[mrbelyash]

Need winlock's with webmoney
Who knows? :shock:

[mrbelyash]

pass-virus

code?

[Xylitol]

pass-virus

code?

Payload extract in %systemroot%/saliter.exe
exe file is powered by "Increditools Flash EXE Builder"
SWF File is dropped into %appdata%/IFViewer/[Random numbers]
i'm not a flash cracker pro but i've see nothing related to a serial check inside the flash file.
in attach the swf winlock.

Code: Select all

// Action script...

// [Action in Frame 1]
if (getBytesLoaded() >= getBytesTotal())
{
    gotoAndPlay(5);
} // end if

// [Action in Frame 3]
if (getBytesLoaded() >= getBytesTotal())
{
    gotoAndPlay(5);
} // end if

// [Action in Frame 4]
progress = int(getBytesLoaded() * 100 / getBytesTotal()) add "% - loading Flash...";
gotoAndPlay(3);

// [Action in Frame 19]
stop ();

// [Action in Frame 34]
stop ();

// [Action in Frame 49]
stop ();

// [Action in Frame 64]
stop ();

// [Action in Frame 79]
stop ();

// [Action in Frame 81]
stop ();

// [Action in Frame 96]
stop ();

// [Action in Frame 111]
stop ();

the 'Frame 81' is the bad boy.

[mrbelyash]

pass-virus

code?

Payload extract in %systemroot%/saliter.exe
exe file is powered by "Increditools Flash EXE Builder"
SWF File is dropped into %appdata%/IFViewer/[Random numbers]
i'm not a flash cracker pro but i've see nothing related to a serial check inside the flash file.
in attach the swf winlock.

Code: Select all

// Action script...

// [Action in Frame 1]
if (getBytesLoaded() >= getBytesTotal())
{
    gotoAndPlay(5);
} // end if

// [Action in Frame 3]
if (getBytesLoaded() >= getBytesTotal())
{
    gotoAndPlay(5);
} // end if

// [Action in Frame 4]
progress = int(getBytesLoaded() * 100 / getBytesTotal()) add "% - loading Flash...";
gotoAndPlay(3);

// [Action in Frame 19]
stop ();

// [Action in Frame 34]
stop ();

// [Action in Frame 49]
stop ();

// [Action in Frame 64]
stop ();

// [Action in Frame 79]
stop ();

// [Action in Frame 81]
stop ();

// [Action in Frame 96]
stop ();

// [Action in Frame 111]
stop ();

the 'Frame 81' is the bad boy.

Bad ;(

-ALT+F4
-Win+U
profit

[Brock]

I partially (too boring to continue) reversed one of the winlock/ransom variants last year, nothing too interesting that I saw but the concept was a nice one, a lot of money has been paid to unlock these computers. IIRC it dropped the main executing binary from a resource file, used ownerdrawn controls, disabled keyboard input unless it was numbers 0 - 9 for a "pass code" or some shit like this. Definitely Russian origin, the message basically told me that I would have to pay $ to retrieve a pass code and do so with SMS messages or whatever. I think the GUI was blue and black and had white text, no idea which variant that was.

I have also seen other such stuff which simply lock you out by switching desktops to a new one which is created (CreateDesktop/SwitchDesktop) along with some other bells and whistles such as restricting access to taskman (registry key). I have designed such software myself but for administration purposes only

[EP_X0FF]

Ransom "System Antivirus Microsoft 2011"

Another creature distributed by LockEmAll gang, similar of this were active few months ago.



See attach for dropper (it's even not packed), crap written on Delphi + KOL.
When dropped and executed - writes data to registry and restarts computer with ExitWindowsEx call.

Tel numbers:

89162416577
89150032561
89160232860
89057024639

Runs through

HKLM, HKCU SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Not so aggressive like LockEmAll, but also annoying. Currently distributed through site with equal to LockEmAll pattern with Blackhole exploit kit embedded.

http://www.virustotal.com/file-scan/rep ... 1313248835

Source
hxxp://virobala.in/porn_video.exe

[mrbelyash]

pass-virus

[GMax]

pass-virus

Number to call:
+7 981 887 10 82
+7 981 878 43 51
+7 981 887 10 83

no unlock code

[EP_X0FF]

System Antivirus Microsoft 2011



Numbers to call:

89162563189
89150306152
89150319790

Code: Select all

CODE:004079B0                 mov     edx, offset _str_8901432.Text
CODE:004079B5                 call    @System@@LStrCmp$qqrv ; System::__linkproc__ LStrCmp(void)
CODE:004079BA                 jnz     short loc_4079D7

Unblock code: 8901432

In attach both - original and fully decrypted.

Distribution domain has been blocked.

Full list of domain names allocated to use as drop zones for this type of Ransom trojan.

ZASEUJEK.RU
VELUIO.RU
VALANTUREST.RU
UKPANAMARE.RU
OKEOKEOKE.RU
ADULTVIDEORUS.RU
ZDARAVKI.RU
XXXPOREVOO.RU
RAZVRATSPBE.RU
RUSADALT.RU
PISSI4KI.RU
GIRLZP.RU
BOYXXX.RU
BOYGIR.RU
ZELLLKA.RU
OPPOSMOTRI.RU
CEEELKA.RU
ARHIVNU.RU

[EP_X0FF]

Another one "System Antivirus Microsoft 2011"
Unblock code: 094431221

In attach original and unpacked.