A forum for reverse engineering, OS internals and malware analysis 

Trojan.Winlock - Lock Em All

Forum for analysis and discussion about malware.

Trojan.Winlock - Lock Em All

 #4513  by EP_X0FF
 Tue Mar 16, 2010 6:51 pm
This trojan blocker prevents all software execution by displaying all top window that constantly redraws. To remove the Trojan (and unlock windows), infected users need to enter a valid serial number.

Named Lock Em All because of the specific window name.

Image

Once installed it looks like:

Image

Autoruns through HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit as %systemroot%\system32\usrinit.exe

UPDATE July 2011.

Image

Locker has evolved a few months later.

URLS list 26.07.2011

starting from 26 July Lock'Em'All ransomware moved to dedicated bulletproof server hosted by SIA LEMGA criminals affiliated hosting
hxxp://binxx3fi.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://rim5ttds.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://kinvivifas.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://boomfporka.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://z4nixxxi.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://rim5tporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://azxpoixx.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://ebatporkas.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://fingopas.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://xxxbuxc.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://3rewporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://ttedhoki.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://sukazporka.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://cbipoxf.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://ndcporka.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://frtnnbc.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://w2biporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://zx1uporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://llz3porn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://ebpoino.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://5uporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://4tporl.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://llkzporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://hnyporka.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://1qporka.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://sukporn1.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://hhn3por.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://2tipornn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://wq1porm.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://4youporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://3vvporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://ffporm.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://sv2porn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://w3nixx.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://gnpotk.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://2bioko.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://us1porn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://w3vporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://w2yporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://w1porka.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://new3porn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://rim2bi.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://4xrubin.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://diporn1.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://3zuporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://2nporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://1biporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://z4porn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://qqyygf.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://hnkporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://llzxzt.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://mixntrd.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://zzporrno.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://fimsporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://xvidcoms.s3.amazonaws.com/xxx_video.exe DELETED

All client.jp domains suspended or deleted due to abuse.

hxxp://farsioce.client.jp/xxx_video.exe DELETED
hxxp://lecwovil.client.jp/xxx_video.exe DELETED
hxxp://gutfmulti.client.jp/xxx_video.exe DELETED
hxxp://longhanbi.client.jp/xxx_video.exe DELETED
hxxp://ceinopxent.client.jp/xxx_video.exe DELETED
hxxp://clucessnor.client.jp/xxx_video.exe DELETED
hxxp://schoolcountthu.client.jp/xxx_video.exe DELETED
hxxp://rachaword.client.jp/xxx_video.exe DELETED
hxxp://saterdest.client.jp/xxx_video.exe DELETED
hxxp://liaschedaf.client.jp/xxx_video.exe DELETED
hxxp://terdesa.client.jp/xxx_video.exe DELETED
hxxp://visadchi.client.jp/xxx_video.exe DELETED
hxxp://neutricfer.client.jp/xxx_video.exe DELETED
hxxp://idabcoun.client.jp/xxx_video.exe DELETED
hxxp://pzigoket.client.jp/xxx_video.exe DELETED
hxxp://comvapun.client.jp/xxx_video.exe DELETED

hxxp://comdunnbeantrocart.narod.ru/xxx_video.exe INVESTIGATED/CLOSED
hxxp://racviphossotu.narod.ru/xxx_video.exe INVESTIGATED/CLOSED
hxxp://northvalgikacen.narod.ru/xxx_video.exe INVESTIGATED/CLOSED
hxxp://glitiheslynchea.narod.ru/xxx_video.exe INVESTIGATED/CLOSED
hxxp://nievialansscharen.narod.ru/xxx_video.exe INVESTIGATED/CLOSED
hxxp://brazunengavi.narod.ru/xxx_video.exe INVESTIGATED/CLOSED
hxxp://caropesiter.narod.ru/xxx_video.exe INVESTIGATED/CLOSED
hxxp://penfbaddisctranev.narod.ru/xxx_video.exe INVESTIGATED/CLOSED
hxxp://mobejustita.narod.ru/xxx_video.exe INVESTIGATED/CLOSED

