A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4503  by EP_X0FF
 Mon Jan 17, 2011 7:53 am
Well
hxxp://susannafdegtinshr.narod2.ru/
hxxp://andreyshchpburyakovt.narod2.ru/
hxxp://albinapdvorobevyaa.narod2.ru/
hxxp://semenstnovikovzhkh.narod2.ru/
They all went unnoticed in my post yesterday. It seems they were newly spawned, or search bots weren't able to index them yesterday.
I will create a simple list with Lock Em All sites in the first post of this thread.

edit:

Lock Em All

http://www.virustotal.com/file-scan/rep ... 1295252983

Tel to call
8-903-101-39-03
8-963-636-72-89
8-903-531-49-79
8-965-159-87-96
8-903-532-07-10
8-965-265-90-27
8-965-159-73-60
8-965-397-54-58
8-965-375-21-51
8-965-211-04-95
8-965-368-62-56
8-963-725-38-60
8-965-375-13-79
8-965-375-24-70
8-965-375-04-17
8-903-103-25-64
8-962-947-53-83
8-965-375-18-44
8-963-724-49-38
Unblock key 90855341

Source hxxp://alevtinaulepikhovkhg.narod2.ru/xxx_video.exe

added to list in first post of the thread.
Last edited by EP_X0FF on Mon Jan 17, 2011 8:36 am, edited 1 time in total. Reason: edit
 #4681  by EP_X0FF
 Mon Jan 24, 2011 4:52 am
http://www.virustotal.com/file-scan/rep ... 1295283969

Tel to call
8-963-661-63-96
8-963-661-63-21
8-963-661-64-53
8-963-661-64-89
8-963-661-66-26
8-963-661-68-98
8-963-661-62-78
8-963-661-70-50
8-965-378-27-32
8-965-378-29-06
8-965-378-29-19
8-965-378-09-51
8-965-378-09-08
8-965-378-08-04
8-963-661-56-08
8-965-378-07-73
8-963-661-85-59
8-965-378-29-54
8-965-378-29-50
8-967-032-07-20
8-965-357-97-34
8-965-357-98-38
8-965-357-97-23
8-965-357-94-54
8-965-357-92-84
8-967-151-49-46
8-967-151-52-76
8-963-662-83-82
8-963-662-83-90
8-963-663-12-27
8-963-663-12-43
8-963-663-14-08
8-963-661-50-70
8-963-661-50-78
8-963-661-50-84
8-963-661-52-28
8-963-661-52-80
Unblock code 3790158

Source hxxp://anastasiyayblobanrv.narod2.ru/xxx_video.exe [added to list]

http://www.virustotal.com/file-scan/rep ... 1295284704

Tel to call
8-903-709-38-37
8-962-972-41-38
8-962-972-25-90
8-962-972-25-58
8-962-971-90-08
8-965-377-11-52
8-965-376-65-98
8-965-377-10-05
8-965-376-70-20
8-965-376-60-73
8-965-376-45-00
8-965-376-44-45
8-965-376-31-61
8-965-376-89-38
8-965-376-88-34
8-965-376-86-74
Unblock code 73050487

Source hxxp://vyacheslavushchglobazh.narod2.ru/xxx_video.exe [added to list]


http://www.virustotal.com/file-scan/rep ... 1295335042

Tel to call
8-965-329-21-38
8-965-296-41-93
8-962-950-01-98
8-903-554-49-13
8-967-219-65-87
8-967-219-65-75
8-965-291-59-40
8-967-219-65-97
8-965-291-57-79
8-967-219-65-68
8-965-190-36-38
8-965-375-95-60
8-965-291-58-62
8-965-190-39-91
8-962-973-95-07
8-962-950-16-68
8-962-966-10-56
8-967-183-12-52
8-965-296-41-68
8-965-291-58-92
8-962-973-79-80
8-903-574-49-68
8-965-296-41-90
8-967-219-65-74
8-962-973-78-07
8-962-951-07-46
8-967-219-65-73
8-965-228-19-80
8-962-973-45-18
8-962-932-31-80
8-965-291-56-60
8-962-966-07-12
8-965-296-42-18
8-965-329-20-56
8-962-950-17-73
8-962-950-35-91
8-965-178-63-79
8-962-966-09-27
8-965-291-56-95
8-962-973-97-67
Unblock key 93020489

Source hxxp://timurzpkalmykovmi.narod2.ru/xxx_video.exe [added to list]


http://www.virustotal.com/file-scan/rep ... 1295429186

Tel to call
8-909-151-13-94
8-909-151-13-78
8-909-151-13-05
8-909-151-12-64
8-909-151-30-20
8-909-151-30-23
8-909-151-30-40
8-909-151-30-42
8-909-151-30-46
8-909-151-30-52
8-909-151-30-62
8-909-151-30-66
8-909-151-30-84
8-909-151-30-89
8-909-151-31-02
8-909-151-31-09
8-909-151-31-20
8-909-151-31-38
8-909-151-31-50
8-909-151-31-60
8-909-151-31-61
8-909-151-31-62
8-909-151-32-09
8-909-151-32-27
8-909-151-32-31
8-909-151-32-44
8-909-151-32-62
8-909-151-32-50
8-909-151-32-52
8-909-151-14-19
Unblock key 8095147

Source hxxp://margaritakhnbagroviyu.narod2.ru/xxx_video.exe [added to list]

edit:

http://www.virustotal.com/file-scan/rep ... 1295446072
8-965-291-06-62
8-968-823-59-09
8-968-823-57-07
8-964-576-98-30
8-965-328-18-22
8-965-328-17-68
8-909-622-14-40
8-909-621-93-19
8-909-621-93-70
8-909-621-94-06
8-909-621-94-18
8-909-621-97-30
8-909-621-97-43
8-909-622-15-30
8-909-622-14-82
8-909-621-94-38
8-909-621-95-04
8-909-621-95-21
8-909-621-95-25
8-909-622-14-74
8-965-378-38-39
8-963-662-92-90
8-963-662-91-01
8-963-662-88-97
8-963-661-71-58
8-963-662-88-96
8-963-661-70-98
8-965-378-40-08
8-963-663-14-83
Unblock code 3796054

Source hxxp://alisaudbaltabevbl.narod2.ru/xxx_video.exe [added to list]

http://www.virustotal.com/file-scan/rep ... 1295511325

Tel to call
8-909-155-83-85
8-909-155-82-57
8-909-155-82-56
8-909-155-82-52
8-909-155-86-96
8-909-155-87-23
8-909-155-86-77
8-909-156-13-74
8-909-156-13-09
8-909-156-12-99
8-909-156-12-13
8-909-156-11-83
8-909-156-11-35
8-909-156-10-78
8-909-156-10-59
8-909-156-11-62
8-909-156-10-07
8-909-156-11-60
8-909-156-10-06
8-909-156-60-57
8-909-156-60-44
8-909-156-59-89
8-909-156-66-61
8-909-156-66-79
8-909-156-66-83
8-909-156-66-84
8-909-156-67-16
8-909-156-67-18
8-909-156-51-32
8-909-156-51-24
8-909-156-51-19
8-909-156-67-21
8-909-156-60-95
8-909-156-46-92
8-909-156-47-98
8-909-156-48-08
8-909-156-48-13
8-909-156-48-85
8-909-156-54-73
8-909-156-55-05
8-909-156-55-21
Unblock code 80348741

Source hxxp://stellappkolomiytsevyo.narod2.ru/xxx_video.exe [added to list]

http://www.virustotal.com/file-scan/rep ... 1295792203
http://www.virustotal.com/file-scan/rep ... 1295792810

Tel to call
8-909-157-83-58
8-909-151-15-54
8-909-151-16-03
8-909-151-16-06
8-909-151-12-43
8-909-151-12-05
8-909-151-17-18
8-909-151-17-57
8-909-156-55-83
8-909-156-55-30
8-909-157-34-18
8-909-151-15-37
8-909-156-55-81
Unblock code 30899641

Source hxxp://oksanaerlashkinchb.narod2.ru/xxx_video.exe [added to list]
Source hxxp://leonidyueenotineyu.narod2.ru/xxx_video.exe [added to list]
Source hxxp://raisakykapitonovsshch.narod2.ru/xxx_video.exe [added to list]

edit

https://www.virustotal.com/file-scan/re ... 1295840428

Tel to call
8-909-151-33-12
8-909-151-32-97
8-909-151-25-95
8-909-151-19-04
8-909-151-18-79
8-909-157-72-35
8-909-157-71-45
8-909-151-18-21
8-909-151-18-16
8-909-151-18-08
8-909-151-17-88
8-909-151-17-69
8-909-151-28-35
8-909-151-27-96
8-909-151-26-61
Unblock key 8074569

Source hxxp://veronikauemagazinerga.narod2.ru/xxx_video.exe [added to list]
Source hxxp://elzachabalakhnovgshch.narod2.ru/xxx_video.exe [added to list]

http://www.virustotal.com/file-scan/rep ... 1295865835

Tel to call
8-965-376-98-13
8-903-672-63-26
8-965-377-04-06
8-965-377-05-81
8-965-377-09-80
8-903-672-63-31
8-962-972-40-26
8-965-377-03-73
8-965-376-61-45
8-903-709-38-34
8-965-388-99-50
8-962-946-23-36
8-962-932-50-09
8-962-946-23-17
8-962-932-50-13
8-962-932-50-11
8-962-946-23-43
8-964-776-64-94
8-964-776-67-00
8-965-312-98-43
8-964-780-75-19
8-964-780-75-17
8-962-941-11-82
8-962-932-63-97
8-903-202-35-87
8-962-932-63-96
8-963-630-88-49
8-963-630-88-47
8-965-376-32-14
8-965-376-37-35
8-903-536-95-56
8-903-536-96-01
8-903-536-94-81
Unblock key 55208741

Source hxxp://evgeniyayaiardankinyae.narod2.ru/xxx_video.exe [added to list]
Source hxxp://stepanyggorokhovshchk.narod2.ru/xxx_video.exe [added to list]

http://www.virustotal.com/file-scan/rep ... 1295888818

Tel to call
8-965-376-98-13
8-903-672-63-26
8-965-377-04-06
8-965-377-05-81
8-965-377-09-80
8-903-672-63-31
8-962-972-40-26
8-965-377-03-73
8-965-376-61-45
8-903-709-38-34
8-965-388-99-50
8-962-946-23-36
8-962-932-50-09
8-962-946-23-17
8-962-932-50-13
8-962-932-50-11
8-962-946-23-43
8-964-776-64-94
8-964-776-67-00
8-965-312-98-43
8-964-780-75-19
8-964-780-75-17
8-962-941-11-82
8-962-932-63-97
8-903-202-35-87
8-962-932-63-96
8-963-630-88-49
8-963-630-88-47
8-965-376-32-14
8-965-376-37-35
8-903-536-95-56
8-903-536-96-01
8-903-536-94-81
Unblock code 55208741

Source hxxp://adolftsboyarinove.narod2.ru/xxx_video.exe [added to list]

http://www.virustotal.com/file-scan/rep ... 1295953622
https://www.virustotal.com/url-scan/rep ... 1295950274

Tel to call
8-909-157-81-02
8-909-157-81-07
8-909-157-81-17
8-909-157-81-32
8-909-157-81-40
8-909-650-42-60
8-906-096-66-42
8-909-650-38-98
8-909-650-41-42
8-909-650-41-37
8-909-650-41-33
8-909-650-41-31
8-909-650-41-22
8-909-650-41-00
8-909-650-40-77
8-909-650-40-53
8-909-650-40-39
8-909-650-40-28
8-909-650-40-21
8-909-650-40-14
8-909-650-40-05
8-909-650-39-95
8-909-650-39-71
8-909-650-39-65
8-906-096-72-42
8-906-096-72-19
8-906-096-72-77
8-906-096-73-00
8-906-096-73-38
8-906-096-73-29
8-906-096-73-45
Unblock code 80079521

Source hxxp://daniilgrkrutoyzu.narod2.ru/xxx_video.exe [added to list]
Source hxxp://varvaraishkandinskiyf.narod2.ru/xxx_video.exe [added to list]
Last edited by EP_X0FF on Wed Jan 26, 2011 1:11 pm, edited 3 times in total. Reason: merged posts
 #4719  by EP_X0FF
 Tue Jan 25, 2011 12:48 pm
Attached is today's Lock'Em'All.

UPX and the VB cryptor were totally removed and the original file fully reconstructed.
It is fully workable and reverse friendly.

VT entertainment results
https://www.virustotal.com/file-scan/re ... 1295959569
Attachments
pass: malware
(5.22 KiB) Downloaded 55 times
 #4739  by EP_X0FF
 Wed Jan 26, 2011 5:34 am
Lock Em All disappeared from newly spawned drop zones.

Instead they are giving out Delphi + PECompact crapware, Pornozud.

Image

http://www.virustotal.com/file-scan/rep ... 1296020525
http://www.virustotal.com/file-scan/rep ... 1296018744

Tel to call
89091577310
89091577322
89091577344
89091577392
89091577401
89091578322
89091578327
89091578341
89091578639
89091512973
89091512978
89091512994
Unblock codes

80640897
886333

Source hxxp://agnessatshchzubovdf.narod2.ru/xxx_video.exe
Source hxxp://innokentiyolbarentsevt.narod2.ru/xxx_video.exe

Original + fully unpacked attached.
Attachments
unpacked, pass: malware
(208.72 KiB) Downloaded 66 times
pass: malware
(194 KiB) Downloaded 61 times
 #4744  by EP_X0FF
 Wed Jan 26, 2011 1:06 pm
Lock Em All is back.

Tel to call

http://www.virustotal.com/file-scan/rep ... 1296046738
8-909-157-82-72
8-909-157-82-81
8-909-157-82-99
8-909-157-83-13
8-909-151-32-65
8-909-151-32-68
Unblock code 8059547

Source hxxp://lyudmilazhmkosomovnn.narod2.ru/xxx_video.exe [added to list]
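The posts above all share one format: VirusTotal link(s), a "Tel to call" list (sometimes dashed, sometimes plain digits), an "Unblock code"/"Unblock key" line (or an "Unblock codes" header with the codes on their own lines) and "Source" lines with the defanged drop-site URL. The parser below is an added example, not code from the thread or from any poster: it normalizes the numbers to plain digits, groups each sample's indicators into one record, and deduplicates numbers across samples (the thread repeats one whole list verbatim). The excerpt it parses is constructed from values that appear in the thread; the number repeated across the two samples is constructed to show the deduplication.

```python
import re
from dataclasses import dataclass, field


# One record per locker sample, as the thread posts them: VT link(s), the
# "Tel to call" numbers, the unblock code(s) and the drop-site URL(s).
@dataclass
class LockerSample:
    vt_reports: list = field(default_factory=list)
    phones: list = field(default_factory=list)
    unblock_codes: list = field(default_factory=list)
    sources: list = field(default_factory=list)


CODE_HEADER_RE = re.compile(r"^Unblock (?:code|key)s?\s*(\d{5,10})?$")
SOURCE_RE = re.compile(r"^Source\s+(hxxps?://\S+)")   # URLs stay defanged as posted
VT_RE = re.compile(r"virustotal\.com/")


def normalize_phone(raw):
    """'8-909-157-82-72' and '89091578272' -> '89091578272'; None if not an 11-digit 8... number."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) != 11 or not digits.startswith("8"):
        return None
    return digits


def parse_locker_post(text):
    """Split a post into LockerSample records.

    A record closes at the first non-Source line after its Source line(s),
    so the order of VT link / numbers / code inside a record does not matter.
    """
    samples, cur, in_codes = [], LockerSample(), False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SOURCE_RE.match(line)
        if m:
            cur.sources.append(m.group(1))
            continue
        if cur.sources:                      # sources already seen, new material starts: flush
            samples.append(cur)
            cur, in_codes = LockerSample(), False
        if VT_RE.search(line):
            cur.vt_reports.append(line)
            continue
        m = CODE_HEADER_RE.match(line)
        if m:
            if m.group(1):
                cur.unblock_codes.append(m.group(1))
            else:
                in_codes = True              # "Unblock codes" header: codes follow on their own lines
            continue
        if in_codes and line.isdigit():
            cur.unblock_codes.append(line)
            continue
        in_codes = False
        phone = normalize_phone(line)
        if phone and phone not in cur.phones:
            cur.phones.append(phone)
    if cur.sources or cur.phones:
        samples.append(cur)
    return samples


def all_phones(samples):
    """Unique, sorted numbers across all samples."""
    return sorted({p for s in samples for p in s.phones})


# Constructed excerpt in the thread's format (values taken from the posts above;
# the number shared by both samples is deliberately repeated).
SAMPLE_POST = """\
http://www.virustotal.com/file-scan/rep ... 1296020525

Tel to call
89091577310
89091577322
Unblock codes

80640897
886333

Source hxxp://agnessatshchzubovdf.narod2.ru/xxx_video.exe
Source hxxp://innokentiyolbarentsevt.narod2.ru/xxx_video.exe

Tel to call

http://www.virustotal.com/file-scan/rep ... 1296046738
8-909-157-82-72
8-909-157-82-81
8-909-157-73-10
Unblock code 8059547

Source hxxp://lyudmilazhmkosomovnn.narod2.ru/xxx_video.exe [added to list]
"""

if __name__ == "__main__":
    for s in parse_locker_post(SAMPLE_POST):
        print(s)
    print("unique numbers:", all_phones(parse_locker_post(SAMPLE_POST)))
```

The records can then be fed to whatever block list or ticketing system tracks the premium-rate numbers; keeping the URLs defanged avoids accidental clicks when the output is pasted into a report.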
 #5973  by Xylitol
 Mon Apr 18, 2011 5:24 pm
КОМПЬЮТЕР ЗАБЛОКИРОВАН! (COMPUTER IS LOCKED!)
Image

https://www.virustotal.com/file-scan/re ... 1303082017

If someone finds a way to unlock that..
Attachments
See archive comment for password
(17.54 KiB) Downloaded 66 times
 #7059  by Xylitol
 Mon Jul 04, 2011 12:09 pm
3 boringlock

КОМПЬЮТЕР ЗАБЛОКИРОВАН! (COMPUTER IS LOCKED!)

hxxp://saterdest.client.jp/xxx_video.exe
hxxp://liaschedaf.client.jp/xxx_video.exe
hxxp://terdesa.client.jp/xxx_video.exe
Attachments
pwd: xylibox
(69.8 KiB) Downloaded 57 times
 #7065  by EP_X0FF
 Mon Jul 04, 2011 3:52 pm
Xylitol wrote: 3 boringlock

КОМПЬЮТЕР ЗАБЛОКИРОВАН! (COMPUTER IS LOCKED!)

hxxp://saterdest.client.jp/xxx_video.exe
hxxp://liaschedaf.client.jp/xxx_video.exe
hxxp://terdesa.client.jp/xxx_video.exe
same crap here

hxxp://visadchi.client.jp/xxx_video.exe
hxxp://neutricfer.client.jp/xxx_video.exe
hxxp://idabcoun.client.jp/xxx_video.exe

I believe there are more "Porno TV" clones in the range 125.100.100.xx

hxxp://northvalgikacen.narod.ru/xxx_video.exe
hxxp://glitiheslynchea.narod.ru/xxx_video.exe
hxxp://nievialansscharen.narod.ru/xxx_video.exe
hxxp://brazunengavi.narod.ru/xxx_video.exe

A closer look at this crap. Likely this is version 2 of Lock'Em'All.

Image

It kills Task Manager and Userinit by replacing them with a copy of the dropper. DllCache is also updated to contain the trojan executable instead of the original files.

The stuff is VB-crypted and then packed with UPX. The original executable is written in C++ in Visual Studio 2010, just like its predecessor Lock'Em'All.

There is no unblock code by design. Below is the full code of the DialogFunc of this Winlock type.
Code:
signed int __stdcall DialogFunc(HWND hwnd, UINT uMsg, int wParam, int lParam)
{
  signed int result; 

  if ( uMsg > 0x110 )
  {
    if ( uMsg == 0x111 )                        // WM_COMMAND
    {
      if ( wParam != 1002 )                     // id of button (ButtonClick handler)
        return 0;
      // Whatever is typed, the only reply is "Incorrect code": the entered value is
      // never compared with anything, hence no unblock code by design.
      SetDlgItemTextA(hwnd, 1001, "Введен неверный код");// "Incorrect code" message, 1001 id of Edit control
    }
    else
    {
      if ( uMsg != 0x112 && uMsg != 0x204 )     // WM_SYSCOMMAND or WM_RBUTTONDOWN
        return 0;
    }
    return 1;                                   // both are swallowed: system menu and right click do nothing
  }
  if ( uMsg == 0x110 )                          // WM_INITDIALOG
  {
    hWnd = GetDesktopWindow();                  // desktop window, used below to size/centre the locker
    RegisterHotKey(hwnd, 0, 1u, 9u);            // MOD_ALT (1) + VK_TAB (9): Alt+Tab is delivered to the locker, not to the shell
    hThread = (int)CreateThread(0, 0, InvalidateRectRoutine, hwnd, 0, (LPDWORD)&uMsg);// worker thread that keeps invalidating (repainting) the window
    return 1;
  }
  if ( uMsg == 1 )                              // WM_CREATE
    return 0;
  if ( uMsg == 0xF )                            // WM_PAINT
  {
    GetWindowRect(hWnd, &Rect);
    // HWND_MESSAGE|0x2 is the decompiler's rendering of (HWND)-1 = HWND_TOPMOST; 0x40u = SWP_SHOWWINDOW.
    // Every repaint re-centres the 800x600 window and forces it back to the top of the z-order.
    SetWindowPos(hwnd, HWND_MESSAGE|0x2, (Rect.right - 800) / 2, (Rect.bottom - 600) / 2, 800, 600, 0x40u);
    RedrawLockerWindow(hwnd);
    result = 1;
  }
  else
  {
    result = 0;
  }
  return result;
}
Attached: the winlock (xxx_video.exe) and the unpacked winlock.

First post updated to include table of active locker locations (currently there are not so many links).
Attachments
pass: malware
(53.08 KiB) Downloaded 78 times
Last edited by EP_X0FF on Mon Jul 25, 2011 7:48 am, edited 3 times in total. Reason: merged my several posts in one
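The replacement of taskmgr.exe and userinit.exe, together with their DllCache copies, described in the post above is something an incident responder can verify on a mounted offline image without touching the live host. The Python below is an added example, not code from the thread or from the sample: it hashes the system32 and dllcache copies of the named files and classifies each one against a table of known-good hashes and against the hash of the analysed dropper, then says whether Windows File Protection could still restore the file from dllcache (it cannot once the cache copy is replaced too). The known-good hashes, the dropper hash, the file contents and the directory tree are all constructed for the demo; on a real case the reference hashes would come from a clean installation of the same Windows build.

```python
import hashlib
import tempfile
from pathlib import Path

# Files the post says the locker overwrites with a copy of its own dropper,
# in system32 and in system32\dllcache alike.
PROTECTED = ("taskmgr.exe", "userinit.exe")


def sha256_file(path):
    """SHA-256 hex digest of a file, or None if it does not exist."""
    path = Path(path)
    if not path.is_file():
        return None
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(digest, known_good, dropper_sha256):
    """known_good / dropper / unknown / missing for one copy of a file."""
    if digest is None:
        return "missing"
    if digest == known_good:
        return "known_good"
    if dropper_sha256 and digest == dropper_sha256:
        return "dropper"
    return "unknown"


def audit_protected_files(windows_dir, known_good, dropper_sha256=None, names=PROTECTED):
    """Compare the system32 and dllcache copies of each protected file with reference hashes.

    windows_dir    : path to a (mounted, offline) Windows directory
    known_good     : {filename: sha256} taken from a clean reference installation
    dropper_sha256 : hash of the analysed xxx_video.exe sample, if known
    """
    system32 = Path(windows_dir) / "system32"
    dllcache = system32 / "dllcache"
    report = {}
    for name in names:
        live = classify(sha256_file(system32 / name), known_good.get(name), dropper_sha256)
        cache = classify(sha256_file(dllcache / name), known_good.get(name), dropper_sha256)
        report[name] = {
            "system32": live,
            "dllcache": cache,
            # WFP restores from dllcache, which only helps while that copy is still clean
            "wfp_restore_possible": live != "known_good" and cache == "known_good",
            "suspicious": live != "known_good" or cache != "known_good",
        }
    return report


# --- constructed demo tree: placeholder bytes, not real Windows binaries ---
GOOD_TASKMGR = b"constructed clean taskmgr.exe bytes"
GOOD_USERINIT = b"constructed clean userinit.exe bytes"
DROPPER = b"constructed xxx_video.exe dropper bytes"

KNOWN_GOOD = {
    "taskmgr.exe": hashlib.sha256(GOOD_TASKMGR).hexdigest(),
    "userinit.exe": hashlib.sha256(GOOD_USERINIT).hexdigest(),
}
DROPPER_SHA256 = hashlib.sha256(DROPPER).hexdigest()


def build_demo_tree():
    """Create a fake Windows directory in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp()) / "Windows"
    system32 = root / "system32"
    dllcache = system32 / "dllcache"
    dllcache.mkdir(parents=True)
    # taskmgr.exe: both copies replaced by the dropper, exactly as the post describes
    (system32 / "taskmgr.exe").write_bytes(DROPPER)
    (dllcache / "taskmgr.exe").write_bytes(DROPPER)
    # userinit.exe: only the live copy replaced, dllcache copy still clean
    (system32 / "userinit.exe").write_bytes(DROPPER)
    (dllcache / "userinit.exe").write_bytes(GOOD_USERINIT)
    return root


if __name__ == "__main__":
    for name, verdict in audit_protected_files(build_demo_tree(), KNOWN_GOOD, DROPPER_SHA256).items():
        print(name, verdict)
```

Because the check only reads files under a directory you point it at, it runs the same way against a mounted forensic image on a Linux workstation as it would on the host; only the reference hash table is Windows-build specific.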