Trojan WinAD (alias Ransom.ER, Winlock, Win32.Timer)


Postby EP_X0FF » Wed Nov 24, 2010 11:09 am

This thread contains samples that belong to the same group and are distributed as "porno player". The locker is named WinAD because of the about-box resource present in both types.

It is BlueTrash

[screenshot: BlueTrash]

and Homoblocker

[screenshot: Homoblocker]

Unblock codes and phone numbers are stored inside the executables. They do not use a cryptor, but the Winlock code is constantly morphing in an attempt to break antivirus signatures.

EDIT: 05 July 2011

Starting from May 2011, WinAD evolved into Porno-Rolik ransomware. See page 9.


The overall working scheme is still the same: a hardcoded unblock code and constant updates to break AV signature detection. With the Porno-Rolik version the authors started using Mystic Compressor / VBCrypt.

/*original message below*/

The dropper is packed with UPX.
It extracts the Winlock payload executable to Documents and Settings\UserName\[Digits]\[Digits].exe

It runs via HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.

Unblock key is EYE OF NEWT, stored as UNICODE.


Attached: the Winlock executable extracted from the dropper.
http://www.virustotal.com/file-scan/rep ... 1290596918
Last edited by EP_X0FF on Sun Sep 18, 2011 12:20 am, edited 11 times in total.
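Added example (mine, not code from EP_X0FF or anyone else in the thread): a check of a Winlogon\Userinit value for the kind of appended or replaced entry the post above describes. The default userinit.exe path and the sample registry values are constructed assumptions; the digits-only profile path shape is the one quoted in the post.

```python
import re

# Stock Userinit entry; winlogon keeps a trailing comma in the real value.
# Assumed default for a standard install (the thread does not quote it).
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe"

# Path shape quoted in the post:
# Documents and Settings\UserName\[Digits]\[Digits].exe (Vista+ profile root added).
PAYLOAD_PATH = re.compile(
    r"\\(?:documents and settings|users)\\[^\\]+\\\d+\\\d+\.exe$", re.IGNORECASE
)

def parse_userinit(value):
    """Split the REG_SZ Userinit value into entries; the stock trailing comma
    yields an empty element, which is dropped."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]

def audit_userinit(value, default=DEFAULT_USERINIT):
    """Return (entry, reason) pairs for anything that deviates from the default:
    extra entries (classified by path shape) and a missing default entry."""
    findings = []
    seen_default = False
    for entry in parse_userinit(value):
        if entry.lower() == default.lower():
            seen_default = True
            continue
        if PAYLOAD_PATH.search(entry):
            findings.append((entry, "profile-dir digits-only payload path"))
        else:
            findings.append((entry, "non-default Userinit entry"))
    if not seen_default:
        # A locker that replaces the entry instead of appending leaves a value
        # without userinit.exe at all, which is abnormal on its own.
        findings.append(("<missing>", "default userinit.exe not present"))
    return findings

# Constructed sample values, not taken from an infected machine.
CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_APPENDED = (
    r"C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Bob\3841\3841.exe,"
)
INFECTED_REPLACED = r"C:\Documents and Settings\Bob\3841\3841.exe"

if __name__ == "__main__":
    for label, val in (("clean", CLEAN), ("appended", INFECTED_APPENDED),
                       ("replaced", INFECTED_REPLACED)):
        print(f"{label:9s} {audit_userinit(val) or 'OK'}")
```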

Re: Trojan Winlock / Ransom / ScreenLocker

Postby EP_X0FF » Thu Dec 16, 2010 3:00 pm

The dropper installs its stuff and immediately reboots the victim computer. After the reboot the system is locked by the payload.

Unblock key "SORRY" (w/o quotes)

Unpacked stuff attached.

http://www.virustotal.com/file-scan/report.html?id=54471901a641ba6865d525ff58fb4d6f44c3458566e9c5e59686ea8bdc7b2c4f-1292510879
http://www.virustotal.com/file-scan/report.html?id=f85e235c367b3cb9a88aa5beba726ab1ed9ad270e9f7bef3ce4abad6f01cc9b0-1292511246

note: 101.dll is the actual Winlock executable.


Re: Trojan Winlock / Ransom / ScreenLocker

Postby nullptr » Fri Dec 24, 2010 5:50 am

EP_X0FF wrote: kiddies are very productive, so probably a new rebuild with a new key will be released, maybe even today

Maybe even find a new packer, though FSG was a giant leap forward. lol
Code:
00401382   PUSH junk.0040402C              ; String2 = "90650231"
00401387   PUSH junk.00407088              ; String1 = "C"
0040138C   CALL <JMP.&kernel32.lstrcmp>    ; lstrcmpA


*edit*

Another pornoplayer release.
Code:
00401AA0                 lea     edx, [ebp+psz2]
00401AA6                 push    edx               ; psz2
00401AA7                 push    offset psz1       ; "WARCRAFT"
00401AAC                 call    ebx               ; StrCmpW
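Added example (mine, not code posted by nullptr or anyone else in the thread): the first post says the unblock key is stored as UNICODE, and the two listings above show one build comparing an ASCII string via lstrcmpA and another a wide string via StrCmpW, so an ASCII-only strings pass misses half of them. This scans a blob for both encodings and tags each hit; the blob is a constructed stand-in, not a real sample, though the two key strings are the ones in the listings.

```python
import re

MIN_LEN = 4
# Run of printable ASCII bytes.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Same code points as UTF-16LE: each printable byte followed by 0x00.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

SCANNERS = {"ascii": (ASCII_RUN, "ascii"), "utf-16le": (WIDE_RUN, "utf-16-le")}

def extract_strings(blob, encodings=("ascii", "utf-16le")):
    """Return sorted (offset, encoding, text) tuples for every run found.
    Scanning every byte offset also catches wide strings at odd alignment."""
    hits = []
    for enc in encodings:
        pattern, codec = SCANNERS[enc]
        for m in pattern.finditer(blob):
            hits.append((m.start(), enc, m.group().decode(codec)))
    return sorted(hits)

def find_key_candidates(blob, candidates):
    """Map each candidate key present in the blob to the encodings it was found in."""
    found = {}
    for _, enc, text in extract_strings(blob):
        for key in candidates:
            if key in text:
                found.setdefault(key, set()).add(enc)
    return found

# Constructed stand-in for a Winlock resource section (not a real sample): one
# ASCII key as in the lstrcmpA listing, one wide key as in the StrCmpW listing.
SAMPLE = (b"\x00\x00MZ junk\x00" + b"90650231\x00\x00"
          + "WARCRAFT".encode("utf-16-le") + b"\x00\x00\xff\xfe\x01")

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE):
        print(f"{off:#06x} {enc:8s} {text}")
    print(find_key_candidates(SAMPLE, ["90650231", "WARCRAFT", "SORRY"]))
```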

Re: Trojan Winlock / Ransom / ScreenLocker

Postby Jaxryley » Fri Dec 24, 2010 12:24 pm

Hi nullptr, if I run your sample via Sandboxie it doesn't seem to do anything.

Exploring the sandbox, I find a dropped 2503326475.exe which, if run sandboxed, then locks the screen up.
2503326475.exe - 1/43 - NOD32 - a variant of Win32/LockScreen.AAJ - MD5 : 043ede36f50bf967680bf7a755e1d696
http://www.virustotal.com/file-scan/rep ... 1293193376

2503326475.rar

Re: Trojan Winlock / Ransom / ScreenLocker

Postby nullptr » Fri Dec 24, 2010 1:41 pm

The pornoplayer sample just drops the binary that is embedded in its resources, writes the Userinit entry so it starts with Windows and then reboots the computer.
So it's likely that Sandboxie now blocks any ExitWindowsEx(...) call.

Re: Trojan Winlock / Ransom / ScreenLocker

Postby Buster_BSA » Sun Dec 26, 2010 11:19 am

nullptr wrote: The pornoplayer sample just drops the binary that is embedded in its resources, writes the Userinit entry so it starts with Windows and then reboots the computer.
So it's likely that Sandboxie now blocks any ExitWindowsEx(...) call.


That's right. Sandboxie blocks any attempt to reboot or shut down.

Re: Trojan Winlock / Ransom / ScreenLocker

Postby Xylitol » Mon Dec 27, 2010 11:04 am

I work a lot on pornoplayer, and the reboot feature is new. Not only that, now there are also two ways to activate it..

like this one:
[screenshot]

and the old method in an old sample: http://www.youtube.com/watch?v=KGEeHsX8emY

my pornoplayer archive: http://xylibox.blogspot.com/2010/12/tro ... xe_24.html
(29 Nov 2k10) ~ (5 Dec 2k10) ~ (14 Dec 2k10) ~ (17 Dec 2k10) ~ (23 Dec 2k10) ~ (23 Dec 2k10) ~ (24 Dec 2k10)

Re: Trojan Winlock / Ransom / ScreenLocker

Postby EP_X0FF » Mon Dec 27, 2010 3:22 pm

Thanks for the info, Xylitol.

Here is another locker from different kiddies.


101 is the actual Winlock file.

Source hxxp://goodpornonline.info/wd5o6os5pt8bd5r99ehj4j2eqeev8ky2/pornoplayer.exe (could be updates)

Unblock key is DIGGER


http://www.virustotal.com/file-scan/report.html?id=5f17eede40729865842e132fcc1fd6b61750d747780d518273ab0425bd127275-1293463061
http://www.virustotal.com/file-scan/report.html?id=77d6ed4d0725605a29607062512e11afb1c9046f96ba3dc8ce39786c9efd3a98-1293462878

Re: Trojan Winlock / Ransom / ScreenLocker

Postby Xylitol » Mon Dec 27, 2010 6:08 pm

Yeah, I've seen this also today.
Here is the password history for the pornoplayer:
"SORRY" - "WARCRAFT" and now "DIGGER"
And there is a new "Lock Em All" variant (not analyzed yet, but that seems to be the same packer in VB).
edit: hmm, nope, not possible, there are 3 different custom packers on it...
Last edited by Xylitol on Mon Dec 27, 2010 6:33 pm, edited 1 time in total.

Re: Trojan Winlock / Ransom / ScreenLocker

Postby gigaz » Mon Dec 27, 2010 6:28 pm