Lock'Em'All URL's list at 26.01.2011
Update 28.01.2011
Due to our abuse Yandex suspended all listed below sites.
hxxp://lyudmilazhmkosomovnn.narod2.ru/xxx_video.exe
hxxp://gennadiyeimisalovuk.narod2.ru/xxx_video.exe
hxxp://efimyuyguskovshcha.narod2.ru/xxx_video.exe
hxxp://varvaraishkandinskiyf.narod2.ru/xxx_video.exe
hxxp://daniilgrkrutoyzu.narod2.ru/xxx_video.exe
hxxp://lidiyadmvitinskiyvm.narod2.ru/xxx_video.exe
hxxp://adolftsboyarinove.narod2.ru/xxx_video.exe
hxxp://stepanyggorokhovshchk.narod2.ru/xxx_video.exe
hxxp://evgeniyayaiardankinyae.narod2.ru/xxx_video.exe
hxxp://elzachabalakhnovgshch.narod2.ru/xxx_video.exe
hxxp://veronikauemagazinerga.narod2.ru/xxx_video.exe
hxxp://leonidyueenotineyu.narod2.ru/xxx_video.exe
hxxp://raisakykapitonovsshch.narod2.ru/xxx_video.exe
hxxp://oksanaerlashkinchb.narod2.ru/xxx_video.exe
hxxp://mariyakhkhblinovlb.narod2.ru/xxx_video.exe
hxxp://alangtdemenkovzl.narod2.ru/xxx_video.exe
hxxp://stellappkolomiytsevyo.narod2.ru/xxx_video.exe
hxxp://anfisayrlagutovakh.narod2.ru/xxx_video.exe
hxxp://ninatikramovai.narod2.ru/xxx_video.exe
hxxp://alisaudbaltabevbl.narod2.ru/xxx_video.exe
hxxp://angelinaeevakhrushevym.narod2.ru/xxx_video.exe
hxxp://margaritakhnbagroviyu.narod2.ru/xxx_video.exe
hxxp://azariynnbarsovzhshch.narod2.ru/xxx_video.exe
hxxp://aristarkhefmarkelovep.narod2.ru/xxx_video.exe
hxxp://yuriyshakuzkineg.narod2.ru/xxx_video.exe
hxxp://zinaidakhlzubarevoch.narod2.ru/xxx_video.exe
hxxp://petrzpkuzmichg.narod2.ru/xxx_video.exe
hxxp://olegyatlevkinzh.narod2.ru/xxx_video.exe
hxxp://valeriyashebabatoch.narod2.ru/xxx_video.exe
hxxp://timurzpkalmykovmi.narod2.ru/xxx_video.exe
hxxp://vyacheslavushchglobazh.narod2.ru/xxx_video.exe
hxxp://anastasiyayblobanrv.narod2.ru/xxx_video.exe
hxxp://ivangykoryavinmu.narod2.ru/xxx_video.exe
hxxp://adolfdenabokinyuu.narod2.ru/xxx_video.exe
hxxp://alisayuivoronkovyy.narod2.ru/xxx_video.exe
hxxp://antonshchbesfamilnovzk.narod2.ru/xxx_video.exe
hxxp://milenaesdurkinbsh.narod2.ru/xxx_video.exe
hxxp://vladimiroyaburkinyum.narod2.ru/xxx_video.exe
hxxp://fainaommikhalevsy.narod2.ru/xxx_video.exe
hxxp://sofyaechbutylinyshch.narod2.ru/xxx_video.exe
hxxp://makareebesfamilnovyab.narod2.ru/xxx_video.exe
hxxp://efimyskostinop.narod2.ru/xxx_video.exe
hxxp://antonmboldaevoo.narod2.ru/xxx_video.exe
hxxp://antoninatbbershovgi.narod2.ru/xxx_video.exe
hxxp://adamzavaluevtse.narod2.ru/xxx_video.exe
hxxp://adakhukanalinfo.narod2.ru/xxx_video.exe
hxxp://anzheyyuedagintst.narod2.ru/xxx_video.exe
hxxp://vitaliygkdemchenkogs.narod2.ru/xxx_video.exe
hxxp://eduardzhgzhurovfu.narod2.ru/xxx_video.exe
hxxp://vyacheslavpygachevyae.narod2.ru/xxx_video.exe
hxxp://daryaykarginya.narod2.ru/xxx_video.exe
hxxp://vitaliymtslapinel.narod2.ru/xxx_video.exe
hxxp://nikitatzallenoviyu.narod2.ru/xxx_video.exe
hxxp://susannayzhbarentsevuzh.narod2.ru/xxx_video.exe
hxxp://karinafmamelintl.narod2.ru/xxx_video.exe
hxxp://vladimirbsvalievpe.narod2.ru/xxx_video.exe
hxxp://valentinalykuzminykhkh.narod2.ru/xxx_video.exe
hxxp://konstantinbdkruteleve.narod2.ru/xxx_video.exe
hxxp://rimmafbanrepzy.narod2.ru/xxx_video.exe
hxxp://adolfkyuignatkovichp.narod2.ru/xxx_video.exe
hxxp://tracenin.narod.ru/xxx_video.exe
hxxp://susannafdegtinshr.narod2.ru/xxx_video.exe
hxxp://andreyshchpburyakovt.narod2.ru/xxx_video.exe
hxxp://albinapdvorobevyaa.narod2.ru/xxx_video.exe
hxxp://semenstnovikovzhkh.narod2.ru/xxx_video.exe
hxxp://valeriyaankatkiner.narod2.ru/xxx_video.exe
hxxp://petrtchignatevzd.narod2.ru/xxx_video.exe
hxxp://alevtinaulepikhovkhg.narod2.ru/xxx_video.exe
hxxp://ivettasfgorelovishch.narod2.ru/xxx_video.exe
hxxp://karinaeshchlachkovzhv.narod2.ru/xxx_video.exe
hxxp://prokhorshzmilekhintts.narod2.ru/xxx_video.exe
hxxp://alinazhmerokhinyl.narod2.ru/xxx_video.exe
hxxp://daryayarkuptsovshts.narod2.ru/xxx_video.exe
hxxp://olgaazignatenkovfl.narod2.ru/xxx_video.exe
hxxp://denisbfzhelezkinfkh.narod2.ru/xxx_video.exe
hxxp://semenspkaravaevev.narod2.ru/xxx_video.exe
hxxp://mariyapvmalakhovmy.narod2.ru/xxx_video.exe
hxxp://susannayukhmyshkinde.narod2.ru/xxx_video.exe
hxxp://gennadiybgistominfa.narod2.ru/xxx_video.exe
hxxp://elzalklomadurovlts.narod2.ru/xxx_video.exe
All these sites are duplicate. The only difference (not always) in payload Winlock.
And the only difference inside Winlock is tel numbers (string array, number selects randomly) and unblock code they have on board.
Winlock packed with UPX and protected by some crappy VB cryptor.

