
Trojan Winlock / Ransom / ScreenLocker

Posted: Thu Jun 24, 2010 6:28 pm
by EP_X0FF
This thread is about Trojan Winlock aka Ransom/Homoblocker/ScreenLocker/LockScreen/Wlock.

VirusTotal
http://www.virustotal.com/ru/analisis/3 ... 1277403545

Runs through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit key.
Works in safe mode. Displays some pr0n and locks desktop screen.
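
Added example, not part of any post in this thread: a Python check for the Userinit persistence named in the first post, run over saved `reg query` output. The sample registry text, the `example_locker.exe` path and the function names are constructed for illustration, and the check assumes the stock value is `<SystemRoot>\system32\userinit.exe,`.

```python
import re

# Value named in the first post; Winlogon starts every comma-separated entry at logon.
VALUE_NAME = "Userinit"

def parse_reg_value(reg_output, name):
    """Return the data of a string value from `reg query` text, or None if absent."""
    pat = re.compile(r"^[ \t]+" + re.escape(name) + r"[ \t]+REG_(?:EXPAND_)?SZ[ \t]*(.*)$",
                     re.I | re.M)
    m = pat.search(reg_output)
    return m.group(1).strip() if m else None

def audit_userinit(reg_output, system_root=r"C:\Windows"):
    """Return (status, extra): status is 'ok', 'suspicious' or 'missing'."""
    data = parse_reg_value(reg_output, VALUE_NAME)
    if data is None:
        return ("missing", [])
    root = system_root.lower()
    expected = root + r"\system32\userinit.exe"
    seen_expected, extra = False, []
    for entry in (e.strip().strip('"') for e in data.split(",")):
        if not entry:
            continue  # the stock value ends with a trailing comma
        norm = entry.lower().replace("%systemroot%", root).replace("%windir%", root)
        if norm == expected:
            seen_expected = True
        else:
            extra.append(entry)  # anything else runs at every logon: review it
    return ("ok" if seen_expected and not extra else "suspicious", extra)

# Constructed samples in `reg query` output format (not taken from any sample in the thread).
CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
"""
APPENDED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\ProgramData\example_locker.exe
"""
REPLACED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\ProgramData\example_locker.exe
"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN), ("appended", APPENDED), ("replaced", REPLACED)):
        print(label, audit_userinit(text))
```

A status of `suspicious` with an empty `extra` list means the value exists but the stock userinit.exe entry is gone, which also leaves logon broken until the value is restored.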

Trojan.Ransom

Posted: Mon Nov 15, 2010 8:34 am
by Jaxryley
This one needs to be run on a real Win 7 (or maybe Vista) system to see the full effects.

It seems to be using something like the secure desktop background to lock the mouse in a window.

The mouse lock doesn't or can't seem to happen in a Win 7 VM.

First a dialogue box appears with writing I can't understand, where you can select numbers for input into a line, and the mouse is captured in this screen.

Then a page opens behind with graphic pron scenes.

If anyone wants to have a look remember that graphic pron will show and you won't see the mouse lock if run in a VM but nothing else seems clickable if run in a Win 7 VM.

Doesn't seem to run properly in XP.

Malwarebytes - Trojan.Ransom
xxx_video.exe - 10/19 - MD5: 2bcae695288cd75a2d71c0dbb69359fd
http://virusscan.jotti.org/en/scanresul ... 1e32ac03f0
Pass: malware


Re: Trojan.Ransom

Posted: Mon Nov 15, 2010 8:51 am
by EP_X0FF
Hello,

It needs Net Framework 2 to work.
Vista / Seven - it is built-in.

Sample runs through HKLM\... Run key as "Windows boot"

Can be removed from Safe mode.

Here is that crap unpacked. Written in Delphi, Russian origin.

Regards.

Re: Trojan Winlock / Ransom / ScreenLocker

Posted: Tue Nov 16, 2010 9:59 pm
by Jaxryley
How to kill em without a reset.

I use the free WinHotKey utility to set two hot keys that run RogueKiller when hit.

http://www.softpedia.com/progDownload/W ... 48832.html

http://www.sur-la-toile.com/RogueKiller/

Another sample:
xxx_video_77498.avi.exe - 22/43 - MD5 : 1980cdff48796a156a69bbc5b71b8bc6
http://www.virustotal.com/file-scan/rep ... 1289946117
Pass: malware


Re: Trojan Winlock / Ransom / ScreenLocker

Posted: Wed Nov 17, 2010 7:08 am
by EP_X0FF
This one is written in Delphi + KOL.

Usually I'm using my own tool designed to work specially with lockers.

Re: Trojan Winlock / Ransom / ScreenLocker

Posted: Mon Nov 22, 2010 2:24 pm
by Jaxryley
XP VM.

This one instigates a reboot and hotkeys won't work with it active.

Had to boot from a live CD and delete the exe, or you can put RogueKiller in the Startup folder before executing the sample, which will kill the trojan's process at restart.

xpiofrbtkzhr.exe - 18/43 - TR/Ransom
http://www.virustotal.com/file-scan/rep ... 1290435591
Pass: infected


Re: Trojan Winlock / Ransom / ScreenLocker

Posted: Sat Dec 11, 2010 3:43 am
by nullptr
Delphi crypter, unpacked locker written in Delphi + KOL

Original + unpacked attached.

Re: Trojan Winlock / Ransom / ScreenLocker

Posted: Sun Dec 12, 2010 11:19 pm
by treehouse786
so how do i remove this bastard malware??

Re: Trojan Winlock / Ransom / ScreenLocker

Posted: Tue Dec 14, 2010 7:14 am
by kmd
treehouse786 wrote: so how do i remove this bastard malware??
unblock keys posted above

Re: Trojan Winlock / Ransom / ScreenLocker

Posted: Mon Dec 27, 2010 4:49 am
by Jaxryley
Not many hits at VT.

xxx_video_26726.avi.exe - 4/43 - MD5 : 91096e06bc95a718d0b67661764a92b3
http://www.virustotal.com/file-scan/rep ... 1293425025
Pass: infected
