Against the backdrop of the coronavirus pandemic, there is a feeling that an equally large-scale digital epidemic has broken out alongside it.
Both executables are in the Portable Executable format, meaning they target Windows, and both are compiled for x86. Notably, they are very similar to each other; the difference is that CoViper is written in Delphi, as shown by its compilation timestamp of June 19, 1992 (the fixed placeholder timestamp that Delphi-built binaries carry) and by its section names, while CoronaVirus is written in C. Both are ransomware.
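The two indicators used above, the COFF timestamp and the section names, can be pulled from a PE header with a few dozen lines. The following is an added example written for this page, not code from the article or from either sample: it parses the DOS header, PE signature, COFF header and section table, and flags the Delphi-specific timestamp (0x2A425E19, which decodes to 1992-06-19 22:22:17 UTC) and the CODE/DATA/BSS section names. The two input images are constructed stand-ins, and the section-name rule is a heuristic assumed here, not something the article states.

```python
import datetime
import struct

# Added example (not from the original article): PE header triage that extracts
# the COFF TimeDateStamp and the section names to tell a Delphi build from a
# C build of an x86 Windows binary.
IMAGE_FILE_MACHINE_I386 = 0x14C
# Delphi's linker writes this fixed timestamp (1992-06-19 22:22:17 UTC) instead
# of the real build time, which is why a 1992 date points at Delphi.
DELPHI_TIMESTAMP = 0x2A425E19
# Section names the Delphi linker uses; assumed here as a second, heuristic signal.
DELPHI_SECTION_NAMES = {"CODE", "DATA", "BSS"}


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sec_table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER is 40 bytes; Name is the first 8, NUL-padded
        raw_name = data[sec_table + 40 * i: sec_table + 40 * i + 8]
        sections.append(raw_name.rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "timestamp": tstamp, "sections": sections}


def triage(data: bytes) -> dict:
    """Turn raw header fields into the yes/no indicators an analyst wants."""
    pe = parse_pe(data)
    when = datetime.datetime.fromtimestamp(pe["timestamp"], tz=datetime.timezone.utc)
    pe["compiled"] = when.strftime("%Y-%m-%d %H:%M:%S UTC")
    pe["x86"] = pe["machine"] == IMAGE_FILE_MACHINE_I386
    pe["delphi_timestamp"] = pe["timestamp"] == DELPHI_TIMESTAMP
    pe["delphi_sections"] = DELPHI_SECTION_NAMES.issubset(pe["sections"])
    pe["likely_delphi"] = pe["delphi_timestamp"] or pe["delphi_sections"]
    return pe


def build_sample_pe(timestamp: int, section_names: list) -> bytes:
    """Constructed minimal PE image (headers only, no optional header or code),
    used here as test input in place of the real samples."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(section_names),
                       timestamp, 0, 0, 0, 0x0102)
    table = b"".join(name.encode("ascii").ljust(8, b"\0") + bytes(32) for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table


# Constructed stand-ins: a Delphi-style and a C-style header layout.
DELPHI_LIKE = build_sample_pe(DELPHI_TIMESTAMP,
                              ["CODE", "DATA", "BSS", ".idata", ".tls", ".rdata", ".reloc", ".rsrc"])
C_LIKE = build_sample_pe(0x5E800000, [".text", ".rdata", ".data", ".rsrc"])

if __name__ == "__main__":
    for label, blob in (("delphi-like", DELPHI_LIKE), ("c-like", C_LIKE)):
        print(label, triage(blob))
```

On a real file, read it in binary mode and pass the bytes to `triage`; the same timestamp check is a quick way to spot when a sample's build date is not a build date at all.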
Ransomware are programs that, once on the victim's computer, encrypt the user's files, disrupt the normal boot process of the operating system, and tell the user that they must pay the attackers to get the files decrypted.
After launch, the programs look for user files on the computer and encrypt them. The search is done with standard API functions, examples of which are easy to find on MSDN.
Fig. 1. Search for user files
After a while, they restart the computer and display a similar message saying that the computer is locked.
Fig. 2. Blocking message
To disrupt the boot process of the operating system, the ransomware uses a simple method: modifying the master boot record (MBR).
Fig. 3. Modification of the boot record
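The defender's side of an MBR overwrite is an integrity check on sector 0. The following is an added example, not code from the article or from any of the ransomware families it names: it parses the 512-byte sector into boot code, partition table and boot signature, compares the boot code against a hash recorded while the system was known good, and reports the kinds of inconsistency an overwrite leaves behind. The healthy and tampered sectors are constructed inline as test input; the placeholder boot-code bytes and the baseline hash are assumptions of the example.

```python
import hashlib
import struct

# Added example (not from the original article): an MBR integrity check of the
# kind a defender runs against sector 0 of a disk or disk image, reporting the
# changes an MBR-overwriting locker leaves behind instead of reproducing them.
SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: boot code
PARTITION_TABLE_OFFSET = 446  # 4 entries x 16 bytes
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS first (3 bytes), type, CHS last (3 bytes), LBA start, sector count
        status, _, ptype, _, lba_start, sectors = struct.unpack_from("<B3sB3sII", sector, off)
        partitions.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:BOOT_CODE_SIZE],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_sha256:
        findings.append("boot code differs from recorded baseline (possible overwrite)")
    active = [p for p in mbr["partitions"] if p["status"] == 0x80]
    if len(active) > 1:
        findings.append("more than one active partition")
    if any(p["status"] not in (0x00, 0x80) for p in mbr["partitions"]):
        findings.append("invalid partition status byte")
    if all(p["type"] == 0 for p in mbr["partitions"]):
        findings.append("partition table is empty")
    return findings


def make_mbr(boot_code: bytes, partitions: list, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Constructed MBR sector used as test input; partitions are (status, type, lba_start, sectors)."""
    table = b"".join(
        struct.pack("<B3sB3sII", status, bytes(3), ptype, bytes(3), start, count)
        for status, ptype, start, count in partitions
    )
    return boot_code.ljust(BOOT_CODE_SIZE, b"\0")[:BOOT_CODE_SIZE] + table.ljust(64, b"\0") + signature


# Constructed stand-in for a healthy MBR: placeholder boot code and one active NTFS partition.
GOOD_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_SIZE - 7)
GOOD_PARTITIONS = [(0x80, 0x07, 2048, 1024000)]
GOOD_MBR = make_mbr(GOOD_BOOT_CODE, GOOD_PARTITIONS)
# Baseline hash, assumed to have been recorded while the system was known good.
BASELINE_SHA256 = hashlib.sha256(GOOD_BOOT_CODE).hexdigest()
# Same partition table, boot code replaced: the footprint of an MBR overwrite.
TAMPERED_MBR = make_mbr(b"TAMPERED-BOOT-CODE", GOOD_PARTITIONS)

if __name__ == "__main__":
    print("good:", check_mbr(GOOD_MBR, BASELINE_SHA256))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_SHA256))
```

In practice the baseline hash is taken once from a clean system and stored off the host; the check then runs periodically or from a recovery environment, since a machine whose MBR has already been replaced will not boot far enough to run it itself.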
This method of locking a computer is also used by many other families: SmartRansom, Maze, ONI Ransomware, Bioskits, MBRlock Ransomware, HDDCryptor Ransomware, RedBoot and UselessDisk. An implementation of the MBR overwrite became available to the general public once the source code of programs such as MBR Locker appeared on the net. To confirm this on GitHub
Compiling this code from GitHub
It turns out that building malware does not require great skill or resources; it can be done by anyone, anywhere. The code roams freely on the net and easily reappears in such programs. That is food for thought. This is a serious problem that requires intervention and action.
Source: habr.com