[Cody Johnston]

Hello,

Please merge this post if a topic including this type of ransomware already exists. I have seen this on a couple of customers computers over the last few days. This ransomware encrypts doc, pdf, jpg, rar, zip, etc and makes them all html files. Attached is a sample of one of the files.

It directs to the following site:

hxxp://mdlblock.in

Uses a UID from the PC as an argument when connecting to the page and displays content only when the UID is given.

I do not have a sample of the dropper yet, I'll post one as soon as I find it.

Here is a screenshot of what the user sees when attempting to open a file:

Code: Select all

Domain ID:D7317677-AFIN
Domain Name:MBLBLOCK.IN
Created On:08-May-2013 17:06:06 UTC
Last Updated On:08-May-2013 17:06:07 UTC
Expiration Date:08-May-2014 17:06:06 UTC
Sponsoring Registrar:Webiq Domains Solutions Pvt. Ltd. (R131-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:WIQ_27797905
Registrant Name:Gerald Minhelm
Registrant Organization:N/A
Registrant Street1:176 reroad
Registrant City:Vegas
Registrant State/Province:LA
Registrant Postal Code:15781
Registrant Country:US
Registrant Phone:+1.1005520281
Registrant Email:g.minhelmmm@gmail.com

VT for the URL: https://www.virustotal.com/en/url/87132 ... /analysis/

[Xylitol]

awkward

Code: Select all

hxtp://mblblock.in/files/
hxtp://mblblock.in/pic/
hxtp://mblblock.in/style/
hxtp://mblblock.in/webstat/
hxtp://mblblock.in/modal/
hxtp://mblblock.in/i.php?uid={C22AEF4D-9122-8825-42A7-E0BFA1DD7EC5}
hxtp://mblblock.in/i.php?uid={D4D05D49-6B2D-881A-3082-D4DED9344AAB}
hxtp://mblblock.in/i.php?uid={1E475F6C-BD09-881A-8396-473D4CB1D947}
hxtp://mblblock.in/i.php?uid={CEF4D8C3-4285-881A-ABAB-D1F060964F8A}
hxtp://mblblock.in/core.php
hxtp://mblblock.in/time.php
hxtp://mblblock.in/func.php
hxtp://mblblock.in/step2.php
hxtp://mblblock.in/lang/en.php
hxtp://mblblock.in/lang/de.php
hxtp://mblblock.in/lang/es.php
hxtp://mblblock.in/lang/ca.php
hxtp://mblblock.in/lang/au.php
hxtp://mblblock.in/lang/gb.php
hxtp://mblblock.in/lang/at.php
hxtp://mblblock.in/lang/be.php
hxtp://mblblock.in/lang/ag.php
hxtp://mblblock.in/lang/mx.php
hxtp://mblblock.in/gate/soft.php
hxtp://mblblock.in/gate/core.php
hxtp://mblblock.in/gate/gate.php

https://www.virustotal.com/en/ip-addres ... formation/

Edit 17 may 2013: Gotcha !
sample in attach.
http://www.virustotal.com/file/e7818de3 ... 368756414/

[Dany3j]

Some way to decrypt the files?

[reverser]

For the sample posted by Xylitol, encryption seems to be RC6 and the key is:

Code: Select all

yrw^%$74@0(99GHJGK**&(^867*&^en2evwqevvnfd^&*^*&^$#$#@)**bnmccn

(64 bytes including the trailing 0)

Not sure yet if the key changes per client, but it doesn't look very random so probably the guy typed it manually.

EDIT: ah, it seems there's an additional scrambling applied to the file. If you upload one of the encrypted files, I can check if it can be decrypted.

[Dany3j]

@reverser Is the key different for every client?


I am attaching a sample files, original and encrypted. I used he sample posted by Xylitol.

[reverser]

Here's the decryptor, source and precompiled. Works on the posted files.

[Fabian Wosar]

A more user friendly decrypter is available here as well:

http://tmp.emsisoft.com/fw/decrypt_mblblock.exe

It will automatically detect the encrypted malware files and tries to recover the file names as well. My thanks go to both Xylitol for the actual malware sample and reverser for noticing the file size limitation that I completely missed and wondered why it didn't work properly for some files ;).

[Dany3j]

Thank you, very good job.

[ElPiedra]

Nice work Favian !!!

Guide for using Decrypt_MBLblock in Spanish:
http://www.forospyware.com/t460439.html



Salu2

[Quads]

Hmmmmm

Does the Spamhaus Agent XML advisory with the encryption adding .html to the end use the same encryption as this one (MBL advisory) I wonder.

Quads