A new screenlocker/wiper under development, called StalinLocker or StalinScreamer, was discovered by MalwareHunterTeam. It gives you 10 minutes to enter a code before it tries to erase the contents of the drives on the computer. While it runs, it displays a screen showing Stalin, plays the anthem of the USSR, and shows a countdown until files are deleted.
StalinLocker performs the following actions when executed:
- Extracts the file "USSR_Anthem.mp3" into the folder %UserProfile%\AppData\Local and plays it. This anthem is the same as in this YouTube video but of much poorer quality.
- Copies itself to %UserProfile%\AppData\Local\stalin.exe and creates an autorun called "Stalin". This launches the screenlocker/wiper when the user logs on to the computer.
- Creates %UserProfile%\AppData\Local\fl.dat and writes to it the current number of remaining seconds divided by 3. As a result, each time you start the program, the countdown is much lower.
- Tries to terminate any processes other than Skype or Discord.
- Terminates Explorer.exe and taskmgr.exe.
- Tries to launch a scheduled task called "Driver Update" to start Stalin.exe. This part of the code is currently buggy.
StalinLocker then displays the lock screen, which contains a 10 minute countdown until your files are deleted or you enter a code. According to MalwareHunterTeam, this code is derived from the difference between the date on which the program is run and the date 1922.12.30. When the user enters the correct code, the wiper is terminated and the autorun is deleted.
If, on the other hand, the code has not been entered by the time the countdown reaches zero, the screenlocker attempts to delete all files on each drive letter on the computer. It does this by going through all drive letters from A to Z and deleting the contents of every drive that is accessible.
This wiper is currently under development, but could easily be put into a working state. Luckily, most security vendors recognize this either through definitions or heuristics, so make sure you have an anti-virus program installed and updated to the latest definitions.
SHA256: 853177d9a42fab0d8d62a190894de5c27ec203240df0d9e70154a675823adf04
Related files:
- %UserProfile%\AppData\Local\fl.dat
- %UserProfile%\AppData\Local\stalin.exe
- %UserProfile%\AppData\Local\USSR_Anthem.mp3
Mapped registry entries:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stalin    %UserProfile%\AppData\Local\stalin.exe
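The indicators listed above can be checked on a host with a read-only triage script. The following PowerShell is an added example, not part of the original write-up or any vendor tool; it assumes user profiles live under the default Users folder on the system drive and that it is run from an elevated prompt.

```powershell
# Added example: read-only check for the StalinLocker artifacts named in this write-up.
$KnownSha256  = '853177d9a42fab0d8d62a190894de5c27ec203240df0d9e70154a675823adf04'
$DroppedFiles = 'stalin.exe', 'fl.dat', 'USSR_Anthem.mp3'
$RunKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$UsersRoot    = Join-Path $env:SystemDrive 'Users'   # assumption: default profile location

$findings = @()

# 1. Dropped files under each profile's AppData\Local
foreach ($userDir in Get-ChildItem -LiteralPath $UsersRoot -Directory -Force -ErrorAction SilentlyContinue) {
    foreach ($name in $DroppedFiles) {
        $path = Join-Path $userDir.FullName "AppData\Local\$name"
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $detail = 'file name match'
        if ($name -eq 'stalin.exe') {
            # The sample is still in development, so other builds will hash differently.
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if (-not $hash)                  { $detail = 'could not hash (file locked or access denied)' }
            elseif ($hash -eq $KnownSha256)  { $detail = 'SHA256 matches the published sample' }
            else                             { $detail = "different build, SHA256 $hash" }
        }
        $findings += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = $detail }
    }
}

# 2. Autorun value "Stalin" in the Run key
$run = Get-ItemProperty -Path $RunKey -Name 'Stalin' -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{ Type = 'Autorun'; Item = "$RunKey\Stalin"; Detail = $run.Stalin }
}

# 3. Scheduled task "Driver Update"; the name alone is generic, so report its action for review
foreach ($t in Get-ScheduledTask -TaskName 'Driver Update' -ErrorAction SilentlyContinue) {
    $action = ($t.Actions | ForEach-Object { $_.Execute }) -join '; '
    $findings += [pscustomobject]@{ Type = 'Task'; Item = $t.TaskPath + $t.TaskName; Detail = $action }
}

if ($findings.Count -eq 0) {
    'No StalinLocker artifacts from this write-up were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A hit on the file names or task name alone is only a lead; the hash match or an autorun or task action pointing at stalin.exe is the stronger signal.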