Vigra, also called "Viagra", is ransomware for Microsoft Windows written in C#. It is a variant / script-kiddie edit of the Viata ransomware, which was created earlier as experimental / educational ransomware by Black Hat, with only minimal differences. It has similarities with the Spora ransomware.

It ended up in the Trend Micro threat encyclopedia.[1]

Payload

Vigra is a 76 KB MSIL executable. It is an edit made in Visual Studio; the original was created in SharpDevelop. Its debug symbol path is "X:\2010\Viagra\dotnetfx35setup\obj\x86\Debug\dotnetfx35setup.pdb". Unlike Viata, Vigra needs .NET 4.0 to run (Viata requires only the .NET 3.5 that Windows 7 ships by default). Both disguise themselves as a fake Microsoft .NET 3.5 setup. When started as Administrator, Viata computes an AES-256 key using a CSPRNG ("RNGCryptoServiceProvider"), instantiates AES-256 in CFB mode, and imports an RSA-4096 key (which is unchanged between Viata and Vigra / Viagra). It then takes the current date, turns the AES key into a Base64 string, and encrypts both with the RSA key to form the ID.

At this point, Vigra shows a message box ("fuck", with the application's full path as the title; in the original Viata this was a fake error), scans every disk, and checks for the existence of a "Users" folder and an "xampp" folder on it. If they exist, the ransomware starts a recursive function that encrypts files. When a file is encrypted, a new IV for AES-256 is generated; the file is loaded into memory, encrypted and written back to disk. The original file is then moved, with the Base64 of the IV appended to its name and the extension ".vigra" (originally ".viata"). The list of extensions the ransomware encrypts is longer in Vigra / Viagra:

.$$$, .3dm, .3g2, .3ds, .3gp, .602, .apk, .asm, .arj, .au3, .avi, .band, .bik, .bat, .bin, .bit, .bmp, .bkp, .cad, .ccp4, .cdf, .cdr, .cer, .cfg, .cfm, .cgi, .class, .com, .conf, .cpp, .cps, .css, .csv, .dbg, .deb, .djvu, .doc, .dotm, .docm, .docx, .dot, .elf, .eml, .eossa, .erf, .eps, .fds, .flac, .gbc, .gadget, .gba, .gif, .gml, .gsm, .hpp, .html, .htm, .ico, .ihtml, .ini, .jar, .java, .jpg, .jsp, .jtd, .jpeg, .jtt, .key, .lip, .lua, .m4a, .mcpack, .maf, .mctemplate, .mkv, .mmp, .mp3, .mmpz, .mov, .mp2, .mpa, .mpp, .myd, .navpath, .ncf, .nfo, .nokogiri, .nrg, .nsh, .nth, .nvram, .oa2, .oa3, .obj, .obt, .obx, .obz, .ocr, .oda, .odb, .odf, .odg, .odif, .odl, .odo, .ogg, .opus, .osd, .osf, .osr, .osu, .p01, .p10, .p12, .p7b, .p7c, .pak, .pcd, .pdb, .pdc, .pdf, .peb, .pef, .pfx, .php, .pk3, .pkg, .ply, .png, .ppt, .pptm, .pptx, .prc, .ppx, .proofingtool, .prz, .ps1, .ps1xml, .pub, .pubx, .pyc, .pys, .qbm, .qbx, .r00, .rar, .rdb, .reg, .rss, .rtf, .rwlibrary, .sam, .sas7bdat, .sav, .sheet, .shtml, .sis, .skb, .sln, .smh, .spb, .spc, .sql, .sqlite, .sqlite1, .swift, .ssh, .ssx, .stone, .struct, .suf, .svg, .szs, .tar, .tar.gz, .tdr, .tex, .tga, .tgz, .thm, .tif, .tiff, .tml, .tor, .torrent, .txt, .url, .vbs, .vgm, .vid, .vob, .wad, .war, .wdb, .web, .webmoney, .wks, .wmv, .wpl, .wps, .wsf, .x11, .xhtml, .xlsx, .xla, .xls, .xlsm, .xml, .xpl, .xsl, .zip

The ransomware then creates a ransom note, "README-VIAGRA-[FIRST 8 CHARACTERS OF THE ID].txt" (originally "README-VIATA-[FIRST 8 CHARACTERS]"), in every directory, plus one in HTML format in every folder and disk where encryption took place. Both variants then set the desktop background by modifying the Registry ("BACKGROUND.BMP", dropped into the current directory). The Vigra ransom note has fewer details than the Viata one, and the Bitcoin address supplied was changed.

The ransomware then launches "vssadmin" to delete the Shadow Copies, "cipher" to wipe the free space on the disk, "fsutil" to purge the USN journal and "shutdown" to log the user off. It also edits the Registry to set a "LegalNoticeText" and a "LegalNoticeCaption" (the caption is static while the text is generated; the caption is "Viagra yungthugger (V-0.1.31)", where Viata used "Viata RES (V-0.1.31)"); these two are shown as a message as soon as the user logs back in. Decryption is impossible.
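As an added example (not code from the page or from the malware itself), a Python detection sketch covering the host artifacts this and the previous paragraph describe: the README-VIAGRA ransom-note name, the ".vigra" extension, and the vssadmin / cipher / fsutil / shutdown chain, which is flagged when several of its stages appear on one host within a short window. The sample records, host names and the standard tool switches matched on are constructed assumptions, not taken from the page.

```python
import re
from datetime import datetime, timedelta

# One entry per stage the write-up names: (label, image basename, text that must appear in the command line).
STAGES = [
    ("shadow_copy_deletion", "vssadmin.exe", "delete shadows"),
    ("free_space_wipe", "cipher.exe", "/w:"),
    ("usn_journal_purge", "fsutil.exe", "usn deletejournal"),
    ("forced_logoff", "shutdown.exe", "/l"),
]
# Ransom note name: README-VIAGRA-<first 8 characters of the Base64 ID>.txt
NOTE_RE = re.compile(r"^README-VIAGRA-[A-Za-z0-9+/=]{8}\.txt$", re.IGNORECASE)

# Constructed sample records (host, ISO timestamp, image, command line); not real telemetry.
# WS01 runs the full chain; WS02 only lists shadow copies and wipes free space once.
EVENTS = [
    ("WS01", "2017-06-01T10:02:10", "vssadmin.exe", "vssadmin delete shadows"),
    ("WS01", "2017-06-01T10:02:11", "cipher.exe", "cipher /w:C:"),
    ("WS01", "2017-06-01T10:02:12", "fsutil.exe", "fsutil usn deletejournal C:"),
    ("WS01", "2017-06-01T10:02:13", "shutdown.exe", "shutdown /l"),
    ("WS02", "2017-06-01T10:05:00", "vssadmin.exe", "vssadmin list shadows"),
    ("WS02", "2017-06-01T10:05:30", "cipher.exe", "cipher /w:D:"),
]

def classify(image, cmdline):
    """Map one process-creation record to a stage label, or None if benign."""
    for label, exe, needle in STAGES:
        if image.lower() == exe and needle in cmdline.lower():
            return label
    return None

def find_chains(events, window=timedelta(minutes=5), min_stages=3):
    """Return {host: sorted labels} for hosts with >= min_stages distinct stages inside `window`."""
    hits = {}
    for host, ts, image, cmdline in events:
        label = classify(image, cmdline)
        if label:
            hits.setdefault(host, []).append((datetime.fromisoformat(ts), label))
    result = {}
    for host, seen in hits.items():
        seen.sort()  # order by timestamp so each window starts at a real event
        for i, (t0, _) in enumerate(seen):
            labels = {lbl for t, lbl in seen[i:] if t - t0 <= window}
            if len(labels) >= min_stages:
                result[host] = sorted(labels)
                break
    return result

def is_vigra_artifact(filename):
    """True for a renamed .vigra file or a Vigra ransom note."""
    return filename.lower().endswith(".vigra") or bool(NOTE_RE.match(filename))
```

A single cipher or vssadmin run is common administrative activity, so the chain check deliberately needs several stages on the same host before it fires.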

Both are effectively wipers: Viata contains an invalid e-mail address supplied during the testing phase and Viagra contains none at all (so the victim cannot contact the malware author), but both can still be decrypted by the original author of Viata, who holds the original RSA-4096 key pair. Viagra is the result of a leak during the test phase, which lasted a week.

Media

Viewer-Made Malware 11 - Viata Ransomware (Win32)

Viata, in an earlier phase.