Sysinternals Forum > Windows Discussions > Malware

Trojan Ransom (WinLock, LockScreen)

bootsect
Senior Member
Joined: 24 December 2009
Points: 747
Posted: 19 February 2010 at 3:45pm
Recently downloaded this ransomware with another bunch of trojans.

http://www.virustotal.com/analisis/43694f789039da280ddb348151b4169189b9727792c246c3319944ddfcc66bef-1266594218

Dropper DLL, contains pr0n pictures and most of the code

http://www.virustotal.com/analisis/96856c4d7de0e4bd05b1d0e6c365265658567e831c49a20881856f651fa8720f-1266594125

This piece of script-kiddies' work gave me a lot of LOLs during the reversing process, which took about ten minutes.

This problem is mostly relevant only to Russia and Ukraine, due to totally corrupted law enforcement and mobile operators.

Typical behaviour of locker trash:

When launched, the trojan sets itself to autorun via registry keys.
Disables Task Manager and blocks some tools from working.
Displays an invincible popup window over the whole desktop, blocking any kind of work.
Constantly redraws itself and keeps its window topmost.

This one displays some pr0n and asks for money (varies from 300 RUR to 1000+ RUR). You need to send a few SMS to get the unblocking code. Typical ransom behaviour oriented at low-knowledge users.

[Screenshot: censored locker window]


  // decompiled excerpt of the dialog handler that validates the entered code
  if ( a3 != 1 )
    return 0;
  v6 = GetDlgItem(hWnd, 1006);
  GetWindowTextA(v6, &String, 32);
  v5 = _atoi64(&String) + 148808;                       // hardcoded constant
  if ( (_DWORD)v5 != 185109471 || HIDWORD(v5) != 1 )    // hardcoded unblock, first value
  {
    if ( (_DWORD)v5 != 104501510 || HIDWORD(v5) != 2 )  // hardcoded unblock, second value
      goto ShowNagMessageBox;
    v7 = 1;
  }


So basically the unblock code is checked by this algorithm:

1. Get the window's Edit Control text
2. _atoi64 it
3. Add a hardcoded constant to that value
4. Check that the LowPart of the Int64 == some constant and the HighPart of the Int64 == some constant
5. Ask for a second code, which is checked in the same manner.

Valid unblock codes for this variant are:
Stage 1. 4479927959
Stage 2. 8694287294

If you are interested in the pictures that the trojan shows, here they are (a simple archive with a few low-quality BMPs, not malware):

http://rapidshare.com/files/352899434/pr0n_pics.rar.html


Edited by bootsect - 19 February 2010 at 4:04pm
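The two-stage check quoted in the post above, reconstructed as an added example (my own code, not anything from the forum thread or the sample). It mirrors the decompiled logic, including a stand-in for `_atoi64` and the split of the 64-bit sum into its low and high DWORDs, and then inverts the check to show that the hard-coded constants uniquely determine the codes the post lists. The constants are those quoted in the decompiled excerpt; all function and variable names are mine.

```python
# Added example, not from the forum post: re-implementation of the WinLock
# unlock-code check recovered from the decompiled dialog handler, plus the
# inverse that derives a valid code from the hard-coded constants.
# The numeric constants are the ones quoted in the decompilation; the
# function names (atoi64, check_code, derive_code) are my own.

ADDED_CONSTANT = 148808

# (LODWORD, HIDWORD) pairs the sample compares against: stage 1, then stage 2
EXPECTED = [
    (185109471, 1),
    (104501510, 2),
]

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def atoi64(text: str) -> int:
    """Minimal stand-in for the CRT _atoi64: skip leading whitespace, accept an
    optional sign, consume digits, stop at the first non-digit; no digits -> 0.
    The result is wrapped to a signed 64-bit value as the CRT would return."""
    i, n = 0, len(text)
    while i < n and text[i].isspace():
        i += 1
    sign = 1
    if i < n and text[i] in "+-":
        sign = -1 if text[i] == "-" else 1
        i += 1
    value = 0
    while i < n and text[i].isdigit():
        value = value * 10 + (ord(text[i]) - ord("0"))
        i += 1
    value = (sign * value) & MASK64
    return value - (1 << 64) if value >> 63 else value


def split_dwords(v: int):
    """Split a 64-bit value into (LODWORD, HIDWORD), as the decompiled check does."""
    v &= MASK64
    return v & MASK32, (v >> 32) & MASK32


def check_code(entered: str, stage: int) -> bool:
    """Mirror of the decompiled branch: atoi64 the edit-box text, add the
    constant, then compare the low and high halves with the stage's constants."""
    low, high = split_dwords(atoi64(entered) + ADDED_CONSTANT)
    return (low, high) == EXPECTED[stage]


def derive_code(stage: int) -> int:
    """Invert the check: rebuild the only 64-bit value with those two halves
    and subtract the constant that the handler adds."""
    low, high = EXPECTED[stage]
    return ((high << 32) | low) - ADDED_CONSTANT


def recover_all_codes():
    """Derive the code for every stage, in order."""
    return [derive_code(s) for s in range(len(EXPECTED))]


if __name__ == "__main__":
    for stage, code in enumerate(recover_all_codes(), 1):
        ok = check_code(str(code), stage - 1)
        print(f"stage {stage}: {code} -> check passes: {ok}")
```

Because each stage compares both halves of the sum against fixed values, exactly one 64-bit sum satisfies it, so the subtraction gives the single valid code per stage; running the block reproduces the two values quoted in the post. The `atoi64` stand-in also shows why trailing garbage after the digits does not matter to the original check.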
Meriadoc
Senior Member
Joined: 22 August 2006
Points: 240
Posted: 19 February 2010 at 6:42pm
LOL
bootsect
Senior Member
Joined: 24 December 2009
Points: 747
Posted: 22 February 2010 at 9:03am
Another locker found today.
Primitive trash coded in Delphi by script-kiddies.
Disables Task Manager and Safe Mode, and draws an invincible full-screen window. Drops itself into the Windows\System32 directory as xsystemsa.exe and sets itself to auto-run via the Run registry key under the parameter name "explorep".

The unblock code is hardcoded inside the binary:
3323456

Controls__TControl__GetText(*(_DWORD *)(a1 + 772), &v16);   // read the edit-box text
System____linkproc___LStrCmp(v16, &str_3323456[1]);         // compare with the hardcoded "3323456"


http://www.virustotal.com/analisis/1722181396ce20a467bb4225f00e533c62f22852c09412787f75fbaf21393676-1266829062


Edited by bootsect - 22 February 2010 at 9:06am
PROROOTECT
Senior Member
Joined: 06 April 2008
Location: Fort Lee, NJ ..
Points: 559
Posted: 22 February 2010 at 1:40pm
* From Russia With LOVE: http://www.symantec.com/connect/fr/blogs/russia-love  - became more and more amorous ...LOL
 
* Russian Cybergangs Make the Web a Dangerous Place: http://www.pcworld.com/businesscenter/article/172642/russian_cybergangs_make_the_web_a_dangerous_place.html  - Partnerka ... Samossieiko wrote ...
 
* Russian Business Network (RBN): http://rbnexploit.blogspot.com/  - Blog - is a fairly blatant cybercrime and bullet proof hosting hub. WIKIPEDIA link: http://en.wikipedia.org/wiki/Russian_Business_Network
 
 
* More than 75,000 computer systems hacked in one of largest cyber attacks: http://www.washingtonpost.com/wp-dyn/content/article/2010/02/17/AR2010021705816.html  - security firms says ...
 
... etc etc ...
 
"""""""""""""""""""""""""""""""""""""""""""""""""""""""
 
Update (little):
 
 
* ... and West End Girls (YouTube): http://www.youtube.com/watch?v=Sd_K6Yk4-oE&feature=related  - yes, related to Eastern Boys ...
Edited by PROROOTECT - 22 February 2010 at 7:37pm