A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #7959  by Xylitol
 Fri Aug 12, 2011 1:29 pm
mrbelyash wrote: pass-virus

code?
Payload is extracted to %systemroot%/saliter.exe
The exe file is powered by "Increditools Flash EXE Builder"
The SWF file is dropped into %appdata%/IFViewer/[Random numbers]
I'm not a flash cracker pro but I've seen nothing related to a serial check inside the flash file.
In attach: the swf winlock.

Code:
// Action script...

// [Action in Frame 1]
if (getBytesLoaded() >= getBytesTotal())
{
    gotoAndPlay(5);
} // end if

// [Action in Frame 3]
if (getBytesLoaded() >= getBytesTotal())
{
    gotoAndPlay(5);
} // end if

// [Action in Frame 4]
progress = int(getBytesLoaded() * 100 / getBytesTotal()) add "% - loading Flash...";
gotoAndPlay(3);

// [Action in Frame 19]
stop ();

// [Action in Frame 34]
stop ();

// [Action in Frame 49]
stop ();

// [Action in Frame 64]
stop ();

// [Action in Frame 79]
stop ();

// [Action in Frame 81]
stop ();

// [Action in Frame 96]
stop ();

// [Action in Frame 111]
stop ();
The 'Frame 81' is the bad boy.
Attachments
pwd: xylibox
(2.04 MiB)
 #7961  by mrbelyash
 Fri Aug 12, 2011 2:54 pm
Xylitol wrote:
The 'Frame 81' is the bad boy.
Bad ;(

-ALT+F4
-Win+U
profit
 #7975  by Brock
 Sat Aug 13, 2011 3:26 am
I partially (too boring to continue) reversed one of the winlock/ransom variants last year, nothing too interesting that I saw but the concept was a nice one, a lot of money has been paid to unlock these computers. IIRC it dropped the main executing binary from a resource file, used ownerdrawn controls, disabled keyboard input unless it was numbers 0 - 9 for a "pass code" or some shit like this. Definitely Russian origin, the message basically told me that I would have to pay $ to retrieve a pass code and do so with SMS messages or whatever. I think the GUI was blue and black and had white text, no idea which variant that was.

I have also seen other such stuff which simply locks you out by switching desktops to a new one which is created (CreateDesktop/SwitchDesktop), along with some other bells and whistles such as restricting access to taskman (registry key). I have designed such software myself, but for administration purposes only.
 #7983  by EP_X0FF
 Sat Aug 13, 2011 4:07 pm
Ransom "System Antivirus Microsoft 2011"

Another creature distributed by the LockEmAll gang; similar ones were active a few months ago.


See attach for dropper (it's not even packed), crap written in Delphi + KOL.
When dropped and executed, it writes data to the registry and restarts the computer with an ExitWindowsEx call.

Tel numbers:
89162416577
89150032561
89160232860
89057024639
Runs through
HKLM, HKCU SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Not as aggressive as LockEmAll, but also annoying. Currently distributed through a site with the same pattern as LockEmAll, with the Blackhole exploit kit embedded.

http://www.virustotal.com/file-scan/rep ... 1313248835

Source
hxxp://virobala.in/porn_video.exe
Attachments
pass: malware
(22.59 KiB)
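The post above says the locker runs through the Winlogon\Shell value under HKLM and HKCU. The following PowerShell audit is an added example, not code from the thread or from the sample: it lists every Shell entry that is not the expected explorer.exe, hashes the referenced file for lookup, and optionally restores the value. Running on an infected host from a clean desktop (or offline via a mounted hive) is assumed.

```powershell
# Added example: audit Winlogon\Shell persistence as described in the post.
# Expected state: HKLM Shell = "explorer.exe"; the HKCU Shell value normally does not exist.
param([switch]$Fix)

$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

foreach ($p in $paths) {
    $shell = (Get-ItemProperty -Path $p -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) {
        Write-Output "$p : Shell not set (normal for HKCU)"
        continue
    }
    Write-Output "$p : Shell = '$shell'"

    # Lockers either replace the value or append themselves: "explorer.exe,C:\...\x.exe"
    $entries = $shell -split ',' | ForEach-Object { $_.Trim() }
    $suspicious = $entries | Where-Object { $_ -ine 'explorer.exe' -and $_ -ne '' }

    foreach ($e in $suspicious) {
        Write-Warning "$p : unexpected Shell entry '$e'"
        # First token is the executable path; strip quotes so Test-Path works.
        $exe = ($e -split '\s+')[0].Trim('"')
        if (Test-Path -LiteralPath $exe) {
            $h = Get-FileHash -LiteralPath $exe -Algorithm SHA256
            Write-Output "  referenced file: $exe  SHA256=$($h.Hash)"
        } else {
            Write-Output "  referenced file not found: $exe"
        }
    }

    if ($Fix -and $suspicious) {
        if ($p -like 'HKLM:*') {
            Set-ItemProperty -Path $p -Name Shell -Value 'explorer.exe'
            Write-Output "  restored $p Shell to explorer.exe"
        } else {
            Remove-ItemProperty -Path $p -Name Shell
            Write-Output "  removed per-user Shell override under $p"
        }
    }
}
```

Run without -Fix first to record the hashes and paths before the value is restored; the next logon then gets the normal explorer.exe shell.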
 #8285  by EP_X0FF
 Fri Aug 26, 2011 11:11 am
System Antivirus Microsoft 2011


Numbers to call:
89162563189
89150306152
89150319790
Code:
CODE:004079B0                 mov     edx, offset _str_8901432.Text
CODE:004079B5                 call    @System@@LStrCmp$qqrv ; System::__linkproc__ LStrCmp(void)
CODE:004079BA                 jnz     short loc_4079D7
Unblock code: 8901432

In attach both: original and fully decrypted.

Distribution domain has been blocked.

Full list of domain names allocated to use as drop zones for this type of Ransom trojan.

Attachments
pass: malware
(69.77 KiB)
 #8311  by EP_X0FF
 Sun Aug 28, 2011 10:07 am
Another one "System Antivirus Microsoft 2011"
Unblock code: 094431221

In attach: original and unpacked.
Attachments
pass: malware
(69.46 KiB)