Re: Trojan Winlock / Ransom / ScreenLocker

Posted: Wed Aug 31, 2011 7:02 am
by mrbelyash
pass-virus

No unlock functions?

Re: Trojan Winlock / Ransom / ScreenLocker

Posted: Wed Aug 31, 2011 7:20 pm
by Xylitol
Code:
00407E39    E8 C2DCFFFF     CALL 00405B00                            ; JMP to USER32.GetWindowTextLengthA
I've found nothing.

Image

Re: Trojan Winlock / Ransom / ScreenLocker

Posted: Wed Aug 31, 2011 7:45 pm
by GMax
mrbelyash wrote: pass-virus

No unlock functions?
Unpacked file

Thread split

Posted: Fri Nov 18, 2011 2:41 pm
by EP_X0FF
International fake police alert ransoms discussion moved to dedicated topic

Re: Trojan Winlock / Ransom / ScreenLocker

Posted: Fri Dec 09, 2011 1:42 pm
by Xylitol
Image

7/43 >> 16.3%
http://www.virustotal.com/file-scan/rep ... 1323434065

Comes from a Blackhole 1.2.1

Re: Trojan Winlock / Ransom / ScreenLocker

Posted: Fri Jan 06, 2012 6:15 am
by rkhunter
Another winlock, with aggressive behavior - Trojan:Win32/Ransom.EZ.

Makes it impossible to boot in safe mode (BSOD), because it moves all services (from HKLM\System\CurrentControlSet\Control\SafeBoot) into a special key: HKLM\System\CurrentControlSet\Control\SystemNls.

Runs from:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\system
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\iexplorer

Image
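
An offline check for the registry changes described in the post above, added as an example (not code from the thread). It assumes the input is `reg export` text already decoded to a string and that the moved entries appear as subkeys of SystemNls; the sample exports, paths and function names are constructed.

```python
import re

CTRL = r"hkey_local_machine\system\currentcontrolset\control"
RUN = r"\software\microsoft\windows\currentversion\run"
# Run value names reported in the post, keyed by the hive they were seen in.
RUN_NAMES = {"hkey_current_user": "system", "hkey_local_machine": "iexplorer"}
# Constructed `reg export` excerpts; the SystemNls subkey layout is an assumption.
INFECTED = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemNls\Minimal\AppMgmt]
@="Service"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"system"="C:\\placeholder\\sample.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"iexplorer"="C:\\placeholder\\sample.exe"
"""
CLEAN = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\placeholder\\tray.exe"
"""

def parse_reg(text):
    """Parse `reg export` text into {lowercased key path: {value name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = keys.setdefault(header.group(1).lower(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current[name.strip('"').lower()] = data.strip('"')
    return keys

def triage(text):
    keys, findings = parse_reg(text), []
    # Safe mode needs service entries below SafeBoot\Minimal or SafeBoot\Network.
    modes = (CTRL + "\\safeboot\\minimal\\", CTRL + "\\safeboot\\network\\")
    if not any(k.startswith(modes) for k in keys):
        findings.append("SafeBoot has no service subkeys")
    moved = [k for k in keys if k.startswith(CTRL + "\\systemnls\\")]
    if moved:
        findings.append(f"{len(moved)} subkey(s) under Control\\SystemNls")
    for hive, name in RUN_NAMES.items():
        if name in keys.get(hive + RUN, {}):
            findings.append(f"Run value '{name}' under {hive}")
    return findings
```

Calling `triage(INFECTED)` returns four findings and `triage(CLEAN)` returns none; an export that omits the Control key entirely would also report an empty SafeBoot, so export the whole key before relying on that finding.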

Re: Trojan Winlock / Ransom / ScreenLocker

Posted: Fri Jan 06, 2012 7:51 am
by mrbelyash
E13879A64D8D091D6B826ED002FA67CD.zip

http://mrbelyash.blogspot.com/2012/01/t ... 29177.html

click on the word "является"

Re: Trojan Winlock / Ransom / ScreenLocker

Posted: Sun Jan 08, 2012 8:55 pm
by Xylitol
Found on Blackhole
Code:
95.57.120.135/files/71
Image

Also this DLL payload, also from BH
Image

and the last is NSFW.

Re: Trojan Winlock / Ransom / ScreenLocker

Posted: Wed Jan 25, 2012 9:36 am
by mrbelyash
Image

code: kkkkkk

Re: Trojan Winlock / Ransom / ScreenLocker

Posted: Sun Feb 12, 2012 12:53 pm
by Xylitol