[Win32:Virut]

Tobfy

MD5: ea8292721a34ca2f1831447868bbe91e

https://www.virustotal.com/file/21c0601 ... /analysis/

[thisisu]

I believe these are considered Reveton, but of course, correct me if I'm wrong.

One of them was running through HKU\..\Run
The other just in same directory

MD5: a3d8e17f2b046317c86c597038c4e00c
https://www.virustotal.com/file/6f1a2a3 ... /analysis/

MD5: 23a9921941e535db22b6e117cc6f0cdb
https://www.virustotal.com/file/81a3c80 ... /analysis/

Code: Select all

HKU\Owner\...\Run: [] C:\Users\Owner\dildptvfbm.exe [109056 2012-11-04] ()

2012-11-04 07:29 - 2012-11-04 07:29 - 00109056 ____A C:\Users\Owner\dildptvfbm.exe
2012-11-04 07:29 - 2012-11-04 07:29 - 00089600 ____A C:\Users\Owner\rojwxdnhuhitlfbrxmht.exe

[Kafeine]

MD5: a3d8e17f2b046317c86c597038c4e00c <-- We name it Tobfy (but really similar to Ysreef) https://www.botnets.fr/index.php/Tobfy - https://www.botnets.fr/index.php/Ysreef
It use same design than Urausy https://www.botnets.fr/index.php/Urausy
C&c : jgnmnokkl.sunnytime.info /get.php?id=10 <-- Up right now.
(have updated botnets.fr with that data. Thanks thisisu :)

[Win32:Virut]

Click to enlarge

hxxp://clexphoto300.com/web700/lending/EN.php
hxxp://clexphoto300.com/web700/
hxxp://clexphoto300.com/web700/lending/

https://www.virustotal.com/file/65da159 ... /analysis/

[Xylitol]

Another Multi Locker crap in attach (with unpacked version)

[Cody Johnston]

Here is another one.

Asking for $300 and the graphic does not look as good. Seems this one works with the audio drivers as well (recording audio?).

- Kills all safeboot keys
- Places startup key in HKCU/HKLM
- Takes about 15 mins to start up interface
- Connects to: 212.83.40.235

MD5: 54d2ddaa17f101acde32a072410b49c3

VT 13/43

https://www.virustotal.com/file/584b0b3 ... /analysis/



EDIT: PLAYS audio, not records. Leaves file named '1.mp3' in %userprofile%

[RageMachine]

Interesting one here. Appears to modify SVCHOST, but I couldn't get much further information on it or unpack it without it deleting itself.

[Quads]

Interesting one here. Appears to modify SVCHOST, but I couldn't get much further information on it or unpack it without it deleting itself.

I ran it on my system No VM or Sandbox etc in use, It took awhile to finally load the ransom UI and play the audio message. I also had the system32/spoolsv.exe file get removed.

Quads

[EP_X0FF]

Interesting one here. Appears to modify SVCHOST, but I couldn't get much further information on it or unpack it without it deleting itself.

Set break on CreateProcess. Unpacks fine. Same as TeamRocketOps posted.

Code: Select all

Adobe ARM   SOFTWARE\Microsoft\Windows\CurrentVersion\Run   "%s\ifgxpers.exe"   AdobeUpdaters   SOFTWARE\Microsoft\Windows\CurrentVersion   D:\xidpwooedd"  path    %s\ifgxpers.exe System\CurrentControlSet\Control\SafeBoot   SHDeleteKeyA    SHCopyKeyA  Shlwapi.dll System\CurrentControlSet\Control\SafeBoot\%s    net Network mini    Minimal Error HttpSendRequest = %d
    Error HttpOpenReques = %d
 GET Error InternetConnect = %d
    Error InternetOpen = %d
   %s\sound.mp3    %s\1.jpg    URLDownloadToFileA  Urlmon.dll  209.85.229.104      RtlDecodePointer    ntdll   ZwAllocateVirtualMemory close myFile wait   play myFile wait    SetAudio myFile volume to 1000000   mciSendStringA  Winmm.dll   open  "%s" type mpegvideo alias myFile  getunlock.php   picture.php http://62.109.28.231/gtx3d16bv3/upload/img.jpg  http://62.109.28.231/gtx3d16bv3/upload/mp3.mp3  %s\1.bmp    Edit    Button  Pay MoneyPak    You have 72 hours to pay the fine!  Wait! Your request is processed within 24 hours.    picture.php?pin= C:\report.txt 

mp3 + jpg in attach

Code: Select all

G:\WORK\WORK_PECEPB\Work_2012 Private\Project L-0-ck_ER\NEW Extern\inject\injc\Release\injc.pdb 

Russian origin.

[R136a1]

Description: http://www.microsoft.com/security/porta ... 32/Tobfy.S

Sample: https://www.virustotal.com/en/file/ecbf ... /analysis/

URLs to Images:
ht*p://194.28.173.218/neo27cah10/upload/img.jpg (US)
ht*p://194.28.173.218/78u8fzo4sd/upload/img.jpg (MX)
...