win.virlock

VirLock


Polymorphic, parasitic file-infecting virus that transforms files into copies of itself. It additionally uses screen-locking as a ransomware technique.

References
2021-08-24 | Basque Cybersecurity Centre | Basque Cybersecurity Centre
VIRLOCK
VirLock
2019-07-15 | Blackberry | Blackberry Research
Threat Spotlight: Virlock Polymorphic Ransomware
VirLock
2019-06-12 | Gdata | Karsten Hahn
Ransomware identification for the judicious analyst
Cerber Cryptowall CryptoFortress Locky PadCrypt Spora VirLock
2017-02-02 | Trend Micro | Trend Micro
Ransomware Recap: January 14 - 29, 2017
Charger VirLock
2016-01-29 | Virus Bulletin | Andrei Nacu, Mihail Androinic, Vlad Craciun
VB2015 paper: It's A File Infector... It’s Ransomware... It's Virlock
VirLock
2014-12-22 | ESET Research | ESET Research
Virlock: First Self‑Reproducing Ransomware is also a Shape Shifter
VirLock
Yara Rules
[TLP:WHITE] win_virlock_auto (20260504 | Detects win.virlock.)
rule win_virlock_auto {

    /* Auto-generated YARA-Signator rule for win.virlock (see meta and DISCLAIMER).
     * Ten short opcode sequences ($sequence_0 .. $sequence_9, 6-7 bytes each)
     * were lifted from disassembly; the condition requires any 7 of the 10 to
     * match, together with an upper bound on file size.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.virlock."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.virlock"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // In the hex strings below, "??" is a single-byte wildcard; the runs of
        // "????????" sit where the disassembly column is blank and presumably
        // stand in for 4-byte operands (addresses/immediates) that differ
        // between samples. The "// n = N, score = S" lines are YARA-Signator
        // metadata about the sequence (length and ranking score).
        $sequence_0 = { 3006 ba6aa196ff 46 bae0fba3f9 ebc9 be???????? ba5e3718fa }
            // n = 7, score = 100
            //   3006                 | xor                 byte ptr [esi], al
            //   ba6aa196ff           | mov                 edx, 0xff96a16a
            //   46                   | inc                 esi
            //   bae0fba3f9           | mov                 edx, 0xf9a3fbe0
            //   ebc9                 | jmp                 0xffffffcb
            //   be????????           |                     
            //   ba5e3718fa           | mov                 edx, 0xfa18375e
            // NOTE(review): xor byte ptr [esi], al / inc esi / backward jmp reads
            // like a byte-wise decode loop with junk mov edx instructions
            // interleaved — consistent with a polymorphic decryptor stub, but
            // that interpretation is not established by the rule itself.

        $sequence_1 = { 7552 ff35???????? 6a00 6a01 68???????? e8???????? e8???????? }
            // n = 7, score = 100
            //   7552                 | jne                 0x54
            //   ff35????????         |                     
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   68????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            // Wildcarded call/push operands make this sequence mostly "shape":
            // jne, push [mem], push 0, push 1, push imm32, two calls.

        $sequence_2 = { a4 2af4 d8d5 ac 3122 a4 2a8e18e1cb3e }
            // n = 7, score = 100
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   2af4                 | sub                 dh, ah
            //   d8d5                 | fcom                st(5)
            //   ac                   | lodsb               al, byte ptr [esi]
            //   3122                 | xor                 dword ptr [edx], esp
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   2a8e18e1cb3e         | sub                 cl, byte ptr [esi + 0x3ecbe118]
            // NOTE(review): the decoded instructions (fcom st(5), xor [edx], esp,
            // sub cl, [esi+0x3ecbe118]) do not look like meaningful code; these
            // bytes are likely data or encrypted content that the disassembler
            // decoded anyway. Still a valid byte pattern for matching — confirm
            // against a sample before weighting it.

        $sequence_3 = { 6a04 e8???????? 6aff ff35???????? 68???????? e8???????? e8???????? }
            // n = 7, score = 100
            //   6a04                 | push                4
            //   e8????????           |                     
            //   6aff                 | push                -1
            //   ff35????????         |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_4 = { 44 43 50 49 4e 42 51 }
            // n = 7, score = 100
            //   44                   | inc                 esp
            //   43                   | inc                 ebx
            //   50                   | push                eax
            //   49                   | dec                 ecx
            //   4e                   | dec                 esi
            //   42                   | inc                 edx
            //   51                   | push                ecx
            // NOTE(review): every byte here is in 0x41-0x5a, i.e. the pattern is
            // the printable ASCII string "DCPINBQ". Single-byte inc/dec/push
            // runs of uppercase letters are low-specificity on their own
            // (likewise $sequence_5 and $sequence_7); the 7-of-10 condition is
            // what keeps the rule selective. Treat a hit driven mainly by these
            // three as lower confidence.

        $sequence_5 = { 43 49 55 41 4f 59 51 }
            // n = 7, score = 100
            //   43                   | inc                 ebx
            //   49                   | dec                 ecx
            //   55                   | push                ebp
            //   41                   | inc                 ecx
            //   4f                   | dec                 edi
            //   59                   | pop                 ecx
            //   51                   | push                ecx
            // Printable ASCII as well ("CIUAOYQ"); see the note on $sequence_4.

        $sequence_6 = { 60 16 16 4c 6b1617 4c }
            // n = 6, score = 100
            //   60                   | pushal              
            //   16                   | push                ss
            //   16                   | push                ss
            //   4c                   | dec                 esp
            //   6b1617               | imul                edx, dword ptr [esi], 0x17
            //   4c                   | dec                 esp
            // The only 6-byte sequence in the rule (n = 6). push ss / dec esp
            // is an unusual combination for compiler-emitted code — plausibly
            // data or obfuscated bytes, not confirmed here.

        $sequence_7 = { 54 49 44 48 42 4b 51 }
            // n = 7, score = 100
            //   54                   | push                esp
            //   49                   | dec                 ecx
            //   44                   | inc                 esp
            //   48                   | dec                 eax
            //   42                   | inc                 edx
            //   4b                   | dec                 ebx
            //   51                   | push                ecx
            // Printable ASCII as well ("TIDHBKQ"); see the note on $sequence_4.

        $sequence_8 = { bf56ab9071 53 a0???????? 5d bb6eab9071 53 e542 }
            // n = 7, score = 100
            //   bf56ab9071           | mov                 edi, 0x7190ab56
            //   53                   | push                ebx
            //   a0????????           |                     
            //   5d                   | pop                 ebp
            //   bb6eab9071           | mov                 ebx, 0x7190ab6e
            //   53                   | push                ebx
            //   e542                 | in                  eax, 0x42
            // NOTE(review): "in eax, 0x42" is a privileged port I/O instruction
            // that would fault in user mode, so this stretch is likely not
            // executed as-is (data, or code decoded at the wrong offset).
            // The two 32-bit immediates 0x7190ab56 / 0x7190ab6e are the
            // distinctive part of the pattern.

        $sequence_9 = { b521 744c e75f 25490fe965 2e59 53 70c1 }
            // n = 7, score = 100
            //   b521                 | mov                 ch, 0x21
            //   744c                 | je                  0x4e
            //   e75f                 | out                 0x5f, eax
            //   25490fe965           | and                 eax, 0x65e90f49
            //   2e59                 | pop                 ecx
            //   53                   | push                ebx
            //   70c1                 | jo                  0xffffffc3
            // NOTE(review): "out 0x5f, eax" is likewise privileged; same caveat
            // as $sequence_8.

    condition:
        // Any 7 of the 10 $sequence_* strings, in any order, anywhere in the
        // file. The size bound is in bytes: 4202496 = 0x402000, just over
        // 4 MiB, so the rule is intended for the PE itself rather than large
        // memory dumps. Note that there is no PE-header check (e.g. "MZ" at
        // offset 0), so the strings alone carry the detection.
        7 of them and filesize < 4202496
}