlock code attached.

Re: Trojan Winlock / Ransom / ScreenLocker

Postby EP_X0FF » Sat Jan 15, 2011 10:05 am

xxx_video is back; the kiddies switched hosting (the previous one was suspended).

Unblock key 90650231

Source: hxxp://ruvipxxxa.ru/x/xxx_video.exe

The kiddies are very productive, so a new rebuild with a new key will probably be released, maybe even today.

http://www.virustotal.com/file-scan/report.html?id=32e3b0eabd4d5572482f50e2ca63ab55ba2335afff2dd3459c7c53b42cb93c16-1293121465

[screenshot]

edit:

Winlock "Lock Em All"

Unblock key 80633210

Source hxxp://lectfenu.narod.ru/xxx_video.exe
There could be more in the near future with different unblock codes.

And the name of the script kiddie: Anton.

file://localhost/C:/Documents and Settings/anton/Рабочий стол/шаблон/Новая папка/Бесплатное видео - Видео для взрослых онлайн бесплатно, порно онлайн, секс онлайн.htm
(the Russian path components read: Desktop / template / New folder / "Free video - Adult video online for free, porn online, sex online.htm")


Lock Em All (from "KissMyAss")

http://www.virustotal.com/file-scan/report.html?id=66a221e59df637f84ab13b4d493726597c106704e6c4bc21a7e325f48ed83acd-1294828843

Tel to call
8-965-410-18-28
8-965-265-90-43
8-965-349-54-86
8-964-726-13-05
8-962-932-68-24
8-962-932-61-98
8-962-946-59-35
8-965-397-97-74
8-965-368-62-83
8-962-932-86-59
8-964-776-85-38
8-965-340-45-23
8-965-391-93-23
8-965-397-55-37
8-903-203-15-06
8-903-202-97-76
8-965-350-76-13
8-965-265-91-09
8-965-397-97-53
8-903-202-89-00


Unblock code 8893020

Source hxxp://adolfkyuignatkovichp.narod2.ru/xxx_video.exe

edit0:

Lock Em All from "KissMyAss"

http://www.virustotal.com/file-scan/report.html?id=daff754981de23ec2faba37010d0cf428ee6041788454b95a0ba0159cb0e5709-1295082352

Tel to call
8-903-103-26-31
8-965-368-63-07
8-965-375-16-52
8-967-139-46-77
8-963-636-71-70
8-963-724-50-69
8-965-211-05-09
8-963-724-50-56
8-965-375-25-31
8-963-625-39-08
8-965-368-63-00
8-965-375-21-68
8-965-397-54-82
8-963-725-38-59
8-903-574-51-80
8-903-103-23-52
8-963-725-38-62
8-903-285-65-21
8-905-530-49-67
8-903-556-34-49
8-965-211-04-94
8-962-936-40-57
8-965-376-02-84
8-964-724-16-09
8-903-574-49-86
8-903-285-67-59
8-965-397-54-80
8-963-625-39-16
8-903-103-23-74
8-963-724-50-49
8-963-724-65-42
8-906-047-90-95
8-903-668-87-62
8-906-047-88-35
8-903-668-87-74
8-903-668-88-43
8-964-595-72-90
8-964-531-80-84
8-964-531-91-71
8-964-532-24-53
8-964-532-26-61
8-964-531-41-26
8-964-531-54-61
8-967-091-89-04
8-964-531-07-52


Unblock key 773020547

Source hxxp://eduardzhgzhurovfu.narod2.ru/xxx_video.exe

edit1:

Lock Em All

http://www.virustotal.com/file-scan/report.html?id=c7a2b1fa119852cd1f2901fa84309378a68767ac92037cbea3a3ceda2ae37db8-1295084919

8-903-534-67-60
8-903-534-65-94
8-903-534-65-29
8-963-630-60-12
8-903-238-39-66
8-903-238-29-61
8-903-238-39-94
8-903-238-40-02
8-903-238-39-65
8-903-238-39-86
8-965-376-97-17
8-965-377-67-34
8-965-376-01-37
8-965-377-16-21
8-965-377-03-80
8-965-376-99-18
8-965-376-98-45
8-965-377-15-93
8-965-377-16-20
8-963-661-50-54
8-963-661-49-45
8-963-661-48-85
8-965-377-12-43
8-965-376-16-71
8-965-376-17-61
8-965-377-20-47
8-965-376-18-33
8-965-376-18-91
8-965-377-20-80
8-965-376-07-88
8-962-970-87-45
8-962-970-87-73
8-965-377-74-52
8-965-377-77-24
8-963-635-28-22
8-963-635-28-51
8-963-635-28-57
8-963-635-28-59
8-963-635-28-34
8-963-635-28-12
8-963-635-28-11
8-963-635-28-04


Unblock key 8863314

Source hxxp://daryaykarginya.narod2.ru/xxx_video.exe

edit2:

Lock Em All

http://www.virustotal.com/file-scan/report.html?id=23101795e51dca4fae108fc7b95ec0e80a9f3a98eb05f2a0a6503f284613a66b-1295085416

8-965-389-00-51
8-962-932-61-89
8-964-779-40-31
8-965-388-99-85
8-964-726-14-54
8-962-932-62-63
8-965-375-17-90
8-964-779-40-64
8-962-941-31-47
8-965-391-94-21
8-965-397-56-81
8-962-932-62-54
8-903-202-60-12
8-964-779-01-49
8-962-932-68-22
8-965-410-19-37
8-965-137-20-55
8-903-285-69-46
8-965-410-19-23
8-965-251-57-76
8-965-397-56-62
8-965-388-99-87
8-965-312-84-68
8-962-941-15-84
8-965-410-19-35
8-962-941-30-77
8-965-339-50-51
8-965-391-93-45
8-965-375-17-87
8-963-724-50-57
8-965-375-98-31
8-965-350-73-26
8-903-103-16-44
8-965-397-54-78
8-963-724-64-76
8-962-946-59-36
8-965-340-45-38
8-965-375-97-44
8-962-936-39-85
8-963-724-65-76


Unblock key 103999551

Source hxxp://vitaliymtslapinel.narod2.ru/xxx_video.exe

The sample is similar to the previously attached one (only the tel/unblock is different), so there's no sense attaching it again.

Lock Em All

http://www.virustotal.com/file-scan/report.html?id=0e64ef9a7cc65d70dbee6241a2c145bcc659cc87789203c8c33ca3066b9f79b6-1295085762

Tel to call

8-903-534-67-60
8-903-534-65-94
8-903-534-65-29
8-963-630-60-12
8-903-238-39-66
8-903-238-29-61
8-903-238-39-94
8-903-238-40-02
8-903-238-39-65
8-903-238-39-86
8-965-376-97-17
8-965-377-67-34
8-965-376-01-37
8-965-377-16-21
8-965-377-03-80
8-965-376-99-18
8-965-376-98-45
8-965-377-15-93
8-965-377-16-20
8-963-661-50-54
8-963-661-49-45
8-963-661-48-85
8-965-377-12-43
8-965-376-16-71
8-965-376-17-61
8-965-377-20-47
8-965-376-18-33
8-965-376-18-91
8-965-377-20-80
8-965-376-07-88
8-962-970-87-45
8-962-970-87-73
8-965-377-74-52
8-965-377-77-24
8-963-635-28-22
8-963-635-28-51
8-963-635-28-57
8-963-635-28-59
8-963-635-28-34
8-963-635-28-12
8-963-635-28-11
8-963-635-28-04


Unblock key 8863314

Source hxxp://antonmboldaevoo.narod2.ru/xxx_video.exe

edit:

Lock Em All

http://www.virustotal.com/file-scan/report.html?id=988b5ae288e12f8b62aeab71adaa9dd254834fc6b3b85dbbe419bf887715ddc5-1295086272

8-906-096-84-30
8-906-096-84-29
8-906-096-84-19
8-906-096-83-99
8-906-096-83-93
8-906-096-83-57
8-906-096-83-12
8-906-096-82-96
8-906-096-82-83
8-906-096-82-71
8-906-096-81-89
8-906-096-80-85
8-906-096-80-35
8-906-096-98-14
8-906-096-97-82
8-906-096-97-55
8-906-096-79-98
8-906-096-79-82
8-906-096-79-25
8-906-096-75-90
8-906-096-76-27
8-906-096-76-28
8-906-096-99-02
8-906-096-98-95
8-906-096-98-84
8-906-096-98-90
8-906-096-98-82
8-906-096-98-79
8-906-096-98-72
8-906-096-98-66
8-906-096-98-56
8-906-096-98-54
8-906-096-98-29
8-906-096-98-28
8-906-097-10-74
8-906-097-10-79
8-906-097-10-80
8-906-097-11-20
8-906-097-11-24
8-906-097-11-26
8-963-662-94-73
8-963-662-96-33
8-963-662-97-22
8-963-662-97-67
8-963-661-73-04
8-963-661-74-91
8-963-661-75-54
8-963-661-47-55
8-963-661-47-26
8-963-661-79-03
8-963-661-75-91
8-963-661-47-99
8-963-661-55-61
8-963-661-55-01
8-963-661-53-94
8-963-661-53-84
8-963-661-53-48
8-963-661-79-90


Unblock key 8059632

Source hxxp://adakhukanalinfo.narod2.ru/xxx_video.exe

edit2:

Lock Em All

http://www.virustotal.com/file-scan/report.html?id=af38e24712e14d980db08b9829f3c446c28a91e4826780b43843db252c8dcdf9-1295086626

8-962-941-15-40
8-903-285-68-01
8-964-779-37-22
8-965-312-83-42
8-962-941-30-63
8-965-312-84-15
8-963-625-39-03
8-962-931-07-78
8-965-250-84-46
8-965-388-99-89
8-965-312-83-44
8-965-410-19-34
8-962-932-62-57
8-964-779-39-58
8-965-410-18-22
8-965-375-03-73
8-964-724-13-69
8-965-312-83-36
8-965-251-80-42
8-964-779-37-53
8-965-143-89-16
8-962-941-33-39
8-964-726-14-72
8-962-932-68-08
8-965-347-15-37
8-903-202-59-65
8-964-726-13-07
8-965-350-73-72
8-965-397-56-83
8-962-932-61-95
8-962-945-64-62
8-965-389-00-56
8-964-726-14-49
8-965-397-56-29
8-903-203-02-66
8-962-941-33-47
8-964-726-14-47
8-965-143-85-74
8-965-340-45-24
8-965-410-17-46


Unblock key 36420102

Source hxxp://milenaesdurkinbsh.narod2.ru/xxx_video.exe

http://www.virustotal.com/file-scan/report.html?id=3f385e25c32452b1b83b72ee45ef4b5c4c5ff5d19c1932fc1c2cdfab5b83d035-1295087300

Tel to call

8-965-388-99-52
8-903-202-98-47
8-903-202-98-86
8-965-388-99-24
8-964-778-59-57
8-962-932-66-39
8-962-932-66-42
8-965-287-06-75
8-965-287-06-87
8-903-202-99-12
8-965-388-99-61
8-965-388-99-57
8-965-388-99-58
8-962-932-66-37
8-962-941-11-05


Unblock key 8875510

Source hxxp://anzheyyuedagintst.narod2.ru/xxx_video.exe


http://www.virustotal.com/file-scan/report.html?id=bfe0973d645dc87a811fb66e90fed9e29f5cd001a656821bf370a5bf32b63a61-1295181998
http://www.virustotal.com/file-scan/report.html?id=12636735b6f5c3b2a2338b2360e90995a2625c8f1032bfc55ef4bb0c97623cb8-1295182910

Tel to call

8-965-377-73-10
8-965-377-71-60
8-965-377-68-65
8-964-539-49-65
8-964-539-49-71
8-964-539-49-93
8-964-539-35-10
8-964-539-35-18
8-964-539-36-09
8-964-539-42-00
8-964-539-43-11
8-964-537-59-60
8-964-539-14-87
8-964-539-16-60
8-965-376-16-41
8-965-376-13-16
8-965-376-10-17
8-965-376-09-85
8-965-376-08-42


Unblock key 33920504

Source hxxp://fainaommikhalevsy.narod2.ru/xxx_video.exe
Source hxxp://efimyskostinop.narod2.ru/xxx_video.exe

edit:

Lock Em All (very hot, compiled about 2 hours ago against the Visual Studio runtime, so it won't work without the 2008 runtime; some sort of fail)

http://www.virustotal.com/file-scan/report.html?id=140611a27fa050f80c7656ac2be5efd30d81307d3124d31cf6215edc40548b6f-1295182492

Tel to call

8-906-096-62-03
8-906-096-62-16
8-906-096-86-12
8-906-096-62-27
8-906-096-85-99
8-906-096-69-53
8-906-096-69-33
8-906-096-68-09
8-906-096-67-99
8-906-096-67-45
8-906-096-67-27
8-906-096-66-84
8-906-096-66-25
8-906-096-65-66
8-906-096-65-82
8-906-096-65-50
8-906-096-64-80
8-906-096-64-58
8-906-096-64-45
8-906-096-63-87
8-965-378-09-91
8-967-151-52-77
8-967-151-52-78
8-965-357-85-36
8-965-357-87-73
8-965-378-18-29
8-965-378-18-24
8-965-378-18-23
8-965-378-16-91
8-965-378-16-63
8-965-378-16-55
8-965-378-15-68
8-965-378-11-45
8-965-378-13-00


Unblock key 00059070

Source hxxp://vladimirbsvalievpe.narod2.ru/xxx_video.exe

edit2:

Lock Em All

http://www.virustotal.com/file-scan/report.html?id=4876a3ade1ef15456fbb022cc1a82cac6546c1f1ee2dbe5162f731774575a917-1295183328

Tel to call

8-909-650-39-36
8-909-650-39-37
8-909-650-42-51
8-909-650-42-40
8-909-650-42-14
8-909-650-42-11
8-909-650-42-02
8-909-650-41-87
8-909-650-41-68
8-909-650-41-64
8-909-650-41-57
8-909-650-41-49
8-909-650-44-70
8-909-650-44-60
8-906-097-14-42
8-906-097-14-25
8-906-097-14-09
8-906-097-13-94
8-906-097-13-93
8-906-097-13-91
8-903-202-97-53
8-903-203-11-79
8-965-410-17-38
8-965-340-45-32
8-965-265-90-20


Unblock key 99105784

Source hxxp://antoninatbbershovgi.narod2.ru/xxx_video.exe

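The post above and the first post both reduce each rebuild to two things hidden in the unpacked binary: the telephone-number array (one entry is picked at random at run time) and the hard-coded unblock key. The following is an added example, not a tool from the thread, that does that string hunt over a dumped sample: it carves printable ASCII and UTF-16LE runs (VB6 builds generally keep string literals as UTF-16LE; the VC++ 2008 build may hold them as ASCII, both assumptions here), pulls numbers in the 8-9xx-xxx-xx-xx shape the thread lists, and reports standalone 5-9 digit runs as unblock-key candidates. The number format, the digit-length heuristic and the sample bytes are constructed for this example.

```python
"""Carve the phone-number array and unblock-code candidates from a dumped Winlock.

Added example, not code or tooling from the original thread. Works on any
byte blob (e.g. the unpacked sample); the built-in sample blob is
constructed here and is not taken from a real binary.
"""
import re
import sys

# Russian mobile numbers exactly as the thread lists them: 8-9xx-xxx-xx-xx.
PHONE_RE = re.compile(r"8-9\d\d-\d{3}-\d{2}-\d{2}")
# Standalone run of 5-9 digits, not glued to other digits or a dash:
# the thread's unblock keys (98673 .. 773020547) all fall in this range.
CODE_RE = re.compile(r"(?<![\d-])\d{5,9}(?![\d-])")

ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")


def extract_strings(blob: bytes) -> list:
    """Return (offset, encoding, text) for printable ASCII and UTF-16LE runs, by offset."""
    found = []
    for m in ASCII_RUN.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RUN.finditer(blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def triage(blob: bytes) -> dict:
    """Return phones (first-seen order, deduplicated), dialable forms and key candidates.

    Digit runs inside a phone number never match CODE_RE (they are 1-3 digits
    and dash-delimited), so the candidates list is the key plus whatever other
    numeric constants happen to sit in a string; expect to eyeball it.
    """
    phones, codes = [], []
    for _, _, text in extract_strings(blob):
        for p in PHONE_RE.findall(text):
            if p not in phones:
                phones.append(p)
        for c in CODE_RE.findall(text):
            if c not in codes:
                codes.append(c)
    return {
        "phones": phones,
        "phones_dialable": [p.replace("-", "") for p in phones],
        "codes": codes,
    }


def build_sample_blob() -> bytes:
    """Constructed stand-in for an unpacked sample (not real malware bytes):
    a UTF-16LE phone array with a duplicate, a UTF-16LE window title,
    an ASCII unblock key, and a runtime version string that must not match."""
    phones = ["8-903-534-68-77", "8-965-376-16-41", "8-903-534-68-77"]
    parts = [b"MZ\x90\x00" + b"\x00" * 28]
    for p in phones:
        parts.append(p.encode("utf-16le") + b"\x00\x00")
    parts.append(b"\x00" * 8)
    parts.append("Lock Em All".encode("utf-16le") + b"\x00\x00")
    parts.append(b"\x00" * 8)
    parts.append(b"18203478\x00")      # the key, stored as ASCII here
    parts.append(b"6.00.8169\x00")     # version-style string: 4-digit runs, no hit
    parts.append(b"\x00" * 8)
    return b"".join(parts)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    result = triage(data)
    print("tel to call:")
    for number in result["phones"]:
        print("  ", number)
    print("unblock code candidates:", result["codes"])
```

Run it as `python winlock_strings.py unpacked.exe`; with no argument it runs over the constructed blob. It is deliberately applied after unpacking, since on the UPX/VB-cryptor layer the strings are not in the clear.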
Re: Trojan Winlock / Ransom / ScreenLocker

Postby Xylitol » Mon Jan 17, 2011 7:43 am

xxx_video.exe
Number to Call: 8-903-534-68-77 ~ 89035346877
Code to unlock Windows: 18203478

[screenshots]

sources:
hxxp://susannafdegtinshr.narod2.ru/
hxxp://andreyshchpburyakovt.narod2.ru/
hxxp://albinapdvorobevyaa.narod2.ru/

Also a domain that was not noticed:
hxxp://semenstnovikovzhkh.narod2.ru/
