[EP_X0FF]

This thread if about Trojan Winlock aka Ransom/Homoblocker/ScreenLocker/LockScreen/Wlock.

VirusTotal
http://www.virustotal.com/ru/analisis/3 ... 1277403545

Runs through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit key.
Works in safe mode. Displays some pr0n and locks desktop screen.

[Jaxryley]

This one needs to be run on real system Win 7 (or maybe Vista) to see the full effects.

It seems to be using something like the secure desktop background to lock the mouse in a window.

The mouse lock doesn't or can't seen to happen in a Win 7 VM.

First a diologue box appears with writing I can't understand where you can select numbers for input into a line and the mouse is captured in this screen.

Then a page opens behind with graphic pron scenes.

If anyone wants to have a look remember that graphic pron will show and you won't see the mouse lock if run in a VM but nothing else seems clickable if run in a Win 7 VM.

Doesn't seem to run properly in XP.

Malwarebytes - Trojan.Ransom
xxx_video.exe - 10/19 - MD5: 2bcae695288cd75a2d71c0dbb69359fd
http://virusscan.jotti.org/en/scanresul ... 1e32ac03f0

xxx_video.rar

Pass:
malware
(259.34 KiB) Downloaded 112 times

[EP_X0FF]

Hello,

It needs Net Framework 2 to work.
Vista / Seven - it is built-in.

Sample runs through HKLM\... Run key as "Windows boot"

Can be removed from Safe mode.

Here is that crap unpacked. Written on Delphi, russian origin.

Regards.

[Jaxryley]

How to kill em without a reset.

I use the free WinHotKey utility to set two hot keys that run RogueKiller when hit.

http://www.softpedia.com/progDownload/W ... 48832.html

http://www.sur-la-toile.com/RogueKiller/

Another sample:
xxx_video_77498.avi.exe - 22/43 - MD5 : 1980cdff48796a156a69bbc5b71b8bc6
http://www.virustotal.com/file-scan/rep ... 1289946117

xxx_video_77498.avi.rar

Pass:
malware
(28.51 KiB) Downloaded 92 times

[EP_X0FF]

This one written on Delphi + KOL.

Usually I'm using my own tool designed to work specially with lockers.

[Jaxryley]

XP VM.

This one instigates a reboot and hotkeys won't work with it active.

Had to boot from a live cd and delete the exe or you can put RogueKiller in the Startup folder before executing the sample which will kill the trojan's process at restart.

xpiofrbtkzhr.exe - 18/43 - TR/Ransom
http://www.virustotal.com/file-scan/rep ... 1290435591

xpiofrbtkzhr.rar

Pass:
infected
(44.02 KiB) Downloaded 89 times

[nullptr]

Delphi crypter, unpacked locker written in Delphi + KOL

Original + unpacked attached.

[treehouse786]

so how do i remove this bastard malware??

[kmd]

so how do i remove this bastard malware??

unblock keys posted above

[Jaxryley]

Not many hits at VT.

xxx_video_26726.avi.exe - 4/43 - MD5 : 91096e06bc95a718d0b67661764a92b3
http://www.virustotal.com/file-scan/rep ... 1293425025

xxx_video_26726.avi.rar

Pass:
infected
(55.46 KiB) Downloaded 74 times