SYMBOLCOMMON_NAMEaka. SYNONYMS
win.virlock (Back to overview)

VirLock

VTCollection    

Polymorphic parasitic file infecting virus which transforms files into copies of itself. Additionally it uses screen-locking as a ransomware technique.

References
2021-08-24Basque Cybersecurity CentreBasque Cybersecurity Centre
VIRLOCK
VirLock
2019-07-15BlackberryBlackberry Research
Threat Spotlight: Virlock Polymorphic Ransomware
VirLock
2017-02-02Trend MicroTrend Micro
Ransomware Recap: January 14 - 29, 2017
Charger VirLock
2016-01-29Virus BulletinAndrei Nacu, Mihail Androinic, Vlad Craciun
VB2015 paper: It's A File Infector... It’s Ransomware... It's Virlock
VirLock
2014-12-22ESET ResearchESET Research
Virlock: First Self‑Reproducing Ransomware is also a Shape Shifter
VirLock
Yara Rules
[TLP:WHITE] win_virlock_auto (20230808 | Detects win.virlock.)
rule win_virlock_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.virlock."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.virlock"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? e8???????? ff15???????? 61 3bcb 7532 60 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   e8????????           |                     
            //   ff15????????         |                     
            //   61                   | popal               
            //   3bcb                 | cmp                 ecx, ebx
            //   7532                 | jne                 0x34
            //   60                   | pushal              

        $sequence_1 = { 9d cde6 81b4e570805c4af32b0cf0 e602 a4 b592 9c }
            // n = 7, score = 100
            //   9d                   | popfd               
            //   cde6                 | int                 0xe6
            //   81b4e570805c4af32b0cf0     | xor    dword ptr [ebp + 0x4a5c8070], 0xf00c2bf3
            //   e602                 | out                 2, al
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   b592                 | mov                 ch, 0x92
            //   9c                   | pushfd              

        $sequence_2 = { 68???????? eb0a 68???????? 68???????? e8???????? 83fa00 751b }
            // n = 7, score = 100
            //   68????????           |                     
            //   eb0a                 | jmp                 0xc
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   83fa00               | cmp                 edx, 0
            //   751b                 | jne                 0x1d

        $sequence_3 = { 81f2???????? 81f35e473bfc 81f308f661fc 81f37dc97000 e8???????? bb8aedf4f9 baf2edecff }
            // n = 7, score = 100
            //   81f2????????         |                     
            //   81f35e473bfc         | xor                 ebx, 0xfc3b475e
            //   81f308f661fc         | xor                 ebx, 0xfc61f608
            //   81f37dc97000         | xor                 ebx, 0x70c97d
            //   e8????????           |                     
            //   bb8aedf4f9           | mov                 ebx, 0xf9f4ed8a
            //   baf2edecff           | mov                 edx, 0xffecedf2

        $sequence_4 = { 45 58 58 46 54 4f 53 }
            // n = 7, score = 100
            //   45                   | inc                 ebp
            //   58                   | pop                 eax
            //   58                   | pop                 eax
            //   46                   | inc                 esi
            //   54                   | push                esp
            //   4f                   | dec                 edi
            //   53                   | push                ebx

        $sequence_5 = { eb07 3106 83c604 ebea 83f901 754a }
            // n = 6, score = 100
            //   eb07                 | jmp                 9
            //   3106                 | xor                 dword ptr [esi], eax
            //   83c604               | add                 esi, 4
            //   ebea                 | jmp                 0xffffffec
            //   83f901               | cmp                 ecx, 1
            //   754a                 | jne                 0x4c

        $sequence_6 = { 42 4b 4e 53 47 4b 56 }
            // n = 7, score = 100
            //   42                   | inc                 edx
            //   4b                   | dec                 ebx
            //   4e                   | dec                 esi
            //   53                   | push                ebx
            //   47                   | inc                 edi
            //   4b                   | dec                 ebx
            //   56                   | push                esi

        $sequence_7 = { 44 56 53 49 4f 45 }
            // n = 6, score = 100
            //   44                   | inc                 esp
            //   56                   | push                esi
            //   53                   | push                ebx
            //   49                   | dec                 ecx
            //   4f                   | dec                 edi
            //   45                   | inc                 ebp

        $sequence_8 = { 8bf8 90 e9???????? 8807 90 42 90 }
            // n = 7, score = 100
            //   8bf8                 | mov                 edi, eax
            //   90                   | nop                 
            //   e9????????           |                     
            //   8807                 | mov                 byte ptr [edi], al
            //   90                   | nop                 
            //   42                   | inc                 edx
            //   90                   | nop                 

        $sequence_9 = { bb53203dfd 3106 83c604 bb975ea4f7 ebb5 83f901 }
            // n = 6, score = 100
            //   bb53203dfd           | mov                 ebx, 0xfd3d2053
            //   3106                 | xor                 dword ptr [esi], eax
            //   83c604               | add                 esi, 4
            //   bb975ea4f7           | mov                 ebx, 0xf7a45e97
            //   ebb5                 | jmp                 0xffffffb7
            //   83f901               | cmp                 ecx, 1

    condition:
        7 of them and filesize < 4202496
}
Download all Yara Rules