Ransomware Banner - Execute, No Mercy
- Tutorial
Banners “Windows is blocked - send SMS to unlock” and their many variations immensely like to restrict access rights of free Windows users. Moreover, often the standard ways to get out of an unpleasant situation - correcting a problem from Safe Mode, unlock codes on ESET and DR Web sites, as well as transferring time on the BIOS clock to the future, do not always work.
Do you really have to reinstall the system or pay ransomware? Of course, you can go the simplest way, but isn’t it better to try to cope with an intrusive monster named Trojan.WinLock on our own and with our own resources, especially since you can try to solve the problem quickly and completely free of charge.
The first ransomware programs intensified in December 1989. Many users then received floppy disks providing information about the AIDS virus. After installing a small program, the system became inoperative. For her resuscitation, users were offered to fork out. The malicious activity of the first SMS-blocker, introducing users to the concept of “blue screen of death” was noted in October 2007.
Trojan.Winlock (Winlocker) is a representative of an extensive family of malicious programs, the installation of which leads to a complete block or significant difficulty in working with the operating system. Using the successful experience of their predecessors and advanced technologies, the developers of winlockers quickly turned a new page in the history of Internet fraud. Most of the virus modifications were received by users in the winter of 2009-2010, when, according to statistics, not one million personal computers and laptops were infected. The second peak of activity occurred in May 2010. Despite the fact that the number of victims of an entire generation of Trojan.Winlock Trojans has recently decreased significantly, and the fathers of the idea have been detained, the problem is still relevant.
The number of different versions of winlockers has exceeded thousands. In earlier versions (Trojan.Winlock 19, etc.), attackers demanded 10 rubles for unlocking access. The absence of any user activity after 2 hours led to the self-removal of the program, which left only unpleasant memories. Over the years, appetites grew, and to unlock the capabilities of Windows in later versions, it was already required 300 - 1000 rubles and higher, the developers modestly forgot about the program self-removal.
As payment options, the user is offered SMS - payment to a short number or an electronic wallet in WebMoney, Yandex Money systems. A factor that “encourages” an inexperienced user to make a payment is the probable viewing of porn sites, the use of unlicensed software ... And to increase efficiency, the ransomware text-message contains threats to destroy data on the user's computer when trying to trick the system.
In most cases, infection occurs due to a browser vulnerability. The risk zone is all the same “adult” resources. The classic version of infection is an anniversary visitor with a valuable prize. Another traditional way of infection is through programs that masquerade as reputable installers, self-extracting archives, updates — Adobe Flash, etc. The Trojan’s interface is colorful and varied, the masking technique for windows of an anti-virus program is traditionally used, and animation is less commonly used.
Among the general variety of modifications, Trojan.Winlock can be divided into 3 types:
In the latter case, to complete the minimum of simple manipulations needed by an attacker, the user has at his disposal a mouse to enter the code on the digital screen interface.
To ensure distribution and autorun, the Trojan.Winlock family viruses modify the registry keys:
- [... \ Software \ Microsoft \ Windows \ CurrentVersion \ Run] 'svhost' = '% APPDATA% \ svhost \ svhost.exe'
- [... \ Software \ Microsoft \ Windows \ CurrentVersion \ Run] 'winlogon.exe' = '\ winlogon.exe '
In order to make detection in the system more difficult, the virus blocks the display of hidden files, creates and starts execution:
Launches for execution:
Terminates or attempts to terminate the system process:
Makes changes to the file system:
Creates the following files:
Assigns a 'hidden' attribute for files:
Looking for windows:
The prevalence and severity of the problem prompted antivirus software developers to search for effective solutions to the problem. So on the Dr.Web website, the unlocking interface in the form of a window is presented in the public domain , where you need to enter the phone number or electronic wallet used for extortion. Entering the appropriate data in the window (see. Figure below) in the presence of a virus in the database will allow you to get the desired code.
On another page of the site, the authors presented another choice option - a ready-made database of unlock codes for common versions of Trojan.Winlock, classified by image .