Re: Trojan Winlock / Ransom / ScreenLocker

 #3495  by EP_X0FF
 Mon Nov 15, 2010 10:40 am
xxx_video (2)

runs via HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit as %systemroot%\system32\usrinit.exe

Unblock key is 98673 (hardcoded inside binary).

Window specifically named.

edit:
Second is the same, just slightly changed and recrypted.

Unblock code is 123456789.

Here is unpacked for analysis.

Feel the difference in naming :)
Different naming in most cases means that original detection was based on packer layer, specific packer data.

original
http://www.virustotal.com/file-scan/rep ... 1289818885

unpacked
http://www.virustotal.com/file-scan/rep ... 1289818892
Attachments
lolz.GIF
lolz.GIF (3.55 KiB) Viewed 1750 times
Last edited by EP_X0FF on Tue Jan 18, 2011 7:07 am, edited 1 time in total. Reason: merged 2 my posts in one

Re: Trojan Winlock / Ransom / ScreenLocker

 #3510  by Jaxryley
 Tue Nov 16, 2010 1:13 am
Thanks for testing and info EP_X0FF. 8-)

Have installed net framework into all my XP VM's as it's annoying when any malware won't run if it's missing. LOL :twisted:

Re: Trojan Winlock / Ransom / ScreenLocker

 #3516  by nullptr
 Tue Nov 16, 2010 4:45 pm
EP_X0FF wrote:Second is the same, just slightly changed and recrypted.

