KernelMode.info

[EP_X0FF]

This thread contains samples that belongs to same group and distributing as "porno player". Locker named winAD, because of about box resource which present in both types.

It is BlueTrash



and Homoblocker



Unblock codes and tel numbers stored inside executables. They do not use cryptor but Winlock code constantly morphing trying to break antivirus signatures.

EDIT: 05 July 2011

Starting from the May 2011 WinAD evolved in Porno-Rolik ransomware. See page 9.



Overall working scheme still the same - hardcoded unblock code, constant updates to break AV signatures detection. With porno-rolik version authors started using Mystic Compressor / VBCrypt.

/*original message below*/

Dropper packed with UPX.
Extracts payload Winlock executable to Documents and Settings\UserName\[Digits]\[Digits].exe

Runs through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit .

Unblock key EYE OF NEWT, stored as UNICODE.



In attach Winlock executable extracted from dropper.
http://www.virustotal.com/file-scan/rep ... 1290596918

[EP_X0FF]

Dropper installs stuff and immediately reboots victim computer. After reboot system locked by payload.

Unblock key "SORRY" (w/o quotes)

Unpacked stuff in attach.

http://www.virustotal.com/file-scan/report.html?id=54471901a641ba6865d525ff58fb4d6f44c3458566e9c5e59686ea8bdc7b2c4f-1292510879
http://www.virustotal.com/file-scan/report.html?id=f85e235c367b3cb9a88aa5beba726ab1ed9ad270e9f7bef3ce4abad6f01cc9b0-1292511246

note: 101.dll is actual Winlock executable.

[nullptr]

kiddies are very productive, so probably new rebuild with new key will be released maybe even today

Maybe even find a new packer, though FSG was a giant leap forward. lol

Code: Select all

00401382   PUSH junk.0040402C              ; String2 = "90650231"
00401387   PUSH junk.00407088              ; String1 = "C"
0040138C   CALL <JMP.&kernel32.lstrcmp>    ; lstrcmpA


*edit*

Another pornoplayer release.

Code: Select all

00401AA0                 lea     edx, [ebp+psz2]
00401AA6                 push    edx               ; psz2
00401AA7                 push    offset psz1       ; "WARCRAFT"
00401AAC                 call    ebx               ; StrCmpW


[Jaxryley]

Hi nullptr, if I run your sample via Sandboxie it doesn't seem to do anything.

Exploring the sandbox I find a dropped 2503326475.exe which if run sandboxed then locks the screen up.
2503326475.exe - 1/43 - NOD32 - a variant of Win32/LockScreen.AAJ - MD5 : 043ede36f50bf967680bf7a755e1d696
http://www.virustotal.com/file-scan/rep ... 1293193376

2503326475.rar

[nullptr]

The pornoplayer sample just drops the binary that is embedded in its resources, writes the userinit entry so it starts with windows and then reboots the computer.
So it's likely that Sandboxie now blocks any ExitWindowsEx(...) call.

[Buster_BSA]

The pornoplayer sample just drops the binary that is embedded in its resources, writes the userinit entry so it starts with windows and then reboots the computer.
So it's likely that Sandboxie now blocks any ExitWindowsEx(...) call.

That´s right. Sandboxie blocks any attempt of reboot or shut down.

[Xylitol]

i work alot on pornoplayer and the reboot feature his new and not obly that now there is also two way for activate it..

like this one:


and the old method in a old sample: http://www.youtube.com/watch?v=KGEeHsX8emY

my pornoplayer archive: http://xylibox.blogspot.com/2010/12/tro ... xe_24.html
(29 Nov 2k10) ~ (5 Dec 2k10) ~ (14 Dec 2k10) ~ (17 Dec 2k10) ~ (23 Dec 2k10) ~ (23 Dec 2k10) ~ (24 Dec 2k10)

[EP_X0FF]

Thanks for info Xylitol.

Here is another locker from different kiddies.



101 is actual Winlock file.

Source hxxp://goodpornonline.info/wd5o6os5pt8bd5r99ehj4j2eqeev8ky2/pornoplayer.exe (could be updates)

Unblock key is DIGGER



http://www.virustotal.com/file-scan/report.html?id=5f17eede40729865842e132fcc1fd6b61750d747780d518273ab0425bd127275-1293463061
http://www.virustotal.com/file-scan/report.html?id=77d6ed4d0725605a29607062512e11afb1c9046f96ba3dc8ce39786c9efd3a98-1293462878

[Xylitol]

yeah i've see this also today
here is the passwords history about the pornoplayer:
"SORRY" - "WARCRAFT" and now "DIGGER"
and there is a new "Lock Em All" variante (not analyzed yet but that seem the same packer in vb)
edit: hmm nop not possible there is 3 different custom packer on it...

[gigaz]

Trojan-Ransom.Win32.HmBlocker.aao (20/43)
http://www.virustotal.com/file-scan/report.html?id=6719f6e9d81cd6c712b113ea9f6a69284f6966b2394ed7d30ed1df62c8a5db74-1293474268