A similar code search service is provided by the ESET antivirus studio , which contains a database of almost 400,000 thousand unlock code options and Kaspersky Lab, which offered not only access to the code base, but also its own healing utility - Kaspersky WindowsUnlocker .
Quite often there are situations when, due to virus activity or a system crash, Safe mode with command line support, which allows for the necessary operational manipulations, to be unavailable, and system rollback for some reason also becomes impossible. In such cases, Computer Troubleshooting and Windows Recovery Disc are useless, and you need to use the recovery options from the Live CD.
To resolve the situation, it is recommended to use a specialized healing utility, the image of which will need to be downloaded from a CD or a USB drive. For this, the appropriate boot option must be provided in the BIOS. After the boot disk with the image in the BIOS settings is given the highest priority, the first to boot the CD-ROM or flash drive with the image of the healing utility.
In the general case, it is most often possible to enter BIOS on a laptop using the F2 key, on the PC DEL / DELETE, but the keys and their combinations for entry may differ (F1, F8, less often F10, F12 ..., Ctrl + Esc, Ctrl + Ins, Ctrl + Alt, Ctrl + Alt + Esc, etc.). You can find out the key combination for entering by tracking the text information in the lower left area of the screen in the first seconds of entry. Learn more about the BIOS settings and features of various versions here .
Since only the latest BIOS versions support the mouse operation, you will most likely have to move up and down the menu using the up and down arrows, the + +, -, F5, and F6 buttons.
One of the most popular and simple utilities that effectively copes with ransomware banners - the “banner killer” AntiWinLockerLiveCD has earned its reputation.
The main functions of the program :
Automatic system recovery :
Treatment with the AntiWinLocker LiveCD utility is not a panacea, but one of the easiest and fastest ways to get rid of the virus. The LiveCD distribution, even in its lightweight free Lite version, has all the necessary tools for this - the FreeCommander file manager, which provides access to system files, access to startup files, and registry access.
The program is a real find for novice users, because it allows you to choose the automatic scan and correction mode, during which the virus and the consequences of its activity will be found and neutralized in a few minutes with virtually no user intervention. After rebooting, the machine will be ready to continue to work in normal mode.
The sequence of actions is extremely simple:
Download the AntiWinLockerLiveCD file of the required version to a third-party computer in ISO format, insert the CD-ROM into its drive and then, right-clicking on the file, select “Open with”, then select “Windows Disk Image Burner” - “Burn” and we rewrite the image to a CD-ROM. The boot disk is ready.
For the purity of the experiment, you can tick off all menu items except the last one (restore the boot sector).
Click “Start” / “Start treatment”.
Waiting for verification results. Problem files at its end will be highlighted in red on the screen.
As we expected, the program paid special attention to the search for the virus in the given example to its traditional habitats. The utility recorded changes in the Shell parameters that are responsible for the graphical shell of the OS. After treatment and closing all the windows of the program in the reverse order, clicking the “Exit” button and rebooting, the familiar Windows splash screen regained its usual position. Our problem has been solved successfully.
Among the additional useful tools of the program:
Automatic scanning by the AntiWinLockerLiveCD utility does not always make it possible to detect a blocker.
If automatic cleaning fails, you can always take advantage of the File Manager by checking the paths C: or D: \ Documents and Settings \ Username \ Local Settings \ Temp (For Windows XP) and C: or D: \ Users \ Name User \ AppData \ Local \ Temp (For Windows 7). If the banner is registered at startup, it is possible to analyze the scan results in manual mode, which allows you to disable startup items.
Trojan.Winlock, as a rule, does not dig too deeply, and is fairly predictable. All that is needed to remind him of his place is a couple of good programs and tips, and, of course, prudence in limitless cyberspace.
Purely not where they often clean, but where they do not litter! - True, but in the case of a funny Trojan, as never before! In order to minimize the likelihood of infection, you should adhere to a few simple and quite feasible rules.
Think of a password for the Admin account more complicated, which will not allow a straightforward malware to pick it up using the simplest search method.
In the browser settings, check the option to clear the cache after the session, prohibit the execution of files from temporary folders of the browser, etc.
Always have the LiveCD (FlashUSB) healing disk / flash drive written from a trusted resource (torrent) at hand.