Here is unpacked for analysis.
Any hints on how you were able to unpack this vb crap would be most appreciated. :)

Re: Trojan Winlock / Ransom / ScreenLocker

 #3518  by EP_X0FF
 Tue Nov 16, 2010 4:53 pm
Already deleted all stuff. In short - traced a little in debugger, dumped, fixed sections + import recovery, resource rebuild. Don't remember exactly but one of these samples was additionally packed with PECompact.

Re: Trojan Winlock / Ransom / ScreenLocker

 #3776  by EP_X0FF
 Tue Nov 30, 2010 1:06 pm
Similar to this http://www.kernelmode.info/forum/viewto ... 3496#p3496

Unblock key is 5590114

Both original and unpacked attached.

http://www.virustotal.com/file-scan/rep ... 1291122505
http://www.virustotal.com/file-scan/rep ... 1291122509

edit:

Another variant of the same trash. Seems to be they only recrypt and change unblock key.

Source hxxp://z.emozgetcherez.ru/xxx_video.exe (81.177.6.6) Server producing updated executables almost every day for a long time.

Unblock key is 9208841

http://www.virustotal.com/file-scan/rep ... 1291539640
Attachments
pass: malware
(24.75 KiB) Downloaded 104 times
Last edited by EP_X0FF on Tue Jan 18, 2011 7:08 am, edited 1 time in total. Reason: merged 2 my posts in one

Re: Trojan Winlock / Ransom / ScreenLocker

 #3901  by nullptr
 Thu Dec 09, 2010 1:14 pm
As above, the same vb crypter
MD5 : 5aef3c0aa8a55a94e58f57bc509ca6bc
SHA1 : 05146156ac61e17bdeb1c45baf60e46e39798a87

original - http://www.virustotal.com/file-scan/rep ... 1291853823 - 29/43

unpacked - http://www.virustotal.com/file-scan/rep ... 1291899671 - 24/42

original file, unpacked and unlock code attached.
Attachments
password : malware
(28.41 KiB) Downloaded 90 times

Re: Trojan Winlock / Ransom / ScreenLocker

 #4455  by EP_X0FF
 Sat Jan 15, 2011 10:05 am
xxx_video is back, kiddies switched hosting (previous was suspended).

Unblock key 90650231

source hxxp://ruvipxxxa.ru/x/xxx_video.exe

kiddies are very productive, so probably new rebuild with new key will be released maybe even today

http://www.virustotal.com/file-scan/rep ... 1293121465

Image

edit:

Winlock "Lock Em All"

Unblock key 80633210

Source hxxp://lectfenu.narod.ru/xxx_video.exe
Could be more in near future with different unblock codes.

And the name of Script Kiddie - Anton.
file://localhost/C:/Documents and Settings/anton/Рабочий стол/шаблон/Новая папка/Бесплатное видео - Видео для взрослых онлайн бесплатно, порно онлайн, секс онлайн.htm
Lock Em All (from "KissMyAss")

http://www.virustotal.com/file-scan/rep ... 1294828843

Tel to call
8-965-410-18-28
8-965-265-90-43
8-965-349-54-86
8-964-726-13-05
8-962-932-68-24
8-962-932-61-98
8-962-946-59-35
8-965-397-97-74
8-965-368-62-83
8-962-932-86-59
8-964-776-85-38
8-965-340-45-23
8-965-391-93-23
8-965-397-55-37
8-903-203-15-06
8-903-202-97-76
8-965-350-76-13
8-965-265-91-09
8-965-397-97-53
8-903-202-89-00
Unblock code 8893020

Source hxxp://adolfkyuignatkovichp.narod2.ru/xxx_video.exe

edit0:

Lock Em All from "KissMyAss"

http://www.virustotal.com/file-scan/rep ... 1295082352

Tel to call
8-903-103-26-31
8-965-368-63-07
8-965-375-16-52
8-967-139-46-77
8-963-636-71-70
8-963-724-50-69
8-965-211-05-09
8-963-724-50-56
8-965-375-25-31
8-963-625-39-08
8-965-368-63-00
8-965-375-21-68
8-965-397-54-82
8-963-725-38-59
8-903-574-51-80
8-903-103-23-52
8-963-725-38-62
8-903-285-65-21
8-905-530-49-67
8-903-556-34-49
8-965-211-04-94
8-962-936-40-57
8-965-376-02-84
8-964-724-16-09
8-903-574-49-86
8-903-285-67-59
8-965-397-54-80
8-963-625-39-16
8-903-103-23-74
8-963-724-50-49
8-963-724-65-42
8-906-047-90-95
8-903-668-87-62
8-906-047-88-35
8-903-668-87-74
8-903-668-88-43
8-964-595-72-90
8-964-531-80-84
8-964-531-91-71
8-964-532-24-53
8-964-532-26-61
8-964-531-41-26
8-964-531-54-61
8-967-091-89-04
8-964-531-07-52
Unblock key 773020547

Source hxxp://eduardzhgzhurovfu.narod2.ru/xxx_video.exe

edit1:

Lock Em All

http://www.virustotal.com/file-scan/rep ... 1295084919
8-903-534-67-60
8-903-534-65-94
8-903-534-65-29
8-963-630-60-12
8-903-238-39-66
8-903-238-29-61
8-903-238-39-94
8-903-238-40-02
8-903-238-39-65
8-903-238-39-86
8-965-376-97-17
8-965-377-67-34
8-965-376-01-37
8-965-377-16-21
8-965-377-03-80
8-965-376-99-18
8-965-376-98-45
8-965-377-15-93
8-965-377-16-20
8-963-661-50-54
8-963-661-49-45
8-963-661-48-85
8-965-377-12-43
8-965-376-16-71
8-965-376-17-61
8-965-377-20-47
8-965-376-18-33
8-965-376-18-91
8-965-377-20-80
8-965-376-07-88
8-962-970-87-45
8-962-970-87-73
8-965-377-74-52
8-965-377-77-24
8-963-635-28-22
8-963-635-28-51
8-963-635-28-57
8-963-635-28-59
8-963-635-28-34
8-963-635-28-12
8-963-635-28-11
8-963-635-28-04
Unblock key 8863314

Source hxxp://daryaykarginya.narod2.ru/xxx_video.exe

edit2:

Lock Em All

http://www.virustotal.com/file-scan/rep ... 1295085416
8-965-389-00-51
8-962-932-61-89
8-964-779-40-31
8-965-388-99-85
8-964-726-14-54
8-962-932-62-63
8-965-375-17-90
8-964-779-40-64
8-962-941-31-47
8-965-391-94-21
8-965-397-56-81
8-962-932-62-54
8-903-202-60-12
8-964-779-01-49
8-962-932-68-22
8-965-410-19-37
8-965-137-20-55
8-903-285-69-46
8-965-410-19-23
8-965-251-57-76
8-965-397-56-62
8-965-388-99-87
8-965-312-84-68
8-962-941-15-84
8-965-410-19-35
8-962-941-30-77
8-965-339-50-51
8-965-391-93-45
8-965-375-17-87
8-963-724-50-57
8-965-375-98-31
8-965-350-73-26
8-903-103-16-44
8-965-397-54-78
8-963-724-64-76
8-962-946-59-36
8-965-340-45-38
8-965-375-97-44
8-962-936-39-85
8-963-724-65-76
Unblock key 103999551

Source hxxp://vitaliymtslapinel.narod2.ru/xxx_video.exe

Sample similar to previously attached (only tel/unblock is different) so no sense to attach it again.

