A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3686  by EP_X0FF
 Wed Nov 24, 2010 11:09 am
This thread contains samples that belong to the same group and are distributed as "porno player". The locker is named winAD because of the about box resource present in both types.

It is BlueTrash


and Homoblocker


Unblock codes and telephone numbers are stored inside the executables. They do not use a cryptor, but the Winlock code is constantly morphing, trying to break antivirus signatures.

EDIT: 05 July 2011

Starting from May 2011, WinAD evolved into Porno-Rolik ransomware. See page 9.


The overall working scheme is still the same: hardcoded unblock code, constant updates to break AV signature detection. With the porno-rolik version the authors started using Mystic Compressor / VBCrypt.

/*original message below*/

The dropper is packed with UPX.
It extracts the payload Winlock executable to Documents and Settings\UserName\[Digits]\[Digits].exe

Runs through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.

Unblock key: EYE OF NEWT, stored as UNICODE.


Attached is the Winlock executable extracted from the dropper.
http://www.virustotal.com/file-scan/rep ... 1290596918
pass: malware
Last edited by EP_X0FF on Sun Sep 18, 2011 12:20 am, edited 11 times in total. Reason: edit
 #4025  by EP_X0FF
 Thu Dec 16, 2010 3:00 pm
The dropper installs its stuff and immediately reboots the victim computer. After the reboot the system is locked by the payload.

Unblock key "SORRY" (w/o quotes)

Unpacked stuff in the attachment.

http://www.virustotal.com/file-scan/rep ... 1292510879
http://www.virustotal.com/file-scan/rep ... 1292511246

Note: 101.dll is the actual Winlock executable.

pass: malware
 #4125  by nullptr
 Fri Dec 24, 2010 5:50 am
EP_X0FF wrote: kiddies are very productive, so probably a new rebuild with a new key will be released, maybe even today
Maybe even find a new packer, though FSG was a giant leap forward. lol
00401382   PUSH junk.0040402C              ; String2 = "90650231"
00401387   PUSH junk.00407088              ; String1 = "C"
0040138C   CALL <JMP.&kernel32.lstrcmp>    ; lstrcmpA
*edit*

Another pornoplayer release.
00401AA0                 lea     edx, [ebp+psz2]
00401AA6                 push    edx               ; psz2
00401AA7                 push    offset psz1       ; "WARCRAFT"
00401AAC                 call    ebx               ; StrCmpW
pass: malware
 #4127  by Jaxryley
 Fri Dec 24, 2010 12:24 pm
Hi nullptr, if I run your sample via Sandboxie it doesn't seem to do anything.

Exploring the sandbox I find a dropped 2503326475.exe which if run sandboxed then locks the screen up.
2503326475.exe - 1/43 - NOD32 - a variant of Win32/LockScreen.AAJ - MD5 : 043ede36f50bf967680bf7a755e1d696
http://www.virustotal.com/file-scan/rep ... 1293193376
pass: malware
 #4128  by nullptr
 Fri Dec 24, 2010 1:41 pm
The pornoplayer sample just drops the binary that is embedded in its resources, writes the Userinit entry so it starts with Windows, and then reboots the computer.
So it's likely that Sandboxie now blocks any ExitWindowsEx(...) call.
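As an added example (not code from the thread or from any of the posters), here are the two checks that EP_X0FF's first post and nullptr's post above describe from the defender's side: pulling ASCII and UTF-16LE strings out of a binary so a hard-coded unblock key of the kind compared with lstrcmpA/StrCmpW can be found, and inspecting a Winlogon Userinit value for an extra executable appended by the dropper. The sample blob and the two Userinit values are constructed for the example (the digits in the dropped path are made up); the live registry read at the bottom only runs on Windows and is skipped elsewhere.

```python
"""Triage helpers for WinAD / "pornoplayer" style screen lockers.

Added example, not code from the thread. Two checks the posts describe:
  1. string extraction (ASCII and UTF-16LE) to locate a hard-coded unblock key;
  2. inspection of the Winlogon Userinit value for an extra executable.
"""
import os
import re


def extract_ascii_strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII runs of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def extract_wide_strings(data: bytes, min_len: int = 5) -> list:
    """UTF-16LE runs (printable byte followed by NUL) of at least min_len chars.

    Keys stored 'as UNICODE' (EYE OF NEWT, WARCRAFT) only show up here; a plain
    ASCII scan sees single letters separated by NUL bytes and misses them."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.decode("utf-16-le") for m in re.findall(pattern, data)]


# Constructed stand-in for a locker body: an ASCII compare target (as in the
# lstrcmpA listing) and a wide compare target (as in the StrCmpW listing).
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"90650231\x00"                                   # ASCII string
    + b"\x01\x02\x03"
    + "WARCRAFT".encode("utf-16-le") + b"\x00\x00"      # wide string
    + b"\xff\xfe"
    + "C:\\junk".encode("utf-16-le") + b"\x00\x00"
)


def unexpected_userinit_entries(value: str, system_root: str = r"C:\Windows") -> list:
    """Entries in a Userinit value other than the stock userinit.exe.

    Userinit is a comma-separated list and Winlogon runs every entry at logon,
    which is how the dropper gets its Winlock payload started before the
    desktop is usable. Anything beyond system32\\userinit.exe is suspect."""
    expected = (system_root + r"\system32\userinit.exe").lower()
    flagged = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and entry.lower() != expected:
            flagged.append(entry)
    return flagged


# Constructed Userinit values: one clean, one with a dropped [Digits]\[Digits].exe
# appended the way the thread describes (user name and digits are made up).
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
INFECTED_USERINIT = (r"C:\Windows\system32\userinit.exe,"
                     r"C:\Documents and Settings\User\1234567890\1234567890.exe,")


def read_live_userinit():
    """Read the real Userinit value on Windows; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    finally:
        winreg.CloseKey(key)
    return value


if __name__ == "__main__":
    print("ascii:  ", extract_ascii_strings(SAMPLE_BLOB))
    print("wide:   ", extract_wide_strings(SAMPLE_BLOB))
    print("flagged:", unexpected_userinit_entries(INFECTED_USERINIT))
    live = read_live_userinit()
    if live is not None:
        root = os.environ.get("SystemRoot", r"C:\Windows")
        print("live Userinit extras:", unexpected_userinit_entries(live, root))
```

The wide-string scan is the one that matters for this family: both keys the thread names are stored as UTF-16LE, so a plain `strings` run over the payload shows only isolated letters. The Userinit check is deliberately strict (anything that is not the stock userinit.exe is reported) because a legitimate system has exactly one entry there.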
 #4139  by Buster_BSA
 Sun Dec 26, 2010 11:19 am
nullptr wrote: The pornoplayer sample just drops the binary that is embedded in its resources, writes the Userinit entry so it starts with Windows, and then reboots the computer.
So it's likely that Sandboxie now blocks any ExitWindowsEx(...) call.
That's right. Sandboxie blocks any attempt to reboot or shut down.
 #4147  by Xylitol
 Mon Dec 27, 2010 11:04 am
I work a lot on pornoplayer, and the reboot feature is new; not only that, now there are also two ways to activate it.

like this one: [image]

and the old method in an old sample: http://www.youtube.com/watch?v=KGEeHsX8emY

my pornoplayer archive: http://xylibox.blogspot.com/2010/12/tro ... xe_24.html
(29 Nov 2k10) ~ (5 Dec 2k10) ~ (14 Dec 2k10) ~ (17 Dec 2k10) ~ (23 Dec 2k10) ~ (23 Dec 2k10) ~ (24 Dec 2k10)
 #4150  by EP_X0FF
 Mon Dec 27, 2010 3:22 pm
Thanks for info Xylitol.

Here is another locker from different kiddies.


101 is the actual Winlock file.

Source: hxxp://goodpornonline.info/wd5o6os5pt8bd5r99ehj4j2eqeev8ky2/pornoplayer.exe (could be updated)

Unblock key is DIGGER


http://www.virustotal.com/file-scan/rep ... 1293463061
http://www.virustotal.com/file-scan/rep ... 1293462878
pass: malware
 #4152  by Xylitol
 Mon Dec 27, 2010 6:08 pm
Yeah, I've seen this also today.
Here is the password history for the pornoplayer:
"SORRY" - "WARCRAFT" and now "DIGGER"
And there is a new "Lock Em All" variant (not analyzed yet, but it seems to be the same packer in VB).
Edit: hmm, nope, not possible, there are 3 different custom packers on it...
Last edited by Xylitol on Mon Dec 27, 2010 6:33 pm, edited 1 time in total.