Full Report
Win32/VirLock is ransomware that locks victims’ screens but also acts as a parasitic virus, infecting existing files on their computers. The virus is also polymorphic, which makes it an interesting piece of malware to analyze. This is the first time such a combination of malware features has been observed.
Analysis Summary
# Tool/Technique: Win32/VirLock
## Overview
Win32/VirLock is a unique piece of malware that functions both as ransomware (locking the victim's screen and demanding a Bitcoin ransom) and as a parasitic virus. It actively infects existing executable files by prepending its body to them, a feature combination rarely seen, reminiscent of older DOS-era polymorphic viruses.
## Technical Details
- Type: Malware family (Ransomware/Parasitic Virus)
- Platform: Win32 (Windows)
- Capabilities: Full-screen locking, file encryption, parasitic infection of executables, polymorphism, persistence via multiple drops and service registration.
- First Seen: October (specific year not detailed, but context suggests 2014 based on related articles).
## MITRE ATT&CK Mapping
*Note: As this is a specific malware family with custom behavior, direct, precise mappings are inferred based on the described capabilities.*
- **TA0003 - Persistence**
  - T1547 - Boot or Logon Autostart Execution
  - T1547.001 - Registry Run Keys / Startup Folder
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1027.002 - Compiler or Interpreter Effects (due to polymorphism)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (Implied, for potential C2 or payment instruction delivery)
- **TA0012 - Impact**
  - T1486 - Data Encrypted for Impact
  - T1490 - Inhibit System Recovery (via screen lock and process termination)
## Functionality
### Core Capabilities
- **Screen Locking:** Displays a full-screen ransom notification, blocking simple methods of closing it. It implements protective measures to shut down `explorer.exe` and Task Manager.
- **Parasitic Infection:** Locates host files (targeting executables and many other file types including documents, archives, and media) and embeds its body into them. If the host is not a PE file, it appends the infected code and renames the file to have a `.exe` extension, using the original file's icon.
- **Persistence:** Drops two unique, randomly named instances of itself into `%userprofile%` and `%allusersprofile%` directories, adding entries to both HKCU and HKLM Run registry keys. Newer variants drop a third instance registered as a service for self-defense against termination.
### Advanced Features
- **Polymorphism:** The malware is highly polymorphic. Each dropped instance is unique, and the infection process involves complex re-encryption layers (encrypting Part 2, the host file, Part 1, and generating a random XOR stub) for every new infected file, making signature updates difficult.
- **Localization:** The lock screen performs basic localization by checking the redirection of `google.com` and the return value of the Windows API function `GetUserGeoID`.
- **Host Decryption:** Upon execution of an infected file, the malware decrypts and executes the original host file from within its body, setting it apart from typical filecoders.
- **Limited Utility:** The lock screen surprisingly allows victims to open an Internet browser and Notepad.
## Indicators of Compromise
- File Hashes: [Not specified in the text]
- File Names: Instances dropped in persistence locations have randomly generated names.
- Registry Keys: Entries added under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`.
- Network Indicators: Checks connection to various regional Google domains (`google.com.au`, `google.ca`, `google.co.uk`, `google.co.nz`) for localization purposes.
- Behavioral Indicators: Modification of PE files by prepending executable content; termination attempts against `explorer.exe` and Task Manager; crawling local/removable drives and network shares for files with specific extensions (`*.exe`, `*.doc`, `*.xls`, `*.pdf`, `*.zip`, `*.rar`, etc.).
## Associated Threat Actors
- [Not specified in the text, attributed to an unknown malware author.]
## Detection Methods
- Signature-based detection: Possible against the known body or structure, though challenged by polymorphism.
- Behavioral detection: Detecting the pattern of process termination (`explorer.exe`, Task Manager) combined with file modification (especially renaming non-executables to `.exe`) and writing to Run keys.
- YARA rules: [Not specified in the text]
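A small triage routine, added here as an illustration and not part of the original report, that correlates the three behaviors named under Persistence and Detection Methods (shell/Task Manager termination, non-executable renamed to `.exe`, Run key write) per process over constructed endpoint events; the event field names, pids, paths and value names are assumptions:

```python
import re
from collections import defaultdict

# Behaviors the write-up names: killing explorer.exe / Task Manager,
# renaming non-executables to .exe, and writing HKCU/HKLM Run keys.
KILL_TARGETS = {"explorer.exe", "taskmgr.exe"}
DOC_EXTS = (".doc", ".xls", ".pdf", ".zip", ".rar")
RUN_KEY = re.compile(r"^HK(CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
REQUIRED = {"kills_shell", "doc_to_exe", "run_key"}

def classify(ev):
    """Return the behavior tag for one event, or None if it is uninteresting."""
    if ev["type"] == "proc_terminate" and ev["target"].lower() in KILL_TARGETS:
        return "kills_shell"
    if ev["type"] == "file_rename":
        src, dst = ev["src"].lower(), ev["dst"].lower()
        if dst.endswith(".exe") and src.endswith(DOC_EXTS):
            return "doc_to_exe"
    if ev["type"] == "reg_set" and RUN_KEY.match(ev["key"]):
        return "run_key"
    return None

def triage(events):
    """Group tags by pid; flag only pids that show all three behaviors together."""
    seen = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            seen[ev["pid"]].add(tag)
    return {pid: tags for pid, tags in seen.items() if REQUIRED <= tags}

# Constructed sample events (hypothetical pids, paths and Run value names).
SAMPLE_EVENTS = [
    {"pid": 4120, "type": "proc_terminate", "target": "explorer.exe"},
    {"pid": 4120, "type": "proc_terminate", "target": "Taskmgr.exe"},
    {"pid": 4120, "type": "file_rename", "src": r"D:\share\budget.xls", "dst": r"D:\share\budget.xls.exe"},
    {"pid": 4120, "type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\XyQk"},
    # Benign installer: Run key plus a .tmp -> .exe rename, but no shell kill.
    {"pid": 880, "type": "file_rename", "src": r"C:\tmp\setup.tmp", "dst": r"C:\tmp\setup.exe"},
    {"pid": 880, "type": "reg_set", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # User restarting the shell: a lone explorer.exe termination.
    {"pid": 2200, "type": "proc_terminate", "target": "explorer.exe"},
]

if __name__ == "__main__":
    for pid, tags in triage(SAMPLE_EVENTS).items():
        print(f"pid {pid}: VirLock-like pattern {sorted(tags)}")
```

Requiring all three behaviors from one process keeps a lone shell restart or an installer's Run key write from firing, which is the trade-off the polymorphism discussion above pushes detection toward.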
## Mitigation Strategies
- Prevention measures: Standard anti-virus protection, though polymorphism requires heuristic/behavioral detection capabilities.
- Hardening recommendations: Implementing application allow-listing, strict permission controls on executable paths, and limiting user permissions to prevent service creation and registry modifications.
## Related Tools/Techniques
- TorrentLocker (Mentioned as a comparison point for widespread ransomware)
- Cryptolocker (Mentioned as a common Filecoder example)
- Android/Simplocker (Mentioned as a hybrid ransomware example)
- DOS-era polymorphic viruses (e.g., Whale virus)