Win32/Virlock [Threat Name]
Win32/Virlock.A [Threat Variant Name]
Available cleaner: Virlock Cleaner
Category | virus
Aliases | Virus.Win32.PolyRansom.a (Kaspersky), Virus:Win32/Nabucur.A (Microsoft)
Short description
Win32/Virlock.A is a polymorphic file infector. After a certain time delay, the virus blocks access to the operating system. To regain access to the operating system, the user is asked to send information or a certain amount of money via the Bitcoin payment service.
Installation
When executed, the virus creates the following files:
- %allusersprofile%\%variable1%\%variable2%
- %allusersprofile%\%variable1%\%variable2%.exe (Win32/Virlock.A)
- %userprofile%\%variable3%\%variable4%
- %userprofile%\%variable3%\%variable4%.exe (Win32/Virlock.A)
A string with variable content is used in place of %variable1% to %variable4%.
In order to be executed on every system start, the virus sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable2%.exe" = "%allusersprofile%\%variable1%\%variable2%.exe"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable4%.exe" = "%userprofile%\%variable3%\%variable4%.exe"
File infection
Win32/Virlock.A is a polymorphic file infector.
The virus searches local and network drives for files with one of the following extensions:
- *.exe
- *.doc
- *.xls
- *.zip
- *.rar
- *.ppt
- *.mdb
It avoids files which contain any of the following strings in their path:
- \program
- \Program
- \PROGRAM
- \temp
- \Temp
- \TEMP
- \Windows
- \windows
- \WINDOWS
When the virus finds a file matching the search criteria, it overwrites its content.
The original file is embedded in the newly created file in an encrypted form.
The file name and extension of the newly created file are derived from the original file/folder name.
An additional ".exe" extension is appended.
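The infection rule above leaves a recognisable trace: the original extension survives in the new file name, followed by the appended ".exe". The following hunting script is an added example (not ESET's code or tooling) that applies the page's extension list and path-exclusion strings to find such names; the sample directory tree it builds is constructed from empty files.

```python
"""Hunt for Win32/Virlock.A-style infected files: the virus replaces a target
file with an executable named after the original plus ".exe" (e.g. "budget.xls"
becomes "budget.xls.exe"). Added example, not code from the original page."""
import os
import tempfile
from typing import List

# Extensions the page says the virus targets; the original extension is kept
# in the infected file's name, followed by the appended ".exe".
TARGET_EXTENSIONS = (".exe", ".doc", ".xls", ".zip", ".rar", ".ppt", ".mdb")

# Path substrings the virus skips, in the case variants listed on the page.
SKIPPED_PATH_STRINGS = ("\\program", "\\Program", "\\PROGRAM",
                        "\\temp", "\\Temp", "\\TEMP",
                        "\\Windows", "\\windows", "\\WINDOWS")


def is_virlock_style_name(filename: str) -> bool:
    """True for names like 'report.doc.exe': a target extension plus '.exe'."""
    lower = filename.lower()
    if not lower.endswith(".exe"):
        return False
    stem = lower[:-4]                      # strip the appended ".exe"
    return stem.endswith(TARGET_EXTENSIONS)


def would_be_targeted(path: str) -> bool:
    """Apply the page's search rule to a Windows path: a listed extension and
    none of the skipped strings anywhere in the path (matched as listed)."""
    if not path.lower().endswith(TARGET_EXTENSIONS):
        return False
    return not any(s in path for s in SKIPPED_PATH_STRINGS)


def find_infected(root: str) -> List[str]:
    """Walk root; return sorted relative paths whose names match the pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_virlock_style_name(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample layout of empty files (no malware involved)."""
    root = tempfile.mkdtemp(prefix="virlock_demo_")
    for rel in ("docs/budget.xls.exe", "docs/photo.doc", "tools/setup.exe",
                "tools/tool.exe.exe", "notes/readme.txt.exe"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root


if __name__ == "__main__":
    for hit in find_infected(build_sample_tree()):
        print("suspicious:", hit)
```

A real hunt would run `find_infected` over user profile and network share roots, since those are where the page says the virus looks; hits inside the skipped paths are still worth checking, because only this variant's own search honours that exclusion list.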
Payload information
Win32/Virlock.A is a virus that blocks access to the Windows operating system.
To regain access to the operating system, the user is asked to send information or a certain amount of money via the Bitcoin payment service.
The virus may display the following dialog windows:
Other information
The virus acquires data and commands from a remote computer or the Internet.
The virus contains a list of three URLs. The HTTP protocol is used in the communication.