Un sample que S!Ri m'a envoyé...
Bien coriace comparé aux autres versions : ce ransomware-là bloque l'utilisateur plutôt bien.
L'infection prend tout l'écran et elle reste toujours au premier plan (même taskmgr passe au second plan).
Rapport VT
Traduction française:
From S!Ri:
This trojan blocker prevents all software execution. Infected users are told to send a text message to get a valid serial number that removes the Trojan.
My Keygen:
asm file:
.486
; Thanks to qpt
; Target: x86 32-bit, MASM/MASM32 syntax, flat model, stdcall (Win32 API).
; This is a keygen that reproduces the unlock serial the locker asks for;
; it is built from keygen.inc (declarations) and the .rc dialog below.
.model flat, stdcall
option casemap :none ; case sensitive
include keygen.inc
include \masm32\macros\macros.asm
.code
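; Entry point. Obtains the module handle, runs the keygen dialog modally
; and exits the process with whatever DialogBoxParam returned.
IDD_KEYGEN equ 101                      ; dialog template id (101 DIALOGEX in the .rc)
start:
invoke GetModuleHandle, NULL
mov hInstance, eax                      ; handle used to locate the dialog resource
invoke DialogBoxParam, hInstance, IDD_KEYGEN, 0, ADDR DlgProc, 0
invoke ExitProcess, eax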
; -------------------------------------------------
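; -------------------------------------------------------------------
; DlgProc - dialog procedure for the keygen dialog (resource 101).
;
; BOOL CALLBACK DlgProc(HWND hWin, UINT uMsg, WPARAM wParam, LPARAM lParam)
; ABI:  stdcall (Win32 dialog procedure), 32-bit flat model.
; In:   hWin   = dialog handle
;       uMsg   = message id
;       wParam = for WM_COMMAND: LOWORD = control id, HIWORD = notification code
;       lParam = unused
; Out:  eax = 0 (FALSE) for every message, as in the original; the dialog
;       manager applies its default handling.
; Clobbers: eax, ecx, flags. esi/edi are callee-saved under the Win32
;       convention and are now preserved via USES (the original overwrote
;       them with the string copies below without saving them).
; State: Rndm (keygen.inc) is the generator value, seeded on WM_INITDIALOG;
;        Random1/Random2 are scratch buffers, Serial is the output template.
; -------------------------------------------------------------------
DlgProc proc uses esi edi hWin :DWORD,
uMsg :DWORD,
wParam :DWORD,
lParam :DWORD
.if uMsg == WM_COMMAND
; WM_COMMAND carries the notification code in the high word of wParam.
; Comparing the whole DWORD only matches when that code is 0 (BN_CLICKED);
; extract the control id explicitly instead of relying on it.
movzx eax, word ptr wParam
.if eax == IDC_OK
; --- serial generation ---------------------------------------------
; Each click advances the generator: Rndm is a 32-bit value seeded with the
; multi-character constant 'asdf' (see WM_INITDIALOG), then two rounds of
;   Rndm = rol(Rndm + const, 4)
; with 'cvbd' and 'zxcv'. Nothing machine- or victim-specific enters the
; calculation, so the sequence of serials is identical on every PC - the
; locker's "serial" check is a fixed sequence, not a per-victim secret.
; The constants and digit positions presumably mirror the malware's own
; routine; do not "fix" them without re-checking the sample. Note that
; wsprintf '%08d' prints a SIGNED decimal: for values >= 80000000h the
; buffer starts with '-', so the +2 offset below skips '-' plus one digit
; rather than two digits.
add Rndm,'cvbd'
rol Rndm,4
invoke wsprintf,addr Random1,chr$('%08d'),Rndm
add Rndm,'zxcv'
rol Rndm,4
invoke wsprintf,addr Random2,chr$('%08d'),Rndm
; Fill the "17xxx8xx" template in place:
;   Serial[2..4] <- Random1[2..4]   (3 chars)
;   Serial[6..7] <- Random2[2..3]   (2 chars)
; '%08d' guarantees at least 8 characters, so both reads stay inside the
; formatted text. DF should already be clear per the Win32 ABI; cld makes
; the copies independent of the caller's state.
cld
mov esi,offset Random1+2
mov edi,offset Serial+2
mov ecx,3
rep movsb
mov esi,offset Random2+2
mov edi,offset Serial+6
mov ecx,2
rep movsb
invoke SetDlgItemText,hWin,IDC_SERIAL,addr Serial
; -------------------------------------------------------------------
.elseif eax == IDC_IDCANCEL
invoke EndDialog,hWin,0
.endif
.elseif uMsg == WM_CLOSE
invoke EndDialog,hWin,0
.elseif uMsg == WM_INITDIALOG
; Fixed seed: every run of the keygen yields the same serial sequence.
mov Rndm,'asdf'
.endif
xor eax,eax
ret
DlgProc endp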
end start
; Thanks to qpt
; (second copy of the same listing; note that it lacks the leading .486
; directive the first copy has, which .model flat requires)
.model flat, stdcall
option casemap :none ; case sensitive
include keygen.inc
include \masm32\macros\macros.asm
.code
; Entry point: show dialog 101 modally and exit with its result.
; Same calls as the invoke form, written out as explicit stdcall pushes.
start:
push NULL
call GetModuleHandle
mov hInstance, eax
push 0                                  ; lParam for WM_INITDIALOG
push offset DlgProc
push 0                                  ; no owner window
push 101                                ; dialog template id
push hInstance
call DialogBoxParam
push eax
call ExitProcess
; -------------------------------------------------
; DlgProc - dialog procedure for the keygen dialog. Restyled copy: explicit
; compare/branch instead of the .if/.elseif macros, generator arithmetic
; done through eax, fixed-size copies instead of rep movsb. Behaviour is
; the same: "Generate" advances Rndm twice (add constant, rotate left 4),
; prints both values with '%08d' and splices digits into Serial.
DlgProc proc hWin :DWORD,
uMsg :DWORD,
wParam :DWORD,
lParam :DWORD
mov eax,uMsg
cmp eax,WM_INITDIALOG
je dlg_init
cmp eax,WM_CLOSE
je dlg_close
cmp eax,WM_COMMAND
jne dlg_done
mov eax,wParam
cmp eax,IDC_IDCANCEL
je dlg_close
cmp eax,IDC_OK
jne dlg_done
; round 1: Rndm = rol(Rndm + 'cvbd', 4)
mov eax,Rndm
add eax,'cvbd'
rol eax,4
mov Rndm,eax
invoke wsprintf,addr Random1,chr$('%08d'),Rndm
; round 2: Rndm = rol(Rndm + 'zxcv', 4)
mov eax,Rndm
add eax,'zxcv'
rol eax,4
mov Rndm,eax
invoke wsprintf,addr Random2,chr$('%08d'),Rndm
; Serial[2..4] <- Random1[2..4]
mov esi,offset Random1+2
mov edi,offset Serial+2
movsw
movsb
; Serial[6..7] <- Random2[2..3]
mov esi,offset Random2+2
mov edi,offset Serial+6
movsw
invoke SetDlgItemText,hWin,IDC_SERIAL,addr Serial
jmp dlg_done
dlg_close:
invoke EndDialog,hWin,0
jmp dlg_done
dlg_init:
; seed the generator with a fixed constant
mov Rndm,'asdf'
dlg_done:
xor eax,eax
ret
DlgProc endp
end start
inc file:
include windows.inc
; uselib <name>: pull in the MASM32 prototypes for <name> and tell the
; linker to resolve against its import library. <name>.inc and <name>.lib
; are located through the assembler's / linker's include and lib paths.
uselib MACRO libname
include libname.inc
includelib libname.lib
ENDM
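uselib user32                           ; dialog API, wsprintf, SetDlgItemText
uselib kernel32                         ; GetModuleHandle, ExitProcess
DlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
; Control ids - must match the numeric ids in the dialog template (.rc).
IDC_OK equ 1003                         ; "Generate" button
IDC_CANCEL equ 1004                     ; "Exit" button (the name the .rc uses)
IDC_IDCANCEL equ IDC_CANCEL             ; alias kept for the existing DlgProc
IDC_SERIAL equ 1002                     ; read-only edit that receives the serial
.data
; Generator state: one 32-bit value that DlgProc seeds with 'asdf' on
; WM_INITDIALOG and advances on every "Generate" click. The second dword
; is never referenced; kept so the data layout is unchanged.
Rndm dd 0,0
; Serial template, overwritten in place by DlgProc: bytes 2..4 come from
; Random1, bytes 6..7 from Random2; '1','7','8' are fixed.
Serial db "17xxx8xx",0
.data?
hInstance dd ?                          ; module handle (dd == dword)
; Scratch for wsprintf("%08d", Rndm): a signed 32-bit decimal needs at most
; 11 characters plus the terminator, so 16 bytes is enough.
Random1 db 10h dup(?)
Random2 db 10h dup(?)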
; uselib <name>: pull in the MASM32 prototypes for <name> and tell the
; linker to resolve against its import library. <name>.inc and <name>.lib
; are located through the assembler's / linker's include and lib paths.
uselib MACRO libname
include libname.inc
includelib libname.lib
ENDM
; Imports and shared declarations for the keygen (restyled copy: MASM
; dword/byte directives, ids listed in numeric order).
uselib kernel32
uselib user32
DlgProc PROTO :DWORD, :DWORD, :DWORD, :DWORD
; dialog control ids
IDC_SERIAL equ 1002
IDC_OK equ 1003
IDC_IDCANCEL equ 1004
.data
Rndm dword 0, 0                         ; generator value (+ one unused dword)
Serial byte "17xxx8xx", 0               ; output template
.data?
hInstance dword ?
Random1 byte 10h dup (?)                ; wsprintf scratch
Random2 byte 10h dup (?)
rc file:
;This Resource Script was generated by WinAsm Studio.
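// Control ids. Keep in sync with keygen.inc: the numeric ids are what
// DlgProc compares against, the names exist only for the resource compiler.
#define IDC_OK 1003
#define IDC_CANCEL 1004
#define IDC_SERIAL 1002
#define IDC_STATIC1006 1006
#define IDC_STATIC1005 1005
// Application manifest (resource type 24 = RT_MANIFEST, id 1). manifest.xml
// is not reproduced in the post; check what it requests (execution level,
// common-controls version) before redistributing a binary built from this.
1 24 DISCARDABLE "manifest.xml"
// Dialog 101: the template id DialogBoxParam loads from keygen.asm.
// Styles are left numeric as generated; converting them to WS_*/DS_*
// symbols would need windows.h in the resource script.
101 DIALOGEX 0,0,177,38
CAPTION "Trojan.Ransomware *Keygen*"
FONT 8,"Tahoma"
STYLE 0x10c00800
EXSTYLE 0x00000000
BEGIN
CONTROL "Generate",IDC_OK,"Button",0x10000001,100,22,44,13,0x00000000
CONTROL "Exit",IDC_CANCEL,"Button",0x10000000,150,22,24,13,0x00000000
// Edit that DlgProc fills through SetDlgItemText(IDC_SERIAL); was the
// bare id 1002 before, now the same id under its keygen.inc name.
CONTROL "",IDC_SERIAL,"Edit",0x10000880,30,6,144,12,0x00000200
CONTROL "Serial",IDC_STATIC1006,"Static",0x50000000,7,9,20,9,0x00000000
CONTROL "20/08/2010",IDC_STATIC1005,"Static",0x58000000,3,28,44,9,0x00000000
END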
// Resource ids (restyled copy: sorted by id, spaced operands).
#define IDC_OK         1003
#define IDC_CANCEL     1004
#define IDC_STATIC1005 1005
#define IDC_STATIC1006 1006
// manifest resource (type 24), file contents not shown in the post
1 24 DISCARDABLE "manifest.xml"
// keygen dialog, loaded by DialogBoxParam as id 101
101 DIALOGEX 0, 0, 177, 38
CAPTION "Trojan.Ransomware *Keygen*"
FONT 8, "Tahoma"
STYLE 0x10c00800
EXSTYLE 0x00000000
BEGIN
    CONTROL "Generate", IDC_OK, "Button", 0x10000001, 100, 22, 44, 13, 0x00000000
    CONTROL "Exit", IDC_CANCEL, "Button", 0x10000000, 150, 22, 24, 13, 0x00000000
    CONTROL "", 1002, "Edit", 0x10000880, 30, 6, 144, 12, 0x00000200
    CONTROL "Serial", IDC_STATIC1006, "Static", 0x50000000, 7, 9, 20, 9, 0x00000000
    CONTROL "20/08/2010", IDC_STATIC1005, "Static", 0x58000000, 3, 28, 44, 9, 0x00000000
END
If your Windows is blocked by this ransomware, use our keygen to get a serial and unlock it. The serial is only what the locker asks for; whether the Trojan really removes itself afterwards is not verified in this post, so reboot and run a full scan with an up-to-date AV before trusting the machine again.
Good Job, sir.
Awesome job!