Yesterday Vazonez released a new winlock generator
This hack tools build MBR lockers, it write the MBR, and request unlock code.
MBR code is based on an existing ransomware (Trojan.MBRlock.6).
You can configure the message text, password, unlock code, color and icon.
Here, a sample made by MBRLocker Builder v0.1 in action:
It's simple as usual for find the unlock code.
Edit 25 Jul 2k11: MBRLocker Builder v0.2 released
What's new ? fixed sector bug, Serial is now xored with a random key
IDA Schem of the serial check:
Hiew view:
More 10 sec to unxor the serial maybe.
I've made a VB6 code for retrieve serials of MBRLocker v0.2
'MBRLocker Builder v0.2 Generic serial retriever
'Contact: xylitol@malwareint.com
'Add just one Textbox with name: Text1
'Then just Drop your infected MBR Dump
Option Explicit
Dim XorKey, strSubstr, buffer, sHold, sText, sFileExtention, TotalChaine, Path, ipos, sOutput As String
Dim iLocationOfString1, iLocationOfString2, iCompareStyle As Long
Dim a, b, i As Integer
Private Sub Form_Load()
Forme.OLEDropMode = 1 'Manual Ole Drop Mode
End Sub
Private Sub Form_OLEDragDrop(Data As DataObject, _
Effect As Long, _
Button As Integer, _
Shift As Integer, _
X As Single, _
Y As Single)
With Data
sText = ""
If .GetFormat(vbCFFiles) Then
If .Files.Count = 1 Then
'Only one filename was dragged. Retrieve it.
Path = .Files(1) 'Note numeral 1.
'Pull text file data into our textbox.
Open Path For Input As #1
Do Until EOF(1)
Line Input #1, sHold
sText = sText & sHold & vbCrLf
Loop
Close #1
Text1.Text = sText
If .Files.Count > 1 Then
Exit Sub ' Dude, wtf are you doing here ?
End If
End If
End If
End With
ipos = InStr(1, Text1, "EnTeR c0d3:") 'Check 1
If ipos = "0" Then
Text1.Text = "Error: This is not a MBR or it's not infected"
Exit Sub
Else
ipos = InStr(1, Text1, "wExE") 'Check 2
If ipos = "0" Then
Text1.Text = "Error: This is not a MBR or it's not infected"
Exit Sub
Else
TotalChaine = ""
buffer = ""
Text1 = funcParseStringFromString2String(Text1, "EnTeR c0d3:", "wExE") 'Parsing
Text1 = Replace(Text1, " º€¹ ¸ » Í ê8 Š ‹}¬Š €ò", "") 'Remove useless shit (generic)
XorKey = Left$(Text1, 1) 'XOR Key
XorKey = Asc(XorKey) 'Get the Dec
strSubstr = Left$(Text1, 15) 'Hardcoded remove
Text1 = Replace(Text1, strSubstr, "") 'Remove hardcoded
For a = 1 To Len(Text1) 'Let's loop until the end
b = Asc(Mid(Text1, a, 1)) 'Grab one dec char
TotalChaine = XorKey Xor b 'unxor it
buffer = buffer & Chr(TotalChaine) 'make it char and add it to the final serial
Next
Text1 = buffer 'Final result
End If
End If
End Sub
Function funcParseStringFromString2String(sSourceString, sString1 As String, sString2 As String, Optional fCaseCaseInsensitive As Boolean = False) As String
If fCaseCaseInsensitive Then
iCompareStyle = vbTextCompare
Else
iCompareStyle = vbBinaryCompare
End If
sOutput = sSourceString
iLocationOfString1 = InStr(1, sOutput, sString1, iCompareStyle)
iLocationOfString2 = InStr(1, sOutput, sString2, iCompareStyle)
If iLocationOfString1 = 0 And iLocationOfString2 = 0 Then
'nothing found
sOutput = ""
Else
If Len(sString1) = 0 And Len(sString2) = 0 Then
'do nothing
ElseIf Len(sString1) = 0 Then
If iLocationOfString2 <> 0 Then
sOutput = Mid(sOutput, 1, iLocationOfString2 - 1)
End If
ElseIf Len(sString2) = 0 Then
sOutput = Mid(sOutput, iLocationOfString1 + Len(sString1))
Else
'cut off begining
If iLocationOfString1 <> 0 Then
sOutput = Mid(sOutput, iLocationOfString1 + Len(sString1))
End If
'take off the end part
iLocationOfString2 = InStr(1, sOutput, sString2, iCompareStyle)
If iLocationOfString2 <> 0 Then
sOutput = Mid(sOutput, 1, iLocationOfString2 - 1)
End If
End If
End If
funcParseStringFromString2String = sOutput
End Function
'Contact: xylitol@malwareint.com
'Add just one Textbox with name: Text1
'Then just Drop your infected MBR Dump
Option Explicit
Dim XorKey, strSubstr, buffer, sHold, sText, sFileExtention, TotalChaine, Path, ipos, sOutput As String
Dim iLocationOfString1, iLocationOfString2, iCompareStyle As Long
Dim a, b, i As Integer
Private Sub Form_Load()
Forme.OLEDropMode = 1 'Manual Ole Drop Mode
End Sub
Private Sub Form_OLEDragDrop(Data As DataObject, _
Effect As Long, _
Button As Integer, _
Shift As Integer, _
X As Single, _
Y As Single)
With Data
sText = ""
If .GetFormat(vbCFFiles) Then
If .Files.Count = 1 Then
'Only one filename was dragged. Retrieve it.