Save the installation disk with Windows and always remember where it is. At the hour “H” from the command line, you can restore vital system files to their original state.
Create a recovery checkpoint at least every two weeks.
Run any dubious software - cracks, keygens, etc., run under a virtual PC (VirtualBox, etc.). This will provide an opportunity to easily repair damaged segments using the virtual PC shell.
Back up to external media regularly. Forbid writing files to dubious programs.
Good luck in your endeavors and only pleasant, and most importantly - safe meetings!
Afterword from the iCover Team
We hope that the information provided in this material will be useful to readers of the iCover blogand will help to cope with the described problem in a matter of minutes without much difficulty. We also hope that in our blog you will find a lot of useful and interesting things, you can get acquainted with the results of unique tests and examinations of the latest gadgets, find answers to the most pressing questions, the solution of which was often required yesterday.).
Do you really have to reinstall the system or pay ransomware? Of course, you can go the simplest way, but isn’t it better to try to cope with an intrusive monster named Trojan.WinLock on our own and with our own resources, especially since you can try to solve the problem quickly and completely free of charge.
Who are we fighting with?
The first ransomware programs intensified in December 1989. Many users then received floppy disks providing information about the AIDS virus. After installing a small program, the system became inoperative. For her resuscitation, users were offered to fork out. The malicious activity of the first SMS-blocker, introducing users to the concept of “blue screen of death” was noted in October 2007.
Trojan.Winlock (Winlocker) is a representative of an extensive family of malicious programs, the installation of which leads to a complete block or significant difficulty in working with the operating system. Using the successful experience of their predecessors and advanced technologies, the developers of winlockers quickly turned a new page in the history of Internet fraud. Most of the virus modifications were received by users in the winter of 2009-2010, when, according to statistics, not one million personal computers and laptops were infected. The second peak of activity occurred in May 2010. Despite the fact that the number of victims of an entire generation of Trojan.Winlock Trojans has recently decreased significantly, and the fathers of the idea have been detained, the problem is still relevant.
The number of different versions of winlockers has exceeded thousands. In earlier versions (Trojan.Winlock 19, etc.), attackers demanded 10 rubles for unlocking access. The absence of any user activity after 2 hours led to the self-removal of the program, which left only unpleasant memories. Over the years, appetites grew, and to unlock the capabilities of Windows in later versions, it was already required 300 - 1000 rubles and higher, the developers modestly forgot about the program self-removal.
As payment options, the user is offered SMS - payment to a short number or an electronic wallet in WebMoney, Yandex Money systems. A factor that “encourages” an inexperienced user to make a payment is the probable viewing of porn sites, the use of unlicensed software ... And to increase efficiency, the ransomware text-message contains threats to destroy data on the user's computer when trying to trick the system.
Trojan.Winlock distribution paths
In most cases, infection occurs due to a browser vulnerability. The risk zone is all the same “adult” resources. The classic version of infection is an anniversary visitor with a valuable prize. Another traditional way of infection is through programs that masquerade as reputable installers, self-extracting archives, updates — Adobe Flash, etc. The Trojan’s interface is colorful and varied, the masking technique for windows of an anti-virus program is traditionally used, and animation is less commonly used.
Among the general variety of modifications, Trojan.Winlock can be divided into 3 types:
- Pornformors or banners that are forced only when the browser window opens.
- Banners that remain on the desktop after closing the browser.
- Banners that appear after loading the Windows desktop and blocking the launch of the task manager, access to the registry editor, loading in safe mode, and in some cases the keyboard.
In the latter case, to complete the minimum of simple manipulations needed by an attacker, the user has at his disposal a mouse to enter the code on the digital screen interface.
