{
	"id": "47294c91-c08b-4a24-8dfc-f9cfc357a5fd",
	"created_at": "2026-04-06T00:14:48.047408Z",
	"updated_at": "2026-04-10T13:12:12.313651Z",
	"deleted_at": null,
	"sha1_hash": "a6b336ed21a7fb3868a23fa0469028628ca91b88",
	"title": "Virlock: First Self-Reproducing Ransomware is also a Shape Shifter",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1413902,
	"plain_text": "Virlock: First Self-Reproducing Ransomware is also a Shape Shifter\r\nBy Robert Lipovsky\r\nArchived: 2026-04-05 20:55:01 UTC\r\nWin32/VirLock is ransomware that locks victims’ screens but also acts as a parasitic virus, infecting existing files\r\non their computers. The virus is also polymorphic, which makes it an interesting piece of malware to analyze.\r\nThis is the first time such a combination of malware features has been observed.\r\nNOTE: Victims can restore their VirLock-infected files using our standalone cleaner, available for download.\r\nFollowing the release of ESET's detailed white-paper covering our research into the TorrentLocker ransomware,\r\nwe can now shed some light on a curious new member of the malware family extorting payments from infected\r\nusers.\r\nIn most cases, ransomware is either of the ‘LockScreen’ type or the ‘Filecoder’ type. When a typical Filecoder\r\nencrypts files on the victim’s hard drive it usually doesn’t lock the screen, or otherwise prevent the victim from using\r\ntheir computer. The ransom notification can be displayed in several ways, such as displaying it on the desktop\r\nwallpaper, by opening a text file, or – most commonly – inside a regular window (this was also the method used\r\nby Cryptolocker).\r\nIn some cases, ransomware takes a hybrid approach by both encrypting files and locking the screen by displaying\r\na full screen message and blocking simple methods of closing it. An example of this behavior is\r\nAndroid/Simplocker – the first filecoder for Android.\r\nIn October we discovered a new, previously unseen approach – Win32/VirLock is ransomware that locks the\r\nscreen and then not only encrypts existing files, but also infects them by prepending its body to executable files –\r\nthus acting as a parasitic virus. Sophos has also written about this interesting piece of malware on their blog.\r\nWe have observed a number of variants of the virus last month. 
This shows that the malware author has been\r\nkeeping busy working on their creation. In fact, the virus looks somewhat like a malicious experiment and\r\ndue to its polymorphic nature reminds us of viruses from the DOS era, such as the Whale virus. The way VirLock\r\nis implemented demonstrates a high level of programming skill, yet some of its functionality seems to be lacking\r\nlogic, which is somewhat puzzling.\r\nIn this blog post we give a general overview of the virus behavior and explain what makes it polymorphic.\r\nWin32/VirLock overview\r\nA file infected with VirLock will be embedded into a Win32 PE file and the .exe extension appended to its name,\r\nunless it was already an executable file. When it is executed, it decrypts the original file from within its body,\r\ndrops it to the current directory and opens it.\r\nhttps://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/\r\nPage 1 of 10\n\nThe decryption methods are described later in the article. This\r\nbehavior clearly sets it apart from typical filecoders.\r\nVirLock then installs itself by dropping two randomly named instances of itself (not copies – the virus is\r\npolymorphic, so every instance is unique) into the %userprofile% and %allusersprofile% directories and adds\r\nentries in the Run registry keys under HKCU and HKLM so that they are launched when Windows boots up.\r\nThese instances, which only contain the virus body without a host file to decrypt, are then launched. More recent\r\nvariants of VirLock also drop a third instance that is registered as a service. This approach serves as a simple self-defense mechanism for the malware – processes and files get restored when they’re terminated or deleted.\r\nThe dropped instances are responsible for executing the actual malicious payloads.\r\nOne thread takes care of the infection of files. 
Win32/VirLock looks for host files by crawling through local and\r\nremovable drives, and even network shares, to maximize its spreading potential. The file extensions intended to be\r\ninfected differ between VirLock versions. An extension list from a recent sample contains the following: *.exe,\r\n*.doc, *.xls, *.zip, *.rar, *.pdf, *.ppt, *.mdb, *.mp3, *.mpg, *.png, *.gif, *.bmp, *.p12, *.cer, *.psd, *.crt, *.pem,\r\n*.pfx, *.p12, *.p7b, *.wma, *.jpg, *.jpeg.\r\nAnother thread contains the lockscreen functionality – with typical protective measures like shutting down\r\nexplorer.exe, the Task Manager, and so on – and displays the following ransom screen.\r\nThe ransom message is self-explanatory, so we will only cover the unique aspects. The screenshot above is from\r\nan earlier version, whereas the ones below are from a more recent one. The ransom is expected in Bitcoin and the\r\nmalware author also gives clear instructions to victims who may not be familiar with the cryptocurrency. The\r\nlockscreen even allows victims to use an Internet browser and Notepad.\r\nThe screen locker is able to do some basic localization based on whether a connection attempt to google.com was\r\nredirected to either google.com.au, google.ca, google.co.uk, or google.co.nz and on the return value of the\r\nGetUserGeoID function. For those selected countries a different flag, different Bitcoin exchanges and a different displayed currency\r\nwill be shown. 
