A forum for reverse engineering, OS internals and malware analysis 

Winlocker.VB6.Blacksod

Forum for analysis and discussion about malware.

Winlocker.VB6.Blacksod

 #28900  by slipstream-
 Sun Jul 17, 2016 9:13 pm
Indian winlocker trash, fakes bsod or product key screen, tries to get user to call fake tech support.

Some have a nice button to run cmd.exe, some do not.

All are linked via dropper method (advanced installer), or via callback URL (to notify successful install only).

I called this family "VB6.blacksod", because one of the earlier samples I saw had a form name called "blacksod", and they're all coded in VB6.

ErrorFileRemover.exe: advanced installer dropper, contacts hxxp://recoverpcerror.com/ar/5430.html (links to license key.exe), and hxxp://itsupport24by7.com/online.html (browlock in root, in utf-16le encoding with BOM, probably as a lame obfuscation attempt). Number to call: +1(800)536-1585 -- fakes a BSOD and plays lame text-to-speech wav in broken english to scare user.

VideoCodecX.exe: advanced installer dropper, contacts hxxp://gmusicplayer.com/0678.html and hxxp://recoverpcerror.com/me/0678.html, has nice cmd.exe button, number to call: 1-844-307-0678

license key.exe: Smart Install Maker dropper, contacts hxxp://recoverpcerror.com/me/active/3313.html, has nice cmd.exe button, number to call: 1-877-256-3313
Attachments
pass: infected
(2.86 MiB) Downloaded 98 times

Re: Winlocker.VB6.Blacksod

 #28926  by slipstream-
 Fri Jul 22, 2016 4:17 pm
New blacksod.

Advanced installer dropper, contacts hxxp://gmusicplayer.com/july0678.html and hxxp://recoverpcerror.com/me/july0678.html, has nice cmd.exe button, number to call: 1-844-307-0678

Note same number as earlier instance, but different callback URLs.
Attachments
infected
(1.13 MiB) Downloaded 92 times

Re: Winlocker.VB6.Blacksod

 #28973  by slipstream-
 Wed Aug 03, 2016 8:19 pm
Next blacksod.

Advanced installer dropper. Contacts hxxp://recoverpcerror.com/ar/pro/5490.html and has nice cmd.exe button (you need to click in the first form to get to it). Number to call: 1-866-933-5490
Attachments
infected
(1.21 MiB) Downloaded 90 times

Re: Winlocker.VB6.Blacksod

 #28974  by patriq
 Wed Aug 03, 2016 9:07 pm
When I google "1-866-933-5490"
This is the first result - hxxp://www.tekexpert.net/contact-us.html
Possibly related, looks like a scam tech support page.

Samples that contact recoverpcerror.com (just visit the index and a sample downloads)

https://www.virustotal.com/en/file/c3ed ... /analysis/
https://www.virustotal.com/en/file/c383 ... /analysis/
https://www.virustotal.com/en/file/c4f0 ... /analysis/
https://www.virustotal.com/en/file/a6de ... /analysis/

New phone number on recoverpcerror.com = 1-844-459-8882
 Return to “Malware”