Tuesday, 14 December 2010

Trojan.Ransom (pornoplayer.exe)

This trojan blocker (MD5: c4d3c0d0da57bc994d3103dcfaa3f87d ~ 6b16b6c6675cfd8082a8f7fc64ae02e6 ~ 8060056424a24e07bf13fb1a2c34a5ec) prevents all software execution.
To remove the Trojan (and unlock Windows), infected users need to enter a valid serial number.

Number to Call: 9647732098
How to unlock
First thing to type: XYLIBOX
Second: 31337
Last: 31337
The first serial to type is not really important, but the second and the last must be the same to unlock Windows. Your serial also needs to be at least 5 characters long and contain no letters, only digits.

Run MBAM to remove the infection.
pornoplayer.exe was also noticed here in the past (29 Nov 2k10) and here (5 Dec 2k10).

Updated ~ 14 Dec 2010:
Because I've analyzed many variants of pornoplayer, I missed something in this one during my first analysis.
There is another way to remove this ransomware.
When it asks you for the first serial, enter: SORRY to remove it.
Here are some pictures for reverse engineers:
