A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20057  by Fabian Wosar
 Fri Jul 12, 2013 12:36 am
Since someone asked before whether the malware has some kind of unlock code: that appears to be the case. The unlock code of this variant is "783MN02KA6N1B37M90NUY7JHV". Once you put it in, the screen locker will decrypt the files and remove itself from the system. The code block at 0x0040423D handles the password processing. The unlock code is stored in an obfuscated format within the executable. For more details, take a look at the string deobfuscation function at 0x004011A0, which deobfuscates both the encryption key and the unlock code.
 #20060  by Cody Johnston
 Fri Jul 12, 2013 12:55 am
Fabian Wosar wrote: Since someone asked before whether the malware has some kind of unlock code: that appears to be the case. The unlock code of this variant is "783MN02KA6N1B37M90NUY7JHV". Once you put it in, the screen locker will decrypt the files and remove itself from the system. The code block at 0x0040423D handles the password processing. The unlock code is stored in an obfuscated format within the executable. For more details, take a look at the string deobfuscation function at 0x004011A0, which deobfuscates both the encryption key and the unlock code.
Specifically, when the unlock code is used, a flag is set on the PC which the dropper checks for, and it does not reinfect the system.
 #20264  by Fabian Wosar
 Mon Jul 29, 2013 5:57 pm
New Harasom variant with a Russian (?) lock screen this time. Encryption key is "4dKne87BNjeqlOmdkJHCDVlwir46983I". Decrypter has already been updated. The original sample as well as an unpacked version are attached.
Attachments
infected
(157.46 KiB)