Sunday 22 August 2010

Trojan.Ransomware


Un sample que S!Ri m'a envoyé...
Bien coriace comparé aux autres versions, ce ransomware-là bloque l'utilisateur plutôt bien.
L'infection prend tout l'écran et elle est toujours au premier plan (même taskmgr est au second plan).
Rapport VT


Traduction française:



From S!Ri:
 This trojan blocker prevents all software execution. Infected users need to send a text message to get a valid serial number that removes the Trojan.

 My Keygen:
asm file:
.486
;Merci a qpt
.model  flat, stdcall
option  casemap :none   ; case sensitive

include     keygen.inc
include     \masm32\macros\macros.asm

.code

start:
    ; Entry point: fetch our own module handle, run the modal keygen dialog
    ; (template 101 in the rc file) and exit with whatever DialogBoxParam returns.
    invoke  GetModuleHandle, NULL
    mov     hInstance, eax              ; eax still holds the module handle below
    invoke  DialogBoxParam, eax, 101, NULL, offset DlgProc, NULL
    invoke  ExitProcess, eax            ; exit code = DialogBoxParam result (0 via EndDialog)

; -------------------------------------------------

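; LRESULT DlgProc(HWND hWin, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Dialog procedure for dialog template 101; stdcall, called back by USER32.
; In:    hWin/uMsg/wParam/lParam = the usual dialog-procedure arguments
; Out:   eax = 0 (FALSE) for every message
; Clobb: eax, ecx, edx, flags (via the API calls)
;        esi/edi are callee-saved in Win32; rep movsb below overwrites them,
;        so they are saved/restored through USES.
; State: Rndm (keygen.inc) is seeded on WM_INITDIALOG and advanced in place
;        on every IDC_OK click; no other input feeds the serial.
DlgProc proc    uses esi edi    hWin    :DWORD,
        uMsg    :DWORD,
        wParam  :DWORD,
        lParam  :DWORD

    .if uMsg == WM_COMMAND
        .if wParam == IDC_OK

; -------------------------------------------------

            ; Step 1: advance the generator state and print it as decimal text.
            ; NOTE(review): Rndm is only reseeded on WM_INITDIALOG, so each click
            ; yields a different serial; whether the locker accepts more than the
            ; first one cannot be told from here - reseed with 'asdf' here if not.
            add     Rndm, 'cvbd'
            rol     Rndm, 4
            ; '%08d' is signed: a value with bit 31 set prints with a leading '-',
            ; which shifts the digits the +2 offsets below pick. Presumably this
            ; mirrors the locker's own routine - confirm against it.
            invoke  wsprintf, addr Random1, chr$('%08d'), Rndm
            add     Rndm, 'zxcv'
            rol     Rndm, 4
            invoke  wsprintf, addr Random2, chr$('%08d'), Rndm

            ; Step 2: fill the "17xxx8xx" template: Random1[2..4] -> Serial[2..4],
            ; Random2[2..3] -> Serial[6..7]. rep movsb relies on DF being clear,
            ; which the Win32 ABI guarantees on entry to a callback.
            mov     esi, offset Random1+2
            mov     edi, offset Serial+2
            mov     ecx, 3
            rep movsb
            mov     esi, offset Random2+2
            mov     edi, offset Serial+6
            mov     ecx, 2
            rep movsb
            invoke  SetDlgItemText, hWin, IDC_SERIAL, addr Serial

; -------------------------------------------------

        .elseif wParam == IDC_IDCANCEL
            invoke  EndDialog, hWin, 0
        .endif
    .elseif uMsg == WM_CLOSE
        invoke  EndDialog, hWin, 0
    .elseif uMsg == WM_INITDIALOG
        mov     Rndm, 'asdf'            ; fixed seed: the serial is a pure function of this constant
    .endif

    ; FALSE for every message, including WM_INITDIALOG (so USER32 does not
    ; move the initial focus to the first control for us).
    xor     eax, eax
    ret
DlgProc endp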



end start

inc file:
include windows.inc

; uselib libname -- pull in one MASM32 import library: its PROTO declarations
; (libname.inc) for the assembler and the matching libname.lib for the linker.
uselib  MACRO   libname
    include     libname.inc
    includelib  libname.lib
ENDM

uselib  user32                          ; DialogBoxParam, wsprintf, SetDlgItemText, EndDialog
uselib  kernel32                        ; GetModuleHandle, ExitProcess

; Dialog procedure implemented in the asm file (stdcall, four DWORD args).
DlgProc     PROTO :DWORD,:DWORD,:DWORD,:DWORD

; Control IDs; they must stay in sync with the resource script, which spells
; 1004 as IDC_CANCEL and gives the edit box as the bare number 1002.
IDC_OK          equ 1003                ; "Generate" button
IDC_IDCANCEL    equ 1004                ; "Exit" button
IDC_SERIAL      equ 1002                ; edit box that receives the serial

.data

; Generator state. DlgProc stores 'asdf' into the first dword on WM_INITDIALOG
; and advances it (add + rol) on every Generate click. Only the first dword is
; referenced in the visible code; the second one appears unused.
Rndm        dd  0,0
; Serial template: "17" and "8" are fixed, the five 'x' slots ([2..4] and
; [6..7]) are overwritten by DlgProc with digits copied from Random1/Random2.
Serial      db  "17xxx8xx",0


.data?

hInstance       dd      ?   ;dd can be written as dword. Set by start, not read elsewhere in the visible code.

; wsprintf "%08d" scratch buffers; 16 bytes leave room for a sign, ten digits
; and the terminating NUL.
Random1     db  10h dup(?)
Random2     db  10h dup(?)

rc file:
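;This Resource Script was generated by WinAsm Studio.

// Control IDs. Keep in sync with keygen.inc (IDC_OK and IDC_SERIAL match;
// the inc file spells 1004 as IDC_IDCANCEL).
#define IDC_OK 1003
#define IDC_CANCEL 1004
#define IDC_SERIAL 1002
#define IDC_STATIC1006 1006
#define IDC_STATIC1005 1005

// Type 24 = RT_MANIFEST, id 1 = CREATEPROCESS_MANIFEST_RESOURCE_ID:
// embeds manifest.xml as the application manifest.
1 24 DISCARDABLE "manifest.xml"
// Dialog template 101, the id passed to DialogBoxParam by start.
101 DIALOGEX 0,0,177,38

CAPTION "Trojan.Ransomware *Keygen*"
FONT 8,"Tahoma"
STYLE 0x10c00800
EXSTYLE 0x00000000

BEGIN
    CONTROL "Generate",IDC_OK,"Button",0x10000001,100,22,44,13,0x00000000
    CONTROL "Exit",IDC_CANCEL,"Button",0x10000000,150,22,24,13,0x00000000
    // Serial output box; was the bare number 1002, now the named id used by DlgProc.
    CONTROL "",IDC_SERIAL,"Edit",0x10000880,30,6,144,12,0x00000200
    CONTROL "Serial",IDC_STATIC1006,"Static",0x50000000,7,9,20,9,0x00000000
    CONTROL "20/08/2010",IDC_STATIC1005,"Static",0x58000000,3,28,44,9,0x00000000
END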


If your Windows is blocked by this ransomware, use our keygen to remove it.
