Page 6 of 9

Re: Trojan Ransom / Winlock - WinAD

PostPosted:Tue Jul 26, 2011 1:28 pm
by mrbelyash
Need winlocks with WebMoney.
Who knows? :shock:

Re: Trojan Ransom WinAD (alias Ransom.DN, Winlock)

PostPosted:Fri Aug 12, 2011 2:33 am
by mrbelyash
pass-virus

code?

Re: Trojan Winlock / Ransom / ScreenLocker

PostPosted:Fri Aug 12, 2011 1:29 pm
by Xylitol
mrbelyash wrote:pass-virus

code?
The payload extracts to %systemroot%/saliter.exe.
The exe file is built with "Increditools Flash EXE Builder".
The SWF file is dropped into %appdata%/IFViewer/[Random numbers].
I'm not a flash cracker pro, but I've seen nothing related to a serial check inside the flash file.
The winlock SWF is in the attachment.

// Action script...

// [Action in Frame 1]
if (getBytesLoaded() >= getBytesTotal())
{
    gotoAndPlay(5);
} // end if

// [Action in Frame 3]
if (getBytesLoaded() >= getBytesTotal())
{
    gotoAndPlay(5);
} // end if

// [Action in Frame 4]
progress = int(getBytesLoaded() * 100 / getBytesTotal()) add "% - loading Flash...";
gotoAndPlay(3);

// [Action in Frame 19]
stop ();

// [Action in Frame 34]
stop ();

// [Action in Frame 49]
stop ();

// [Action in Frame 64]
stop ();

// [Action in Frame 79]
stop ();

// [Action in Frame 81]
stop ();

// [Action in Frame 96]
stop ();

// [Action in Frame 111]
stop ();
the 'Frame 81' is the bad boy.

Re: Trojan Winlock / Ransom / ScreenLocker

PostPosted:Fri Aug 12, 2011 2:54 pm
by mrbelyash
Xylitol wrote:
[...]
the 'Frame 81' is the bad boy.
Bad ;(

-ALT+F4
-Win+U
profit

Re: Trojan Winlock / Ransom / ScreenLocker

PostPosted:Sat Aug 13, 2011 3:26 am
by Brock
I partially (too boring to continue) reversed one of the winlock/ransom variants last year. Nothing too interesting that I saw, but the concept was a nice one; a lot of money has been paid to unlock these computers. IIRC it dropped the main executing binary from a resource, used owner-drawn controls, and disabled keyboard input unless it was the numbers 0-9 for a "pass code" or some shit like this. Definitely Russian origin; the message basically told me that I would have to pay $ to retrieve a pass code and do so with SMS messages or whatever. I think the GUI was blue and black and had white text; no idea which variant that was.

I have also seen other such stuff which simply locks you out by switching desktops to a new one that it creates (CreateDesktop/SwitchDesktop), along with some other bells and whistles such as restricting access to taskman (registry key). I have designed such software myself, but for administration purposes only.

Re: Trojan Winlock / Ransom / ScreenLocker

PostPosted:Sat Aug 13, 2011 4:07 pm
by EP_X0FF
Ransom "System Antivirus Microsoft 2011"

Another creature distributed by the LockEmAll gang; similar ones were active a few months ago.

See the attachment for the dropper (it's not even packed), crap written in Delphi + KOL.
When dropped and executed, it writes data to the registry and restarts the computer with an ExitWindowsEx call.

Tel numbers:
89162416577
89150032561
89160232860
89057024639
Runs via
HKLM, HKCU SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Not as aggressive as LockEmAll, but also annoying. Currently distributed through a site with the same pattern as LockEmAll's, with the Blackhole exploit kit embedded.

http://www.virustotal.com/file-scan/rep ... 1313248835

Source
hxxp://virobala.in/porn_video.exe
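An added triage script for the persistence described above, not code from the thread or from any of the posters. It checks the two Winlogon\Shell locations EP_X0FF lists against the Windows default (the HKLM value is exactly "explorer.exe"; HKCU normally has no Shell value at all) and also checks the DisableTaskMgr policy value, the "taskman registry key" Brock refers to earlier in the thread, under its standard Policies\System location. The -Fix switch and the restore logic are my design, not anything the posts describe.

```powershell
# Added example: registry triage for the Winlogon\Shell persistence named in
# the post above and the Task Manager lock-out mentioned earlier in the thread.
# Not code from the thread. Run elevated; pass -Fix to restore defaults.
[CmdletBinding()]
param([switch]$Fix)

# The locker replaces the shell so its window comes up instead of Explorer.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# Standard location of the DisableTaskMgr policy value (machine and per-user).
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-ShellValue([string]$Value) {
    # HKLM default is exactly "explorer.exe". Any other string (a dropped exe
    # such as the saliter.exe from earlier in the thread, or an extra command
    # appended after explorer.exe) is what a locker sets.
    return ($Value.Trim().ToLowerInvariant() -ne 'explorer.exe')
}

foreach ($key in $winlogonKeys) {
    $shell = Get-RegValue $key 'Shell'
    if ($null -eq $shell) {
        if ($key -like 'HKLM:*') { Write-Warning "$key\Shell is missing" }
        else { Write-Host "$key\Shell absent (default)" }
        continue
    }
    if ($key -like 'HKCU:*') {
        # Any per-user Shell value is non-default and overrides the HKLM one.
        Write-Warning "$key\Shell is set: $shell"
        if ($Fix) { Remove-ItemProperty -Path $key -Name 'Shell' }
    } elseif (Test-ShellValue $shell) {
        Write-Warning "$key\Shell is non-default: $shell"
        if ($Fix) { Set-ItemProperty -Path $key -Name 'Shell' -Value 'explorer.exe' }
    } else {
        Write-Host "$key\Shell OK: $shell"
    }
}

foreach ($key in $policyKeys) {
    $v = Get-RegValue $key 'DisableTaskMgr'
    if ($v -eq 1) {
        Write-Warning "$key\DisableTaskMgr = 1 (Task Manager blocked)"
        if ($Fix) { Remove-ItemProperty -Path $key -Name 'DisableTaskMgr' }
    }
}
```

On a box that is already locked you would not get a prompt from the normal shell; run this from Safe Mode with Command Prompt (which starts cmd.exe from the SafeBoot AlternateShell value rather than Winlogon\Shell), or load the offline SOFTWARE and NTUSER.DAT hives with reg load and point the paths at the loaded hives. Run it without -Fix first so the suspicious Shell value is recorded before it is overwritten.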

Re: Trojan Winlock / Ransom / ScreenLocker

PostPosted:Sat Aug 20, 2011 11:54 am
by mrbelyash
pass-virus

Re: Trojan Winlock / Ransom / ScreenLocker

PostPosted:Sat Aug 20, 2011 7:47 pm
by GMax
mrbelyash wrote:pass-virus

Numbers to call:
+7 981 887 10 82
+7 981 878 43 51
+7 981 887 10 83

no unlock code

Re: Trojan Winlock / Ransom / ScreenLocker

PostPosted:Fri Aug 26, 2011 11:11 am
by EP_X0FF
System Antivirus Microsoft 2011


Numbers to call:
89162563189
89150306152
89150319790
CODE:004079B0                 mov     edx, offset _str_8901432.Text
CODE:004079B5                 call    @System@@LStrCmp$qqrv ; System::__linkproc__ LStrCmp(void)
CODE:004079BA                 jnz     short loc_4079D7
Unblock code: 8901432

In the attachment: both the original and the fully decrypted one.

Distribution domain has been blocked.

Full list of domain names allocated for use as drop zones for this type of Ransom trojan:

ZASEUJEK.RU
VELUIO.RU
VALANTUREST.RU
UKPANAMARE.RU
OKEOKEOKE.RU
ADULTVIDEORUS.RU
ZDARAVKI.RU
XXXPOREVOO.RU
RAZVRATSPBE.RU
RUSADALT.RU
PISSI4KI.RU
GIRLZP.RU
BOYXXX.RU
BOYGIR.RU
ZELLLKA.RU
OPPOSMOTRI.RU
CEEELKA.RU
ARHIVNU.RU

Re: Trojan Winlock / Ransom / ScreenLocker

PostPosted:Sun Aug 28, 2011 10:07 am
by EP_X0FF
Another one "System Antivirus Microsoft 2011"
Unblock code: 094431221

In the attachment: original and unpacked.