Bad habits of Trojan.Winlock
To ensure distribution and autorun, the Trojan.Winlock family viruses modify the registry keys:
- [... \ Software \ Microsoft \ Windows \ CurrentVersion \ Run] 'svhost' = '% APPDATA% \ svhost \ svhost.exe'
- [... \ Software \ Microsoft \ Windows \ CurrentVersion \ Run] 'winlogon.exe' = '
In order to make detection in the system more difficult, the virus blocks the display of hidden files, creates and starts execution:
- % APPDATA% \ svhost \ svhost.exe
Launches for execution:
\ winlogon.exe - % WINDIR% \ explorer.exe
\ cmd.exe / c "" "% TEMP% \ uAJZN.bat" "" \ reg.exe ADD "HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run" / v "svhost" / t REG_SZ / d "% APPDATA% \ svhost \ svhost.exe" / f
Terminates or attempts to terminate the system process:
- % WINDIR% \ Explorer.EXE
Makes changes to the file system:
Creates the following files:
- % APPDATA% \ svhost \ svhost.exe
- % TEMP% \ uAJZN.bat
Assigns a 'hidden' attribute for files:
- % APPDATA% \ svhost \ svhost.exe
Looking for windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
Treatment. Method 1. Selection of a code combination by payment details or phone number
The prevalence and severity of the problem prompted antivirus software developers to search for effective solutions to the problem. So on the Dr.Web website, the unlocking interface in the form of a window is presented in the public domain , where you need to enter the phone number or electronic wallet used for extortion. Entering the appropriate data in the window (see. Figure below) in the presence of a virus in the database will allow you to get the desired code.
Method 2. Search for the required unlock code by image in the Dr.Web service database
On another page of the site, the authors presented another choice option - a ready-made database of unlock codes for common versions of Trojan.Winlock, classified by image .
A similar code search service is provided by the ESET antivirus studio , which contains a database of almost 400,000 thousand unlock code options and Kaspersky Lab, which offered not only access to the code base, but also its own healing utility - Kaspersky WindowsUnlocker .
Method 3. Utilities - unlockers
Quite often there are situations when, due to virus activity or a system crash, Safe mode with command line support, which allows for the necessary operational manipulations, to be unavailable, and system rollback for some reason also becomes impossible. In such cases, Computer Troubleshooting and Windows Recovery Disc are useless, and you need to use the recovery options from the Live CD.
To resolve the situation, it is recommended to use a specialized healing utility, the image of which will need to be downloaded from a CD or a USB drive. For this, the appropriate boot option must be provided in the BIOS. After the boot disk with the image in the BIOS settings is given the highest priority, the first to boot the CD-ROM or flash drive with the image of the healing utility.
In the general case, it is most often possible to enter BIOS on a laptop using the F2 key, on the PC DEL / DELETE, but the keys and their combinations for entry may differ (F1, F8, less often F10, F12 ..., Ctrl + Esc, Ctrl + Ins, Ctrl + Alt, Ctrl + Alt + Esc, etc.). You can find out the key combination for entering by tracking the text information in the lower left area of the screen in the first seconds of entry. Learn more about the BIOS settings and features of various versions here .
Since only the latest BIOS versions support the mouse operation, you will most likely have to move up and down the menu using the up and down arrows, the + +, -, F5, and F6 buttons.
AntiWinLockerLiveCD
One of the most popular and simple utilities that effectively copes with ransomware banners - the “banner killer” AntiWinLockerLiveCD has earned its reputation.
The main functions of the program :
- Fixing changes to the most important parameters of the Operating System;
- Fixing the presence in the startup area of unsigned files;
- Protection against replacing some system files in WindowsXP userinit.exe, taskmgr.exe;
- Protection against shutdown by viruses Task Manager and Registry Editor;
- Protection of the boot sector from viruses like Trojan.MBR.lock;
- Protection of the area of substitution of the program image for another If the banner does not allow your computer to boot, AntiWinLocker LiveCD / USB will help to remove it in automatic mode and restore normal loading.
Automatic system recovery :
- Restores correct values in all critical areas of the shell;
- Disables unsigned files from startup;
- Eliminates the blocking of the Task Manager and registry editor;
- Clearing all temporary files and executable files from the user profile;
- Elimination of all system debuggers (HiJack);
- Restore HOSTS files to their original state;
- Recovery of system files if it is not signed (Userinit, taskmgr, logonui, ctfmon);
- Move all unsigned jobs (.job) to the AutorunsDisabled folder;
- Delete all Autorun.inf files found on all drives;
- Boot sector recovery (in WinPE).
