A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3801  by EP_X0FF
 Wed Dec 01, 2010 2:06 pm
Yes. It drops by Oficla loader.

Greets coming to Meriadoc for locating proper Oficla :)

For 773921 unblock key is aaaaaaciip, number is hardcoded.

http://www.virustotal.com/file-scan/rep ... 1291214716
http://www.virustotal.com/file-scan/rep ... 1291214741
boot code extracted from dropper, pass: malware
(762 Bytes) Downloaded 276 times
pass: malware
(22.18 KiB) Downloaded 352 times
 #3817  by hot_UNP
 Thu Dec 02, 2010 10:53 am
Thank you for sharing samples.
Hard disk is not encrypted and Original MBR backup in (Physical Disk) 0x800h (4th Sector)
 #3822  by wealllbe20
 Thu Dec 02, 2010 3:26 pm
Here latley, My users have been just getting a black screen showing up after they enter their bios passwords..

tried safe mode-> recovery console that was installed on their hard drive, always a black screen.

Have to use some type of mbr restore tool and whalla... everything works fine after we rebuild a new mbr.

I think it has something to do with this malware, or a crap variant of it.

every user has been windows xp sp3.

Keep an eye out.
 #3840  by Tesk
 Sat Dec 04, 2010 4:30 pm
My 2 cents - this is only a "test" before we see a malware which really encrypts the whole harddrive and the keys which are being generated are being generated a very complicated way and so on.
 #3848  by GamingMasteR
 Sun Dec 05, 2010 4:19 pm
encrypts the whole harddrive
I don't think a full HDD encryption will be completed during this *long time* encryption process, something will BSOD .
  • 1
  • 2
  • 3
  • 4
  • 5
  • 10