Lock Em All

http://www.virustotal.com/file-scan/rep ... 1295085762

Tel to call
8-903-534-67-60
8-903-534-65-94
8-903-534-65-29
8-963-630-60-12
8-903-238-39-66
8-903-238-29-61
8-903-238-39-94
8-903-238-40-02
8-903-238-39-65
8-903-238-39-86
8-965-376-97-17
8-965-377-67-34
8-965-376-01-37
8-965-377-16-21
8-965-377-03-80
8-965-376-99-18
8-965-376-98-45
8-965-377-15-93
8-965-377-16-20
8-963-661-50-54
8-963-661-49-45
8-963-661-48-85
8-965-377-12-43
8-965-376-16-71
8-965-376-17-61
8-965-377-20-47
8-965-376-18-33
8-965-376-18-91
8-965-377-20-80
8-965-376-07-88
8-962-970-87-45
8-962-970-87-73
8-965-377-74-52
8-965-377-77-24
8-963-635-28-22
8-963-635-28-51
8-963-635-28-57
8-963-635-28-59
8-963-635-28-34
8-963-635-28-12
8-963-635-28-11
8-963-635-28-04
Unblock key 8863314

Source hxxp://antonmboldaevoo.narod2.ru/xxx_video.exe

edit:

Lock Em All

http://www.virustotal.com/file-scan/rep ... 1295086272
8-906-096-84-30
8-906-096-84-29
8-906-096-84-19
8-906-096-83-99
8-906-096-83-93
8-906-096-83-57
8-906-096-83-12
8-906-096-82-96
8-906-096-82-83
8-906-096-82-71
8-906-096-81-89
8-906-096-80-85
8-906-096-80-35
8-906-096-98-14
8-906-096-97-82
8-906-096-97-55
8-906-096-79-98
8-906-096-79-82
8-906-096-79-25
8-906-096-75-90
8-906-096-76-27
8-906-096-76-28
8-906-096-99-02
8-906-096-98-95
8-906-096-98-84
8-906-096-98-90
8-906-096-98-82
8-906-096-98-79
8-906-096-98-72
8-906-096-98-66
8-906-096-98-56
8-906-096-98-54
8-906-096-98-29
8-906-096-98-28
8-906-097-10-74
8-906-097-10-79
8-906-097-10-80
8-906-097-11-20
8-906-097-11-24
8-906-097-11-26
8-963-662-94-73
8-963-662-96-33
8-963-662-97-22
8-963-662-97-67
8-963-661-73-04
8-963-661-74-91
8-963-661-75-54
8-963-661-47-55
8-963-661-47-26
8-963-661-79-03
8-963-661-75-91
8-963-661-47-99
8-963-661-55-61
8-963-661-55-01
8-963-661-53-94
8-963-661-53-84
8-963-661-53-48
8-963-661-79-90
Unblock key 8059632

Source hxxp://adakhukanalinfo.narod2.ru/xxx_video.exe

edit2:

Lock Em All

http://www.virustotal.com/file-scan/rep ... 1295086626
8-962-941-15-40
8-903-285-68-01
8-964-779-37-22
8-965-312-83-42
8-962-941-30-63
8-965-312-84-15
8-963-625-39-03
8-962-931-07-78
8-965-250-84-46
8-965-388-99-89
8-965-312-83-44
8-965-410-19-34
8-962-932-62-57
8-964-779-39-58
8-965-410-18-22
8-965-375-03-73
8-964-724-13-69
8-965-312-83-36
8-965-251-80-42
8-964-779-37-53
8-965-143-89-16
8-962-941-33-39
8-964-726-14-72
8-962-932-68-08
8-965-347-15-37
8-903-202-59-65
8-964-726-13-07
8-965-350-73-72
8-965-397-56-83
8-962-932-61-95
8-962-945-64-62
8-965-389-00-56
8-964-726-14-49
8-965-397-56-29
8-903-203-02-66
8-962-941-33-47
8-964-726-14-47
8-965-143-85-74
8-965-340-45-24
8-965-410-17-46
Unblock key 36420102

Source hxxp://milenaesdurkinbsh.narod2.ru/xxx_video.exe

http://www.virustotal.com/file-scan/rep ... 1295087300

Tel to call
8-965-388-99-52
8-903-202-98-47
8-903-202-98-86
8-965-388-99-24
8-964-778-59-57
8-962-932-66-39
8-962-932-66-42
8-965-287-06-75
8-965-287-06-87
8-903-202-99-12
8-965-388-99-61
8-965-388-99-57
8-965-388-99-58
8-962-932-66-37
8-962-941-11-05
Unblock key 8875510

