Win32/Virlock [Threat Name]

Detection created2014-11-21
World activity peak 2015-03-06 (0.01 %)
Short description

Win32/Virlock is a polymorphic file infector. After a certain time delay, the virus blocks access to operating system. To regain access to the operating system the user is asked to send information/certain amount of money via the Bitcoin payment service.

Installation

When executed, the virus creates the following files:

  • %allusersprofile%\­%variable1%\­%variable2%
  • %allusersprofile%\­%variable1%\­%variable2%.exe (Win32/Virlock)
  • %userprofile%\­%variable3%\­%variable4%
  • %userprofile%\­%variable3%\­%variable4%.exe (Win32/Virlock)

In order to be executed on every system start, the virus sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable2%.exe" = "%allusersprofile%\­%variable1%\­%variable2%.exe"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable4%.exe" = "%userprofile%\­%variable3%\­%variable4%.exe"

A string with variable content is used instead of %variable1-4% .

File infection

Win32/Virlock is a polymorphic file infector.


The virus searches fixed and network drives for files to infect.


It avoids files which contain any of the following strings in their path:

  • \­program
  • \­Program
  • \­PROGRAM
  • \­temp
  • \­Temp
  • \­TEMP
  • \­Windows
  • \­windows
  • \­WINDOWS

When the virus finds a file matching the search criteria, it overwrites its content.


The original file is embedded in the newly created file in an encrypted form.


The file name and extension of the newly created file is derived from the original file/folder name.


An additional ".exe" extension is appended.

Payload information

Win32/Virlock is a virus that blocks access to the Windows operating system.


To regain access to the operating system the user is asked to send information/certain amount of money via the Bitcoin payment service.

Other information

The virus acquires data and commands from a remote computer or the Internet.


The virus contains a list of URLs. The HTTP protocol is used in the communication.

Threat Variants with Description

Threat Variant Name Date Added Threat Type
Win32/Virlock.J 2015-02-24 virus
Win32/Virlock 2014-11-21 virus
Win32/Virlock.C 2014-11-21 virus
Win32/Virlock.A 2014-11-21 virus

Please enable Javascript to ensure correct displaying of this content and refresh this page.