Treatment with the AntiWinLocker LiveCD utility is not a panacea, but one of the easiest and fastest ways to get rid of the virus. The LiveCD distribution, even in its lightweight free Lite version, has all the necessary tools for this - the FreeCommander file manager, which provides access to system files, access to startup files, and registry access.
The program is a real find for novice users, because it allows you to choose the automatic scan and correction mode, during which the virus and the consequences of its activity will be found and neutralized in a few minutes with virtually no user intervention. After rebooting, the machine will be ready to continue to work in normal mode.
The sequence of actions is extremely simple:
Download the AntiWinLockerLiveCD file of the required version to a third-party computer in ISO format, insert the CD-ROM into its drive and then, right-clicking on the file, select “Open with”, then select “Windows Disk Image Burner” - “Burn” and we rewrite the image to a CD-ROM. The boot disk is ready.
- We place the disk with the image in the drive of a locked PC / laptop with pre-configured BIOS parameters (see above);
- We are waiting for the LiveCD image to load into RAM.
- After starting the program window, select the locked account;
- We select Professional or Lite version for data processing. The free version (Lite) is suitable for almost all tasks;
- After selecting the version, select the disk on which the locked Windows is installed (if it is not automatically selected by the program), the User account used by the OS, and set the search parameters.
For the purity of the experiment, you can tick off all menu items except the last one (restore the boot sector).
Click “Start” / “Start treatment”.
Waiting for verification results. Problem files at its end will be highlighted in red on the screen.
As we expected, the program paid special attention to the search for the virus in the given example to its traditional habitats. The utility recorded changes in the Shell parameters that are responsible for the graphical shell of the OS. After treatment and closing all the windows of the program in the reverse order, clicking the “Exit” button and rebooting, the familiar Windows splash screen regained its usual position. Our problem has been solved successfully.
Among the additional useful tools of the program:
- Registry Editor
- Command line;
- Task Manager;
- Disk utility TestDisk;
- AntiSMS.
Automatic scanning by the AntiWinLockerLiveCD utility does not always make it possible to detect a blocker.
If automatic cleaning fails, you can always take advantage of the File Manager by checking the paths C: or D: \ Documents and Settings \ Username \ Local Settings \ Temp (For Windows XP) and C: or D: \ Users \ Name User \ AppData \ Local \ Temp (For Windows 7). If the banner is registered at startup, it is possible to analyze the scan results in manual mode, which allows you to disable startup items.
Trojan.Winlock, as a rule, does not dig too deeply, and is fairly predictable. All that is needed to remind him of his place is a couple of good programs and tips, and, of course, prudence in limitless cyberspace.
Prevention
Purely not where they often clean, but where they do not litter! - True, but in the case of a funny Trojan, as never before! In order to minimize the likelihood of infection, you should adhere to a few simple and quite feasible rules.
Think of a password for the Admin account more complicated, which will not allow a straightforward malware to pick it up using the simplest search method.
In the browser settings, check the option to clear the cache after the session, prohibit the execution of files from temporary folders of the browser, etc.
Always have the LiveCD (FlashUSB) healing disk / flash drive written from a trusted resource (torrent) at hand.
Save the installation disk with Windows and always remember where it is. At the hour “H” from the command line, you can restore vital system files to their original state.
Create a recovery checkpoint at least every two weeks.
Run any dubious software - cracks, keygens, etc., run under a virtual PC (VirtualBox, etc.). This will provide an opportunity to easily repair damaged segments using the virtual PC shell.
Back up to external media regularly. Forbid writing files to dubious programs.
Good luck in your endeavors and only pleasant, and most importantly - safe meetings!
Afterword from the iCover Team
We hope that the information provided in this material will be useful to readers of the iCover blogand will help to cope with the described problem in a matter of minutes without much difficulty. We also hope that in our blog you will find a lot of useful and interesting things, you can get acquainted with the results of unique tests and examinations of the latest gadgets, find answers to the most pressing questions, the solution of which was often required yesterday.).