[Xylitol]

hey EP_X0FF can you check this one ?
i dont found the unlock key...
it's my unpacked sample.

[EP_X0FF]

This one aggressive. UPX + custom cryptor, written on Delphi. Completely locks screen and drops second trojan additionally (it is encrypted in Delphi binary resources).

Runs through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell as C:\Program Files\Common Files\qip\svhost.exe

to unblock type 12345 (in all three input fields) two times, ignore winlock stupid messages.

https://www.virustotal.com/file-scan/re ... 1293610882
https://www.virustotal.com/file-scan/re ... 1293610339

[nullptr]

Another one written in Delphi. Someone got a new crypter - 4/42.
http://www.virustotal.com/file-scan/rep ... 1293783120
original + unpacked

[Jaxryley]

Hi nullptr, any idea why xxx_video_41884.avi.exe drops 90 or so files with no extension each seeming to contain two lines of text when opened with notepad?

[Jaxryley]

!http://pornosun.woodpeker.uni.cc/files/ ... eo_246.avi

xxx_video_60696.avi.exe - 7/43 - MD5 : b7af71b32659be81041e9e0af88b7913

xxx video and Droppers.rar

Pass:
infected
(75.46 KiB) Downloaded 60 times

[Xylitol]

hello, new winlock
https://www.virustotal.com/file-scan/re ... 1294795567

[EP_X0FF]

Very funny Winlock, written on dot net.



Distributes through fake Kaspersky site (hxxp://www.kaspepsky.ru). Very detailed copy.

Download source hxxp://kaspepsky.ru/downloads/internetsecurity.updater.exe



Autorun through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell as c:\windows\system32\explorerr.exe

Unblock is kinda problematic because of

Code: Select all

  .method public void Ok_Click(class System.Object a, class System.Object b)
  {
    ret
  }

so Alt+F4

[markusg]

kaspepsky.ru/downloads/
is open directory

[EP_X0FF]

Yes I've noticed that. There also another winlock of the same type :)

[Xylitol]

some new way to store unblock key and several attempts to fool reversers.

not really new (see old samples i've attached)
http://www.youtube.com/watch?v=qf5x1Pp8oz8


authorized chars.

edit: hahaha