Source hxxp://anzheyyuedagintst.narod2.ru/xxx_video.exe


http://www.virustotal.com/file-scan/rep ... 1295181998
http://www.virustotal.com/file-scan/rep ... 1295182910

Tel to call
8-965-377-73-10
8-965-377-71-60
8-965-377-68-65
8-964-539-49-65
8-964-539-49-71
8-964-539-49-93
8-964-539-35-10
8-964-539-35-18
8-964-539-36-09
8-964-539-42-00
8-964-539-43-11
8-964-537-59-60
8-964-539-14-87
8-964-539-16-60
8-965-376-16-41
8-965-376-13-16
8-965-376-10-17
8-965-376-09-85
8-965-376-08-42
Unblock key 33920504

Source hxxp://fainaommikhalevsy.narod2.ru/xxx_video.exe
Source hxxp://efimyskostinop.narod2.ru/xxx_video.exe

edit:

Lock Em All (very hot, compiled is about 2 hours ago with Visual Studio runtime, so it won't work without 2008 runtime, some sort of fail)

http://www.virustotal.com/file-scan/rep ... 1295182492

Tel to call
8-906-096-62-03
8-906-096-62-16
8-906-096-86-12
8-906-096-62-27
8-906-096-85-99
8-906-096-69-53
8-906-096-69-33
8-906-096-68-09
8-906-096-67-99
8-906-096-67-45
8-906-096-67-27
8-906-096-66-84
8-906-096-66-25
8-906-096-65-66
8-906-096-65-82
8-906-096-65-50
8-906-096-64-80
8-906-096-64-58
8-906-096-64-45
8-906-096-63-87
8-965-378-09-91
8-967-151-52-77
8-967-151-52-78
8-965-357-85-36
8-965-357-87-73
8-965-378-18-29
8-965-378-18-24
8-965-378-18-23
8-965-378-16-91
8-965-378-16-63
8-965-378-16-55
8-965-378-15-68
8-965-378-11-45
8-965-378-13-00
Unblock key 00059070

Source hxxp://vladimirbsvalievpe.narod2.ru/xxx_video.exe

edit2:

Lock Em All

http://www.virustotal.com/file-scan/rep ... 1295183328

Tel to call
8-909-650-39-36
8-909-650-39-37
8-909-650-42-51
8-909-650-42-40
8-909-650-42-14
8-909-650-42-11
8-909-650-42-02
8-909-650-41-87
8-909-650-41-68
8-909-650-41-64
8-909-650-41-57
8-909-650-41-49
8-909-650-44-70
8-909-650-44-60
8-906-097-14-42
8-906-097-14-25
8-906-097-14-09
8-906-097-13-94
8-906-097-13-93
8-906-097-13-91
8-903-202-97-53
8-903-203-11-79
8-965-410-17-38
8-965-340-45-32
8-965-265-90-20
Unblock key 99105784

Source hxxp://antoninatbbershovgi.narod2.ru/xxx_video.exe
Last edited by EP_X0FF on Fri Feb 04, 2011 6:09 am, edited 5 times in total. Reason: edit, merged my own posts in one

Re: Trojan Winlock / Ransom / ScreenLocker

 #4502  by Xylitol
 Mon Jan 17, 2011 7:43 am
xxx_video.exe
Number to Call: 8-903-534-68-77 ~ 89035346877
Code to unlock Windows: 18203478

Image

Image

sources:
Code: Select all
hxxp://susannafdegtinshr.narod2.ru/
hxxp://andreyshchpburyakovt.narod2.ru/
hxxp://albinapdvorobevyaa.narod2.ru/
also a domain not noticed:
Code: Select all
hxxp://semenstnovikovzhkh.narod2.ru/
Attachments
see archive coment for password
(36.08 KiB) Downloaded 87 times
 Return to “Malware”