KernelMode.info

hey EP_X0FF can you check this one ?
i dont found the unlock key...
it's my unpacked sample.

This one aggressive. UPX + custom cryptor, written on Delphi. Completely locks screen and drops second trojan additionally (it is encrypted in Delphi binary resources).

Runs through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell as C:\Program Files\Common Files\qip\svhost.exe

to unblock type 12345 (in all three input fields) two times, ignore winlock stupid messages.

https://www.virustotal.com/file-scan/re ... 1293610882
https://www.virustotal.com/file-scan/re ... 1293610339

Another one written in Delphi. Someone got a new crypter - 4/42.
http://www.virustotal.com/file-scan/rep ... 1293783120
original + unpacked

Hi nullptr, any idea why xxx_video_41884.avi.exe drops 90 or so files with no extension each seeming to contain two lines of text when opened with notepad?

!http://pornosun.woodpeker.uni.cc/files/ ... eo_246.avi

xxx_video_60696.avi.exe - 7/43 - MD5 : b7af71b32659be81041e9e0af88b7913

hello, new winlock
https://www.virustotal.com/file-scan/re ... 1294795567

Very funny Winlock, written on dot net.



Distributes through fake Kaspersky site (hxxp://www.kaspepsky.ru). Very detailed copy.

Download source hxxp://kaspepsky.ru/downloads/internetsecurity.updater.exe



Autorun through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell as c:\windows\system32\explorerr.exe

Unblock is kinda problematic because of
so Alt+F4

kaspepsky.ru/downloads/
is open directory

Yes I've noticed that. There also another winlock of the same type :)

EP_X0FF wrote:some new way to store unblock key and several attempts to fool reversers.

not really new (see old samples i've attached)
http://www.youtube.com/watch?v=qf5x1Pp8oz8


authorized chars.

edit: hahaha