Thursday, 7 July 2011
Trojan-Ransom.Win32.Xorist - Encoder Builder v2.31
Another ransomware builder I've found by accident (it's true!)
This one dates from 2010, and the file encryption uses either XOR or TEA.
Interesting feature (hm... a joke, really :þ): perhaps the number of password attempts allowed before the stub melts..
An output has a size of 10.5 KB, and 6.5 KB after UPX (builder in Delphi, stub in asm).
The unlock code used to decrypt the files is not stored in cleartext, but in the build as an MD5x5 hash.
A good solution to recover the files without knowing the password... maybe a generic loader that brute-forces the right unlock code, since it's very weak:
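To show why an MD5x5-protected unlock code is "very weak" for file recovery purposes, here is an added example (not code from the builder or from this post) that recovers a short unlock code from its stored hash by exhaustive search; it assumes "MD5x5" means five chained MD5 rounds over the hex digest, a digits-only code, and a constructed sample hash.

```python
import hashlib
import itertools
import string

# Assumption: "MD5x5" = MD5 applied five times, each round hashing the
# previous round's hex digest. The stub's real chaining (hex vs raw bytes)
# is not documented here, so treat this as a stand-in for that check.
def md5x5(code: str) -> str:
    """Return the 5-round MD5 hex digest of an unlock code."""
    data = code.encode()
    for _ in range(5):
        data = hashlib.md5(data).hexdigest().encode()
    return data.decode()


def recover_unlock_code(stored_hash: str, alphabet: str, max_len: int):
    """Exhaustively search codes over `alphabet` up to `max_len` characters.

    Returns (code, attempts); code is None when no candidate matches, which
    happens if the real code uses a wider charset or is longer than max_len.
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if md5x5(candidate) == stored_hash:
                return candidate, attempts
    return None, attempts


# Constructed sample: the only thing a victim's stub holds is this hash.
SAMPLE_CODE = "4271"
SAMPLE_STORED_HASH = md5x5(SAMPLE_CODE)

if __name__ == "__main__":
    code, tried = recover_unlock_code(SAMPLE_STORED_HASH, string.digits, 4)
    print(f"recovered {code!r} after {tried} candidates")  # prints 4271 / 5382
```

Five MD5 rounds multiply the work per guess by five, which is meaningless against a four-digit keyspace; only a long, high-entropy code would change the picture.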
WinLocker Builder v0.4 - Cracking Generated winlocks
WinLocker Builder v0.2/v0.3 - Cracking Generated winlocks
xddd.66ghz.com and the 4B XOR Ransomware