
VirLock Ransomware

Posted: December 10, 2014

Threat Metric

Ranking: 17,116
Threat Level: 10/10
Infected PCs: 363
First Seen: December 10, 2014
Last Seen: August 26, 2023
OS(es) Affected: Windows

The VirLock Ransomware is a virus that unlawfully restricts your access to arbitrary files to force you to pay a ransom fee. Although the VirLock Ransomware displays messages claiming that this attack is part of a legal effort to suppress software piracy, the VirLock Ransomware is unrelated to any law enforcement agency of any nation. Like any virus, the VirLock Ransomware should be regarded as threatening software. With regular backups and anti-malware software available, removing the VirLock Ransomware and other threats with a propensity for locking your files shouldn't require paying any illegal fees.

Why Your Files are a Matter of 'National Security'

The VirLock Ransomware is a recent variant of ransomware only confirmed in the last month of 2014, although the techniques the VirLock Ransomware uses are heavily reminiscent of old threats like the International Cyber Security Protection Alliance Virus. While blocking your access to randomly-determined files on your PC, the VirLock Ransomware loads a JPG-based warning message that threatens legal action against any computer users who fail to pay the file-unlocking fine. Malware experts are still examining the full extent of the VirLock Ransomware's attacks. However, because it is a virus, the VirLock Ransomware infects files on your PC with its own code. This attack diverges from traditional ransomware payloads, which include deleting, replacing or encrypting the victim's data. As a result, trying to launch any infected file will execute the VirLock Ransomware.

Oddly, the VirLock Ransomware's warning message includes an option for paying your fee at a local courthouse, seemingly as a ploy to make the VirLock Ransomware's alert appear legitimate. Despite its warning claiming affiliation with a non-specific 'National Security Bureau' (which could refer to China or Slovakia, for example), the VirLock Ransomware is not supported by any legal institution. The first option for a ransom payment uses a Bitcoin-based fund transfer, which is typical for the cash transactions of threatening software.

VirLock Ransomware's warning message includes formats targeting English speakers, although its legal references aren't oriented to any individual nation. As usual, the VirLock Ransomware claims that the victim is operating under a theoretical time limit before other penalties are implemented (such as jail time). Also as usual, malware researchers find no evidence of the VirLock Ransomware including other, time-based attacks to supplement the baseline file infections.

Unlocking Your Files from a Virus's Tampering

Although its inclusion of a virus-based file infection strategy is mildly unusual, the VirLock Ransomware also shows signs of being a shallowly-designed strategy with a visible lack of the intricacies of prior threats. As a rule, you always should regard suspicious legal messages claiming to block files on your PC at random as attacks against your system. Telltale signs of ransomware messages can include failures to provide appropriate references or attempts to extort money. As per usual virus removal protocols, all potentially infected files should be scanned by AV tools that can delete VirLock Ransomware without harming the original file data. Alternately, you may use your security software to remove all infected files and restore previous copies from any uninfected backup sources.

Malware researchers have yet to confirm any distribution models for the VirLock Ransomware, but common techniques associated with ransomware include browser-based attacks, fake e-mail attachments and vulnerabilities in Flash or JavaScript. Because of its virus classification, the VirLock Ransomware should be assumed to be capable of compromising other files on both your PC and any removable devices, and containing the VirLock Ransomware should be a priority for any computer user.

Aliases

Trojan-FFGO!8803D517AC24 [McAfee]
Trojan-Downloader.Win32.Geral.bgab [Kaspersky]
Trojan-FFGO!0522C889F96C [McAfee]
Trojan/Win32.Katusha [AhnLab-V3]
BehavesLike.Win32.PWSZbot.cc [McAfee-GW-Edition]
Trojan-Downloader.Win32.Geral.bdem [Kaspersky]
Trojan-Downloader.Win32.Geral.bhyq [Kaspersky]
Trojan-FFGO!9C7A6F0BC3A9 [McAfee]
TrojanDownloader.Geral.r1 (Not a Virus) [CAT-QuickHeal]
Trojan/Win32.Agent [AhnLab-V3]
Virus:Win32/Nabucur.gen!A [Microsoft]
Trojan[Dropper]/Win32.Demp [Antiy-AVL]
W32/S-7136ec3b!Eldorado [F-Prot]
BehavesLike.Win32.IRCBot.dc [McAfee-GW-Edition]
Trojan-Dropper.Win32.Demp.afwh [Kaspersky]

Technical Details

File System Modifications


The following files were created in the system:




Registry Modifications

The following Registry values were newly created:

HKEY..\..\..\..{RegistryKeys}
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gsQoAIAM.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NmYcsoAc.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PywYQwIg.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qEoYgUIU.exe
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gsQoAIAM.exe
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NmYcsoAc.exe
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qEoYgUIU.exe

Additional Information

The following directories were created:

%ALLUSERSPROFILE%\dekAoYQc
%ALLUSERSPROFILE%\dqcMAIgw
%ALLUSERSPROFILE%\pCUcwEQc
%USERPROFILE%\cQkcgwQg

The following messages were detected:

# Message
1 NATIONAL SECURITY BUREAU Your computer was automatically blocked. Reason: Pirated software found on this computer. Your computer is now blocked. 7 files have been temporarily blocked on your computer. To regain computer access and restore files you are required to pay a 250 USD Blocked files will be permanently removed from your computer if the fine is not paid. The NSB has two ways to pay a fine: 1.You can pay your fine online through BitCoin. BitCoin is available nationwide. Click the tabs below to find the nearest vendor. Your computer will be unlocked after you make your payment Your computer will be unlocked within 4-5 working days. To regain access transfer bitcoins to the following address (click to copy): 198tX7NmLg6o8qcTT2Uv9cSBVzN3oEozpv After the payment is finalized enter Transfer ID below. Amount: Transfer ID: BTC 0.652 PAY FINE If the fine is not paid, a warrant will be issues for your arrest, Which will be forwarded to your local authorities. You will be charged, fined, convicted for up to 5 years. Payment
