Sunday, 18 September 2011

Winlock Builder [Private] v1.30

Winlock scareware:
English translation by @Sherb1n

Coder: Qunned

Special features:

- Pleasant and convenient dark GUI
- Blocks taskmgr.exe, cmd.exe, osk.exe, explorer.exe, etc.
- Blocks hotkeys and hotkey combos (for example, Alt+F4, Ctrl+Alt+Del, Win+E, Win+D, Alt+Tab)
- Disables mouse
- Build size: 38.5KB
- Number randomization (Up to 9 text combinations, each field takes up to 20 characters, and numbers/text are displayed randomly)
- Packed with UPX
- Icon can be changed.
- Background color can be changed.
- Fully-editable text (up to 1,000 chars)
- Monitoring dashboard

Monitoring dashboard allows you to keep track of all your infected users; it displays infection date, IP, and the user’s current status (infected/active).

When using the monitoring function you remain anonymous because the gate is located on our servers, so you don’t have to worry about your anonymity.

- Auto-start.
- Option to use an image (in development)
- Works in safe mode.
- Self-deletion
- Automatic free updates (+cleanup)

Video demo:

Monitoring demo:


1. You are forbidden from re-selling any program components (builder, individual builds, licenses) without an explicit permission from the operators. If you violate this rule, we’ll apply sanctions.
2. You are forbidden from scanning the builds using free AV services that send reports to AV makers; if you violate this rule, the operator reserves the right to revoke your license. (Example:
3. At their own discretion, the operators have the right to revoke a customer’s license if the customer forces them to do it. (For example: insults/threats.)
4. Refund is possible only when the customer is not satisfied with the functionality, and he notifies us on the day of purchase.
5. Ignorance of rules does not exempt you from responsibility.


Standard, 3 months - 25$
Standard, 6 months - 40$
Standard, 12 months - 75$

Professional, 3 months - 30$
Professional, 6 months - 50$
Professional, 12 months - 80$

Price per build - 10$

Monitoring and Randomization functions are available for Professional packages only!


[+] You can order ad placement in the builder for 40$/month; the ad is displayed when the builder is launched and every 10 minutes.

[+] You can become our partner and help re-sell the builder; more info on ICQ.

'Demo' video made by QunneD for presenting the product:

The builder is custom packed, coded in Delphi and have a size of 2,64 Mb
Splash screen and license check of Winlock Builder v1.30:

Keyfile check:

 serial.p act as a license file and ini file, Timer3OnTimer function is core component of license checking (file check/parsing and enables/disables features depending on license data)

How work the winlock now..
Here the idea is on the same style as the old 'homoblocker ransomware'
build.exe (97,5 Kb without upx) is a ransom loader.

It call the gate

Drop the payload 'MineFile' stored in ressource

Create a .bat file for reboot the computer (from ressource too)

@echo off
shutdown -r -f -t "3" -c "Ваша копия Windows заблокирована!"

Copy the payload:
C:\Documents and Settings\Administrateur\Local Settings\Application Data\WL Pro\swap32.exe

Create a startup regkey for the payload:

Launch the reboot procedure

And ExitProcess.

Now the payload, swap32.exe (51,5 Kb) is more basic, it just check for new created process and if "taskmgr.exe" or "explorer.exe" are detected, it will kill them.

The ransomware:

Serial check:

Call again the gate if the serial is good but for says its clean now.

Infected computer monitoring (this winlock is interesting for that)


  1. The guy seems to be from Estonia, though writes in russian.

    He makes certain mistakes in words that only russians make (related to certain grammar forms of verbs).

  2. Мда, тупой русских "хакир", что возомнил себя гением.
    винлокер ни о чем - убирается за 3 минуты из под livecd, mbr-lock и тот интереснее был


  4. I need a hold ASAP