Trojan.Winlock - Pornoblocker

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4775
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Trojan.Winlock - Pornoblocker

Post by EP_X0FF » Sat Jan 15, 2011 6:12 pm

Written in Delphi, scrambled UPX (later versions sometimes use PECompact, UPX + VB cryptor).

Kinda idiotic locker, because its virtual keyboard does not allow the user to enter non-numeric chars, while the unblock key is a word, not digits.

Comes from porn sites as a Flash Player update. This locker is constantly updated, but only the tel numbers and unblock code change.

Runs through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, replacing the original Explorer.exe entry.
File location depends on where the executable was stored by the browser while downloading.


Tel to call (stored in TMemo.Lines; even Pascal arrays are quite difficult for these locker authors)
8-967-268-34-67
8-965-340-10-22
8-903-137-30-91
8-964-628-99-74
8-965-319-29-91
8-905-508-40-05
8-905-777-80-94
8-962-962-59-67
8-965-391-96-82
8-906-741-18-39

Unblock key: lord


To enter the unblock code the user needs to do some additional steps. For example, execute the Win Run command, type "lord", then Ctrl+A, then Ctrl+C and finally Ctrl+V into the locker input window.

Reversed design mode

Attached: both original and unpacked binaries.
Ring0 - the source of inspiration
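The persistence method described in this post (the locker writes itself into the Winlogon Shell value in place of explorer.exe) is easy to check for from the defender's side. The script below is an added example, not code from the thread or from the locker; the sample Shell values it carries are constructed, and the live read via winreg is an assumption about running it on a Windows host. The Shell value is a comma-separated list of programs, so every entry is inspected on its own, and anything that is not the bare `explorer.exe` (a different file name, or a full path into a browser download directory, as the post describes) is reported.

```python
r"""Flag a replaced Explorer.exe entry in the Winlogon Shell value.

Added example (not from the thread): a defender-side check for the
persistence described in the post, where the locker overwrites
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell.
The sample values below are constructed, not taken from a real infection.
"""
import ntpath

# Registry path of the Winlogon key (real key; value name is "Shell").
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Default content of the Shell value on a clean machine.
EXPECTED_SHELL = "explorer.exe"


def split_shell_value(value):
    """Split the Shell value into its individual program entries.

    Winlogon accepts a comma-separated list; whitespace and surrounding
    quotes around each entry are stripped, empty entries are dropped.
    """
    entries = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if entry:
            entries.append(entry)
    return entries


def suspicious_shell_entries(value):
    """Return the entries that are not the plain 'explorer.exe' shell.

    Two things are flagged: a different file name (e.g. flash_player.exe
    stored wherever the browser downloaded it) and any entry carrying a
    path, since the default value is the bare file name. ntpath is used
    so the check behaves the same when run offline on a non-Windows box.
    """
    flagged = []
    for entry in split_shell_value(value):
        name = ntpath.basename(entry)
        has_path = name != entry
        if name.lower() != EXPECTED_SHELL or has_path:
            flagged.append(entry)
    return flagged


def read_live_shell_value():
    """Read the machine's current Shell value (Windows only, else None).

    Assumption: winreg is present, i.e. the script runs on Windows.
    """
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, "Shell")
        return value


# Constructed sample values: a clean machine and an infected one.
SAMPLE_CLEAN = "explorer.exe"
SAMPLE_INFECTED = r"C:\Documents and Settings\user\Desktop\flash_player.exe"

if __name__ == "__main__":
    checks = [("clean sample", SAMPLE_CLEAN),
              ("infected sample", SAMPLE_INFECTED),
              ("this machine", read_live_shell_value())]
    for label, value in checks:
        if value is None:
            continue  # no live registry on this OS
        bad = suspicious_shell_entries(value)
        verdict = f"SUSPICIOUS {bad}" if bad else "ok"
        print(f"{label}: Shell={value!r} -> {verdict}")
```

The same value name under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon is honoured as a per-user override on some Windows versions, so a full sweep reads both hives with the same `suspicious_shell_entries` check; if the value is found replaced, restoring it to `explorer.exe` (and removing the dropped file) is the cleanup the post's description implies.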


Re: Trojan Winlock / Ransom / ScreenLocker

Post by EP_X0FF » Fri Jan 21, 2011 10:02 am

This one is updated.

http://www.virustotal.com/file-scan/rep ... 1295604135

Tel to call
8-965-338-65-16
8-962-931-00-24
8-964-723-83-28
8-965-315-86-61
8-965-283-27-47
8-903-518-01-27
8-903-965-86-77
8-965-241-69-75
8-965-266-43-65
8-906-741-24-31
Unblock key: poputal

Source hxxp://telki-best.ru/flash_player.exe
8-965-180-38-54
8-965-361-16-43
8-967-256-08-89
8-963-666-86-02
8-965-148-91-31
8-967-256-01-18
8-909-649-98-60
8-905-546-02-30
8-965-210-62-93
8-903-243-51-31
Unblock key: poputalda

Source hxxp://tut-ok.ru/flash_player.exe
Last edited by EP_X0FF on Sat Jan 22, 2011 7:37 am, edited 2 times in total.
Reason: edit

Xylitol
Global Moderator
Posts: 1652
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Contact:

Re: Trojan Winlock / Ransom / ScreenLocker

Post by Xylitol » Fri Jan 21, 2011 10:24 am

Someone sent me this sample by mail yesterday; the number was 8-903-965-86-77.


anyway ~ xxx_video_52974.avi.exe.vir
attached.
http://www.virustotal.com/file-scan/rep ... 1295594176
Last edited by EP_X0FF on Sat Feb 05, 2011 3:27 pm, edited 2 times in total.
Reason: edit: resized images


Re: Trojan Winlock / Ransom / ScreenLocker

Post by Xylitol » Tue Feb 01, 2011 1:30 pm

Last edited by EP_X0FF on Sat Feb 05, 2011 3:23 pm, edited 1 time in total.
Reason: edit: resized images


Re: Trojan Winlock / Ransom / ScreenLocker

Post by Xylitol » Wed Feb 02, 2011 1:13 pm

Ransom delivery, new locs:
hXXp://deviant-mordoboev.narod2.ru/xxx_video.avi.exe
hXXp://buipanno.narod.ru/xxx_video.exe

~ xxx_video.avi.exe+unpacked.zip
http://www.virustotal.com/file-scan/rep ... 1296652359
https://www.virustotal.com/file-scan/re ... 1296651540

~ xxx_video.exe+unpacked.zip
http://www.virustotal.com/file-scan/rep ... 1296651540
https://www.virustotal.com/file-scan/re ... 1296652248
Last edited by EP_X0FF on Sat Feb 05, 2011 3:26 pm, edited 1 time in total.
Reason: edit: resized images


Re: Trojan Winlock / Ransom / ScreenLocker

Post by Xylitol » Thu Feb 03, 2011 1:36 pm

Ransom delivery, locs:
hXXp://geolaykick.narod.ru/xxx_video.exe
hXXp://malinkixxx.ru/flash_player.exe


http://www.virustotal.com/file-scan/rep ... 1296738196
http://www.virustotal.com/file-scan/rep ... 1296738267
Last edited by EP_X0FF on Sat Feb 05, 2011 3:28 pm, edited 1 time in total.
Reason: edit: resized images


Re: Trojan Winlock / Ransom / ScreenLocker

Post by Xylitol » Fri Feb 04, 2011 10:22 am

Ransom delivery, new locs:
hXXp://planka.mcdir.ru/flash_player.exe
hXXp://telki.mcdir.ru/flash_player.exe

According to VirusTotal the first sample was fully undetected: http://www.virustotal.com/file-scan/rep ... 1296811894

The second is 2/43:
http://www.virustotal.com/file-scan/rep ... 1296811890

Last edited by EP_X0FF on Sat Feb 05, 2011 3:30 pm, edited 1 time in total.
Reason: edit: resized images


Re: Trojan Winlock / Ransom / ScreenLocker

Post by Xylitol » Sat Feb 05, 2011 2:04 pm

new loc:
hXXp://milaya.mcdir.ru/flash_player.exe

Code to unlock Windows: izvini
Last edited by EP_X0FF on Sat Feb 05, 2011 3:43 pm, edited 1 time in total.
Reason: edit: resized images


Thread description

Post by EP_X0FF » Sat Feb 05, 2011 3:34 pm

This thread is the result of the Trojan Winlock / Ransom / ScreenLocker split.
Images of Winlocks were resized to be more accurate.


Re: Trojan.Winlock - Pornoblocker

Post by Xylitol » Sat Feb 05, 2011 7:19 pm

new loc: hXXp://usarfor.narod.ru/xxx_video.exe
Code to unlock Windows: 70000004

Basic unpacking scheme of flash_player (not UPX, the crap after it):

Code:

BP -> 00440766 - C3 - RETN ;Return to 003D08DD
(CALL EAX before normally for VirtualAlloc)
F9
Breaked
F7
BP -> 003D1044 - C3 - RETN ;Return to 7C91D370 (ntdll.ZwFreeVirtualMemory)
F9
Breaked
F7
BP -> 0055D472 - FFE0 - JMP EAX ;EAX=0048078C (xxx_vide.0048078C)
F9
Shift+F9 if problem
Breaked
F7 & dump
After fix the sections and the stuff.

