A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24547  by EP_X0FF
 Mon Dec 08, 2014 9:11 am
Malware that infects executable files on the victim's computer and asks the victim to pay a ransom in BTC.

Each infected executable is overwritten with a copy of the malware that keeps the icon of the original executable. Infecting executables en masse gives this malware the ability to survive removal and re-infect the PC.

Runs via
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Alters Windows Explorer settings:
1) file extensions -> reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2) hidden files -> reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Turns off UAC -> reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Monitors user activity -> blocks execution of several programs by looking for specific window titles/class names, including the malware's own process names.
The following names are identified:
1) Windows Task Manager
2) Run
3) Open
4) malware process names (thus preventing, for example, viewing process properties)
5) RegEdit_RegEdit

Capable of infecting removable drives.


Example of an infected file -> https://www.virustotal.com/en/file/113c ... /analysis/ (gmer found on an infected computer was used)

One of the VT reports for the sample in the archive
https://www.virustotal.com/en/file/4183 ... /analysis/
Don't be confused by the high VT detection ratio - only 4 products here correctly detect this malware.
Attachments
pass: infected
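One way to hunt for the infection pattern described in this post (many unrelated executables overwritten with the same malware body, only the original icon kept), as an added example that is not part of the original post or the sample: group executables by a hash of their executable section, so files with byte-identical code but different resources cluster together. It parses PE headers in pure Python over constructed in-memory samples; the paths, code bytes and `build_pe` helper are made up for testing and are not taken from the malware.

```python
import hashlib
import struct
from collections import defaultdict

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def code_section_hash(data: bytes):
    """SHA-256 of the first executable section's raw bytes, or None if data is not a usable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < pe_off + 24 or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    sec_off = pe_off + 24 + opt_size                           # section table follows the headers
    if sec_off + 40 * nsec > len(data):                        # truncated section table
        return None
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        if f[9] & IMAGE_SCN_MEM_EXECUTE:                       # Characteristics marks it executable
            return hashlib.sha256(data[f[4]:f[4] + f[3]]).hexdigest()  # raw bytes at PointerToRawData
    return None

def find_clones(files, min_copies=3):
    """Return {code_hash: [paths]} for code sections shared by >= min_copies otherwise unrelated files:
    the post describes every infected file as the same malware body with only the icon swapped."""
    groups = defaultdict(list)
    for path, data in files.items():
        h = code_section_hash(data)
        if h:
            groups[h].append(path)
    return {h: sorted(p) for h, p in groups.items() if len(p) >= min_copies}

def build_pe(code: bytes, icon: bytes) -> bytes:
    """Constructed minimal PE (no optional header, one .text and one .rsrc section); not loadable."""
    pe_off, nsec = 0x40, 2
    code_ptr = pe_off + 24 + nsec * 40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0, 0x0102)
    text = struct.pack(SECTION_FMT, b".text", len(code), 0x1000, len(code), code_ptr, 0, 0, 0, 0, 0x60000020)
    rsrc = struct.pack(SECTION_FMT, b".rsrc", len(icon), 0x2000, len(icon), code_ptr + len(code), 0, 0, 0, 0, 0x40000040)
    return dos + coff + text + rsrc + code + icon

# Constructed sample set: three "infected" files share one stub, two clean files carry their own code.
STUB = b"\x55\x8b\xec" + b"CONSTRUCTED-STUB" * 4  # placeholder bytes, not real malware
SAMPLE_FILES = {p: build_pe(STUB, b"ICON:" + p.encode()) for p in ("report.exe", "viewer.exe", "setup.exe")}
SAMPLE_FILES["notepad.exe"] = build_pe(b"\x55\x8b\xec\x83\xec\x40\xc3", b"ICON:notepad")
SAMPLE_FILES["calc.exe"] = build_pe(b"\x55\x8b\xec\x33\xc0\x5d\xc3", b"ICON:calc")
```

Legitimate files can also cluster this way (many copies of one installer or launcher stub), so treat a hit as a lead to verify against a VT report or known-good hashes rather than as a verdict.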
 #28897  by Mosh
 Sun Jul 17, 2016 3:01 am
Hi

I don't know if this ransomware is active again; it looks like nothing has changed in its functionality.

Virlock.exe
eeeb3519dbba09bd590076ab921e9d17
c92a20e3ce9756ea1b2a0f89626cd093e6de573b
a95f93b1a16559b07820aea239014c2169161ce23d378a05d0c82bf960941e30
805.0 KB
https://www.virustotal.com/es/file/a95f ... /analysis/

Regards!
Attachments