Written in Delphi, scrambled UPX (sometimes PECompact is used, or UPX + VB cryptor in later versions).
Kinda idiotic locker, because its virtual keyboard does not allow the user to enter non-numeric chars, while the unblock key is a word, not digits.
Comes from porn sites, as a Flash Player update. This locker is constantly updated, but only the tel numbers and unblock code change.
Runs through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, replacing the original Explorer.exe entry.
File location depends on where the executable was stored by the browser while downloading.
Tel to call (stored in TMemo.Lines; even Pascal arrays are quite difficult for these locker authors)
Unblock key: lord
To enter the unblock code, the user needs to do some additional steps. For example, execute the Win Run command, type "lord", then Ctrl+A, then Ctrl+C and finally Ctrl+V into the locker input window.
Reversed design mode
Both original and unpacked binaries are attached.
Attachments
pass: malware
Ring0 - the source of inspiration
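
A triage check for the Winlogon\Shell persistence described in the post above, added here as an example and not part of the original post. It reads a `.reg` export of the Winlogon key and reports any Shell entry other than plain explorer.exe; the sample export, the path and the file name in it are constructed.

```python
import re

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
DEFAULT_SHELL = "explorer.exe"

# Constructed sample: .reg export of the Winlogon key from a hypothetical
# infected host (path and file name are made up for illustration).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"Shell"="C:\\Users\\user\\Downloads\\flash_update.exe"
'''


def winlogon_shell(reg_text):
    """Return the Shell string stored under the HKLM Winlogon key, or None."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Section header: track whether we are inside the Winlogon key.
            in_key = line[1:-1].lower() == WINLOGON
            continue
        m = re.match(r'"shell"="(.*)"$', line, re.IGNORECASE)
        if in_key and m:
            # .reg string values escape backslash and double quote with "\".
            return re.sub(r"\\(.)", r"\1", m.group(1))
    return None


def unexpected_shell_entries(shell):
    """Return the comma-separated Shell entries that are not plain explorer.exe.

    A full path to explorer.exe is also reported, since it differs from the
    default value and is worth a manual look.
    """
    bad = []
    for entry in shell.split(","):
        e = entry.strip().strip('"')
        if e and e.lower() != DEFAULT_SHELL:
            bad.append(e)
    return bad


if __name__ == "__main__":
    shell = winlogon_shell(SAMPLE_REG)
    print("Shell =", shell)
    print("Unexpected entries:", unexpected_shell_entries(shell or ""))
```
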