Even the ransom amount appears to be variable: either 150 USD or 250 USD / GBP / EUR / NZD\r\n/ CAD / AUD.\r\nVirLock polymorphism\r\nFrom a technical point of view, probably the most interesting part about this malware is that the virus is\r\npolymorphic, meaning its body will be different for each infected host and also each time it’s executed. But before\r\nwe explain how the code changes, we must take a look at the multiple layers of encryption it uses.\r\nA simplified execution flow of earlier variants of Win32/VirLock is shown in the following infographic:\r\nWhen a Win32/VirLock binary is loaded into memory, the only unencrypted code is something we’ll call an XOR\r\nstub builder; all other code, data and the original file (if present – the same scheme applies to “stand-alone”\r\nVirLock instances) are encrypted.\r\nThe following description of the XOR stub builder applies to older variants of Win32/VirLock. Newer variants\r\nemploy a slightly more complex mechanism. The builder contains eight similar blocks like the one in the example\r\ncode snippet below.\r\nEach block consists of a specific calculated DWORD being written to a specific memory offset. The registers,\r\noperations (additions and subtractions) and constants are generated at random but produce the same desired\r\noutput. Each of these blocks generates 4 bytes of the XOR stub, which is exactly 32 bytes of assembly code. This\r\nstub is the next stage in Win32/VirLock’s execution.\r\nThe XOR stub, as its name implies, will decrypt a smaller part (Part 1) of the actual VirLock code that consists of\r\nseveral functions. 
In the example below, the XOR key used is 0x6B130E06 and the size of Part 1 is 0x45C.\r\nThe rest of the code (Part 2), as well as the contained original file, remain encrypted at this point.\r\nAn interesting feature of Win32/VirLock is that the body of (nearly) every single one of its functions is also\r\nencrypted and contains a decryption stub at the beginning. This complicates analysis of the malware, as none of\r\nthe functions’ relevant code is visible in a disassembler. The function encryption is again simple – a checksum\r\nof the decryption stub is calculated and used as the XOR key for the function’s body.\r\nTo make things more fun, after the function’s execution, its body will be encrypted again. The key will be\r\ndifferent, however: as shown in the code snippet below, a few garbage instructions within the decryption stub are\r\nXORed with a random number (from RDTSC), thus effectively changing the checksum that’s used as the key.\r\nThis is the first part of VirLock’s polymorphism – as it executes, its functions are effectively changing in memory\r\nas they decrypt and re-encrypt themselves. And the memory ‘snapshot’ modified this way contributes (more\r\npolymorphic levels to follow) to the virus’s uniqueness in each infected file.\r\nThe code that makes up Part 1 also contains another decryption function that’s used to decrypt Part 2 and the\r\nembedded host file. This third type of decryption is only slightly more complex than the previous ones in that it\r\nuses ROR in addition to XOR. 
The decryption keys for the embedded file and for Part 2 are hard-coded.\r\nTo summarize, we have encryption at three levels:\r\nPart 1 of the code is decrypted by the XOR stub in the beginning\r\nPart 2 of the code is decrypted by a function within Part 1\r\nNearly all functions within the virus code (both Part 1 and Part 2) have their bodies encrypted. They are\r\ndecrypted as they execute and are re-encrypted afterwards\r\nSo how exactly is the code polymorphic? At one point in the malware’s execution after Part 1 and Part 2 have\r\nbeen decrypted, it copies its whole body into a block of allocated memory. Remember: the functions that have\r\nexecuted before this in-memory copy was created have been re-encrypted with a different key. This copy will be\r\nused to infect the other files, with the following modifications for each one of them.\r\nWorking backwards through the individual layers, the copy is encrypted again. First, Part 2 and the host file being\r\ninfected are encrypted using randomly generated keys. The encrypted host file is appended to the in-memory copy\r\nand the new encryption keys, memory addresses and offsets are written to the Part 1 code, so that it will be able to\r\nextract Part 2 and the original file when the new sample is run.\r\nThen the modified Part 1 is encrypted with XOR with a randomly generated DWORD, which gets written to the\r\nXOR stub in the beginning.\r\nFinally, the XOR stub builder is constructed randomly as described above and the XOR stub is overwritten with\r\ngarbage bytes.\r\nAfter all these steps, we end up with an encrypted copy of the virus in memory with the original file embedded.\r\nThis is then written to the hard drive in place of the original file. 
If the original document was not an executable\r\n(.exe) Win32 PE file, the .exe extension will be appended to the filename after the original extension and the\r\noriginal file will be deleted. The newly created infected file will also have the icon of the original host.\r\nConclusion\r\nESET's LiveGrid® telemetry shows that the number of victims of this new virus is relatively low and that for now\r\nthe scale of this threat is nothing like that of TorrentLocker or other widespread ransomware. Nevertheless,\r\nlooking at the transactions associated with the Bitcoin addresses used by the malware reveals that some victims of\r\nthis fraud have already paid up. We will continue monitoring the evolution of this new ransomware strain.\r\nWhat makes this ransomware stand out, however, is the fact that it is a functional polymorphic parasitic virus. Our\r\nanalysis of the code has shown that the malware author has truly played around with this venerable means of\r\nwriting computer virus code.\r\nSource: https://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/"
	],
	"report_names": [
		"win32virlock-first-self-reproducing-ransomware-also-shape-shifter"
	],
	"threat_actors": [],
	"ts_created_at": 1775434488,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a6b336ed21a7fb3868a23fa0469028628ca91b88.pdf",
		"text": "https://archive.orkl.eu/a6b336ed21a7fb3868a23fa0469028628ca91b88.txt",
		"img": "https://archive.orkl.eu/a6b336ed21a7fb3868a23fa0469028628ca91b88.jpg"
	}
}