Trojan.Winlock - Pornoblocker

Postby EP_X0FF » Sat Jan 15, 2011 6:12 pm

Written in Delphi, scrambled UPX (sometimes PECompact is used; UPX + VB cryptor in later versions).

Kinda idiotic locker, because its virtual keyboard does not allow the user to enter non-numeric chars, while the unblock key is a word, not digits.

Comes from porno sites as a Flash Player update. This locker constantly updates, but only the tel numbers and unblock code change.

Runs through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, replacing the original Explorer.exe entry.
File location depends on where the executable was stored by the browser while downloading.

Tel to call (stored in TMemo.Lines; even Pascal arrays are quite difficult for these locker authors)


Unblock key: lord

To enter the unblock code the user needs to do some additional steps. For example, execute the Win Run command, type "lord", then Ctrl+A, then Ctrl+C and finally Ctrl+V into the locker input window.

Reversed design mode

Both original and unpacked binaries are attached.
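As a defender's check on the persistence mechanism described in the post above (an added example, not code from the post or its author), the following parses the text of a `reg export` of the Winlogon key and flags any Shell value other than the stock explorer.exe; the sample export and the download path in it are constructed.

```python
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"

# Constructed sample of `reg export` output for the Winlogon key. The Shell
# entry points at a dropped binary in a browser download folder (hypothetical
# path), which is how the locker described above keeps itself running.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"Shell"="C:\\Users\\victim\\Downloads\\flash_player.exe"
'''

_VALUE_RE = re.compile(r'"([^"]+)"="(.*)"$')


def parse_reg_strings(reg_text, key):
    """Return {name: value} for the REG_SZ entries under `key` in a .reg export."""
    values = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Section header: track whether we are inside the key of interest.
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:
            # .reg files escape backslashes and double quotes; undo that.
            values[m.group(1)] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return values


def check_winlogon_shell(reg_text):
    """Return (suspicious, shell_value).

    The stock value is the bare string "explorer.exe"; anything else, such as
    a path into a user's download directory, is how this Winlock persists.
    A missing Shell value is treated as the stock default.
    """
    shell = parse_reg_strings(reg_text, WINLOGON_KEY).get("Shell", EXPECTED_SHELL)
    return shell.strip().lower() != EXPECTED_SHELL, shell


if __name__ == "__main__":
    suspicious, shell = check_winlogon_shell(SAMPLE_REG)
    print(("HIJACKED" if suspicious else "ok") + ": Shell = " + shell)
```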

Re: Trojan Winlock / Ransom / ScreenLocker

Postby EP_X0FF » Fri Jan 21, 2011 10:02 am

This one has been updated.

http://www.virustotal.com/file-scan/report.html?id=b798656c8a35f46ab94f30b1bf572f3e574b73ed127fa969d3d8ce41b081ed25-1295604135

Tel to call

Unblock key: poputal

Source hxxp://telki-best.ru/flash_player.exe

Unblock key: poputalda

Source hxxp://tut-ok.ru/flash_player.exe

Re: Trojan Winlock / Ransom / ScreenLocker

Postby Xylitol » Fri Jan 21, 2011 10:24 am

Someone sent me this sample by mail yesterday; the number was 8-903-965-86-77.

anyway ~ xxx_video_52974.avi.exe.vir
attached.
http://www.virustotal.com/file-scan/rep ... 1295594176

Re: Trojan Winlock / Ransom / ScreenLocker

Postby Xylitol » Tue Feb 01, 2011 1:30 pm


Re: Trojan Winlock / Ransom / ScreenLocker

Postby Xylitol » Wed Feb 02, 2011 1:13 pm


Re: Trojan Winlock / Ransom / ScreenLocker

Postby Xylitol » Thu Feb 03, 2011 1:36 pm


Re: Trojan Winlock / Ransom / ScreenLocker

Postby Xylitol » Fri Feb 04, 2011 10:22 am


Re: Trojan Winlock / Ransom / ScreenLocker

Postby Xylitol » Sat Feb 05, 2011 2:04 pm

new loc:
hXXp://milaya.mcdir.ru/flash_player.exe

Code to unlock Windows: izvini

Thread description

Postby EP_X0FF » Sat Feb 05, 2011 3:34 pm

This thread is the result of the Trojan Winlock / Ransom / ScreenLocker split.
Images with Winlocks were resized to be more accurate.

Re: Trojan.Winlock - Pornoblocker

Postby Xylitol » Sat Feb 05, 2011 7:19 pm

new loc: hXXp://usarfor.narod.ru/xxx_video.exe
Code to unlock Windows: 70000004

basic unpacking scheme of flash_player (not UPX, the crap after):
Code:
BP -> 00440766 - C3 - RETN ;Return to 003D08DD
(CALL EAX before normally for VirtualAlloc)
F9
Breaked
F7
BP -> 003D1044 - C3 - RETN ;Return to 7C91D370 (ntdll.ZwFreeVirtualMemory)
F9
Breaked
F7
BP -> 0055D472 - FFE0 - JMP EAX ;EAX=0048078C (xxx_vide.0048078C)
F9
Shift+F9 if problem
Breaked
F7 & dump
Afterwards, fix the sections and the stuff.
