CoronaLocker

By GoldSparrow in Malware

While coronavirus numbers may be dropping around the world, the virus remains a very real threat. Coronavirus has become as much of a digital threat as a physical one in recent weeks and months. Many threat actors are creating malware themed around the virus, from ransomware to screen lockers. CoronaLocker is an example of a screen locker tied to coronavirus.

Screen lockers are a kind of malware that tries to lock you out of your system. These viruses display a screen over your login screen so that it is impossible to log in or otherwise interact with your computer. Some of these are harmless, but others can be severe problems.

Max Kersten discovered the CoronaLocker screen locker after it appeared on a computer belonging to one of their friends. CoronaLocker seems to spread through a fake Wi-Fi hacking program that runs through the executable file “wifihacker.exe.”

The malware extracts a number of VBS files as well as a batch file. When these files – shown below – are combined, the result is one of the most annoying screen lockers around. CoronaLocker does more than just prevent you from logging in – it causes a cacophony of annoying noises to hammer home just how irritating it all is.

The authors of the CoronaLocker threat appear to be propagating it by disguising it as a hacking tool designed to target WiFi networks. The supposed WiFi hacking utility is offered for free on a variety of forums, dubious social media posts, dodgy websites, etc. Once the CoronaLocker screenlocker infiltrates the targeted system, it will decompress its payload as the first step of the attack. Next, the CoronaLocker threat will drop its VBS (Visual Basic Script) files on the compromised computer. The VBS files in question would serve to:

  • Use the Windows Voice utility to play out ‘corona virus’ as a phrase, repeatedly, likely in an attempt to stress out the victim.
  • Reboot the infected computer to spawn a ‘you are infected of corona virus..’ message on the victim’s screen. The message also contains the email of the threat’s creators – ‘computertricks2018@gmail.com.’
  • Display a message stating that the victims need to contact the attackers and purchase a decryption tool because their files have been locked. The email provided is ‘computerdestroyer0108@gmail.com.’

CoronaLocker causes the computer to restart after installation. When users try to log back on, they will see the following lock screen:

CoronaLocker Lock Screen

The screen tells them, “you are infected of coronavirus,” and it displays the email address computertricks2018@gmail.com. As noted, the virus also plays annoying sounds to really hit the message home.

When users get around the lock screen and make it into Windows, they are shown another lock screen. This screen includes the email address systemdestroyer108@gmail.com. The good news for anyone who gets hit with this annoying virus is that it’s easy to get out of this lock screen. Just type “VB” and press the OK button to get into your computer correctly.

The bad news is that the CoronaLocker screen locker establishes persistence on the computer and has some other tricks up its sleeve. The virus changes Registry settings to prevent users from accessing Run commands and Task Manager. The virus also disables the Start menu and removes desktop icons. Kersten goes into more detail about all of the little changes that the virus makes, but needless to say, it isn’t very pleasant to have to deal with.
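For triage, the restrictions described above can be looked for in a `reg export` dump of the user's Policies keys. The following is an added example, not code from the original article or from Kersten's analysis: the three value names are the standard Windows policy values for Task Manager, the Run command and desktop icons, which is an assumption because the page does not list what CoronaLocker writes, and the sample dump is constructed.

```python
import re

# Standard Windows policy values for the features the article says get disabled.
# Assumption: the page does not name the exact values CoronaLocker writes.
WATCHED = {
    r"software\microsoft\windows\currentversion\policies\system":
        {"disabletaskmgr": "Task Manager disabled"},
    r"software\microsoft\windows\currentversion\policies\explorer":
        {"norun": "Run command removed", "nodesktop": "Desktop icons hidden"},
}
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def find_restrictions(reg_text):
    """Return (hive, value_name, meaning) for each watched policy set non-zero."""
    findings, hive, subkey = [], None, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            # "[-KEY]" in a .reg file deletes the key, so ignore values under it.
            hive, _, rest = m.group(2).partition("\\")
            subkey = None if m.group(1) else rest.lower()
            continue
        m = VAL_RE.match(line)
        if m and subkey in WATCHED:
            meaning = WATCHED[subkey].get(m.group(1).lower())
            if meaning and int(m.group(2), 16) != 0:
                findings.append((hive, m.group(1), meaning))
    return findings

# Constructed sample in `reg export` text form (real exports are UTF-16 files).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDesktop"=dword:00000000
"NoDriveTypeAutoRun"=dword:00000091
"""

if __name__ == "__main__":
    for hive, name, meaning in find_restrictions(SAMPLE):
        print(f"{hive}: {name} is set -> {meaning}")
```

Values reported here are candidates for review and reset once the dropped scripts have been removed; a value explicitly set to 0 is treated as not restricting anything.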

It’s unknown how the CoronaLocker screen locker ransomware is being spread, but it is likely through YouTube, Discord, or some other form of social media.
