A forum for reverse engineering, OS internals and malware analysis 

Trojan.MBRlock

Forum for analysis and discussion about malware.

Re: Trojan.MBRlock

 #7079  by kmd
 Tue Jul 05, 2011 4:59 am
EP_X0FF wrote:I'm wondering now, how these script-kiddies managed to write their own mbr code while everything else in all lockers are piece of sh*t coding example (however this does not mean that this mbr code is perfect of course).
i think i know

from "Hacker" magazine http://www.xakep.ru/magazine/xa/079/114/6.asp

article from well known writter K.Kaspersky who sell itself into McAfee
he helped these scriptkiddies very well, he can be proud.

Re: Trojan.MBRlock

 #7090  by EP_X0FF
 Tue Jul 05, 2011 4:44 pm
The same MBRlock type from different server.

Unblock code: 67334561

In attach dropper, fully unpacked dropper (all crypter data removed, 61Kb -> 9 Kb) and MBR.

Screenshot will be the same.

Source hxxp://limboclitor.ru/xxxvideo.avi.exe
Attachments
pass: malware
(32.12 KiB) Downloaded 119 times

Re: Trojan.MBRlock

 #7168  by EP_X0FF
 Sat Jul 09, 2011 4:01 pm
MBRlock of the same type. Screenshot the same.

Looks like they spawns new copy every day.

Tel to call:
89645619483
89645098429
89645098377
89645098176
89645098067
89645098055
89645097965
89645097898
89645097685
89645097585
Unblock code: G610481

Source

hxxp://lusindasexxis.ru/xxxvideo.avi.exe
hxxp://kamasssutra.ru/xxxvideo.avi.exe
hxxp://matherfukker.ru/xxxvideo.avi.exe
hxxp://ulimutixxx.ru/xxxvideo.avi.exe

Dropper + unpacked in attach.
Attachments
pass: malware
(31.63 KiB) Downloaded 92 times

Re: Trojan.MBRlock

 #7172  by EP_X0FF
 Sat Jul 09, 2011 5:35 pm
While scanning for other MBRlock locations I've found about 50 MBRlock site clones, almost all currently suspended or not exists. Previously all they distributed MBRlock as payload.

Re: Trojan.MBRlock

 #7178  by EP_X0FF
 Sun Jul 10, 2011 6:23 am
New domains.

hxxp://antirozzza.ru/xxxvideo.avi.exe
hxxp://bazapornoflv.ru/xxxvideo.avi.exe

Unblock code: H701630

Re: Trojan.MBRlock

 #7193  by mc0blck
 Sun Jul 10, 2011 9:02 pm
New link:
hxxp://LUSINDASEXXIS.ru/xxxvideo.avi.exe
Last edited by a_d_13 on Sun Jul 10, 2011 9:13 pm, edited 1 time in total. Reason: Deactivated link.

Re: Trojan.MBRlock

 #7203  by rkhunter
 Mon Jul 11, 2011 9:34 am
I was surprised when i saw that MSE don't check MBR and boot sectors. Is it true? It really is useless from MBR/boot-start malware?

Re: Trojan.MBRlock

 #7205  by EP_X0FF
 Mon Jul 11, 2011 10:48 am
rkhunter wrote:I was surprised when i saw that MSE don't check MBR and boot sectors. Is it true? It really is useless from MBR/boot-start malware?
That's actually not true.

Image

Image


However in most cases (and where it is possible/available) it is recommended to use recovery console.

Re: Trojan.MBRlock

 #7206  by rkhunter
 Mon Jul 11, 2011 11:04 am
Ok, But i test MSE on detection/remove Mayachok.2 and not detect it with last update. Actually, I making quick scan.

Re: Trojan.MBRlock

 #7207  by EP_X0FF
 Mon Jul 11, 2011 11:07 am
Current MSE engine does not providing 100% detection and 100% curing for all known and newest bootkits like Cidox.
Especially when they are not so widely distributed.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 10
 Return to “Malware”