Path = .Files(1) 'Note numeral 1.
'Pull text file data into our textbox.
Open Path For Input As #1
Do Until EOF(1)
Line Input #1, sHold
sText = sText & sHold & vbCrLf
Loop
Close #1
Text1.Text = sText
If .Files.Count > 1 Then
Exit Sub ' Dude, wtf are you doing here ?
End If
End If
End If
End With
ipos = InStr(1, Text1, "EnTeR c0d3:") 'Check 1
If ipos = "0" Then
Text1.Text = "Error: This is not a MBR or it's not infected"
Exit Sub
Else
ipos = InStr(1, Text1, "wExE") 'Check 2
If ipos = "0" Then
Text1.Text = "Error: This is not a MBR or it's not infected"
Exit Sub
Else
TotalChaine = ""
buffer = ""
Text1 = funcParseStringFromString2String(Text1, "EnTeR c0d3:", "wExE") 'Parsing
Text1 = Replace(Text1, " º€¹ ¸ » Í ê8 Š ‹}¬Š €ò", "") 'Remove useless shit (generic)
XorKey = Left$(Text1, 1) 'XOR Key
XorKey = Asc(XorKey) 'Get the Dec
strSubstr = Left$(Text1, 15) 'Hardcoded remove
Text1 = Replace(Text1, strSubstr, "") 'Remove hardcoded
For a = 1 To Len(Text1) 'Let's loop until the end
b = Asc(Mid(Text1, a, 1)) 'Grab one dec char
TotalChaine = XorKey Xor b 'unxor it
buffer = buffer & Chr(TotalChaine) 'make it char and add it to the final serial
Next
Text1 = buffer 'Final result
End If
End If
End Sub
Function funcParseStringFromString2String(sSourceString, sString1 As String, sString2 As String, Optional fCaseCaseInsensitive As Boolean = False) As String
If fCaseCaseInsensitive Then
iCompareStyle = vbTextCompare
Else
iCompareStyle = vbBinaryCompare
End If
sOutput = sSourceString
iLocationOfString1 = InStr(1, sOutput, sString1, iCompareStyle)
iLocationOfString2 = InStr(1, sOutput, sString2, iCompareStyle)
If iLocationOfString1 = 0 And iLocationOfString2 = 0 Then
'nothing found
sOutput = ""
Else
If Len(sString1) = 0 And Len(sString2) = 0 Then
'do nothing
ElseIf Len(sString1) = 0 Then
If iLocationOfString2 <> 0 Then
sOutput = Mid(sOutput, 1, iLocationOfString2 - 1)
End If
ElseIf Len(sString2) = 0 Then
sOutput = Mid(sOutput, iLocationOfString1 + Len(sString1))
Else
'cut off begining
If iLocationOfString1 <> 0 Then
sOutput = Mid(sOutput, iLocationOfString1 + Len(sString1))
End If
'take off the end part
iLocationOfString2 = InStr(1, sOutput, sString2, iCompareStyle)
If iLocationOfString2 <> 0 Then
sOutput = Mid(sOutput, 1, iLocationOfString2 - 1)
End If
End If
End If
funcParseStringFromString2String = sOutput
End Function
Related ~
How to debug MBR Ransomware (14 Jul 2k11)
Trojan.MBRlock (xxxvideo.avi.exe) (9 Jul 2k11)
Trojan.MBRlock (xxxvideo.avi.exe) (4 Jul 2k11)
Trojan.MBRlock (output.exe) (25 Apr 2k11)
Already noticed on the past: here (25 Apr 2k11) ~ here (4 Jul 2k11) ~ here (9 Jul 2k11)
It's funny, because i got an MbrLocker, from this toolz i think, same text, same color, and xored serial ( in my case 0xED ) : http://blog.w4kfu.com/post/MBR_Locker
ReplyDeleteThanks for the article, i really enjoy your blog.
wrong vbcode
ReplyDeletewExE ?
Test plz