Friday 7 January 2011

HoaxSMS Fake installers (WinRARc / WinRAR 2010)



These fake installers use a price-trap method, the same one we find in ransomware: the user is fooled into taking out a costly subscription in order to continue.

knigi_po_remontu_kvartir.rar.exe:
57c775d601ffc0d6c01ab4402ba834dc

Å«Ó¡« _slash_ Porno (1990) VHSRip_021518-44912.zip.exe:
e4f08c0543fa75ebadcdc3c83d4beaa3

This is quite an interesting hoax, masquerading as a WinRAR archive, and it comes from a fake RapidShare website.

Download any archive from the site and you get this:

When started, the hoax displays a main window with the "contents" of the archive and waits for user action.
A EULA is also present, where it is honestly written (highlighted) that this is a hoax.
"The software product provides user authentication services for search engine files to one of the largest Russian and foreign torrent sites (torrent tracker) and on sites for sharing files"

You press "Extract", it simulates some activity, and then the window is refreshed with a "Select your country" screen.
Be careful, because this buggy trash can crash if you select anything other than a few countries in the list.
I suggest you select the first country in the list.
Next it wants some money: send 1 SMS to the short number displayed on screen (the numbers differ from country to country).
The SMS price is given in the EULA, but nobody reads EULAs, right?

For Russia, the price for 1 SMS is 10$.

Once you send the first SMS:

It asks for a second SMS:

And then it wants a third SMS:

So it's about 30$ just to get to this window.
Now you are required to enter the phone number from which you sent all 3 SMS previously.

Finally you have what you wanted: a list of torrents, and they even work.
There is also a very cool description of how to download a torrent client and how to download torrent files from the server.


In simple words, you are paying ~30$ and giving away your phone number for a FAQ on how to install uTorrent and use Google. Obviously victims of this hoax are not really smart people.








Å«Ó¡« _slash_ Porno (1990) VHSRip_021518-44912.zip.exe is heavily protected by VMProtect.
Additional information for reverse engineers about knigi_po_remontu_kvartir.rar.exe:
0x53463C (interesting range to break)
0x53471E (MessageBox is shown)
These ranges are valid once UPX is gone.
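
A triage check for downloads like the two samples above, added here as an example and not code from the original post: it flags an executable whose name poses as an archive (`.rar.exe`, `.zip.exe`), matches the MD5 hashes listed in this post, and reads the PE section table for UPX's default section names. The function names, the list of archive extensions and the constructed test stub are assumptions made for the illustration.

```python
import hashlib
import struct

# MD5 hashes of the two samples, as listed in this post.
KNOWN_MD5 = {"57c775d601ffc0d6c01ab4402ba834dc", "e4f08c0543fa75ebadcdc3c83d4beaa3"}
ARCHIVE_EXTS = (".rar", ".zip", ".7z")  # assumption: extensions worth flagging

def pe_section_names(data):
    """Return the PE section names, or [] if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        return []
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section table follows the optional header
    names = []
    for off in range(table, min(table + 40 * nsect, len(data)), 40):
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def triage(filename, data):
    """Return the findings for one downloaded file (name plus raw bytes)."""
    findings = []
    lower = filename.lower()
    stem = lower[:-4] if lower.endswith(".exe") else ""
    if stem.endswith(ARCHIVE_EXTS) and data[:2] == b"MZ":
        findings.append("executable posing as archive")
    if hashlib.md5(data).hexdigest() in KNOWN_MD5:
        findings.append("known HoaxSMS sample")
    # UPX0/UPX1 are the section names UPX writes by default.
    if any(name.startswith("UPX") for name in pe_section_names(data)):
        findings.append("UPX-packed")
    return findings

def build_stub(sections):
    """Constructed test input: a bare MZ/PE header with the given section names."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    return dos + coff + b"".join(s.encode().ljust(40, b"\0") for s in sections)

if __name__ == "__main__":
    sample = build_stub(["UPX0", "UPX1", ".rsrc"])
    print(triage("knigi_po_remontu_kvartir.rar.exe", sample))
    print(triage("holiday_photos.zip", b"PK\x03\x04" + b"\0" * 60))
```

Section names can be renamed by a packer, so the UPX finding is a hint for triage and not proof either way.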







WinRARc SMS code: 8109580, 2406415, 1645976.
Then: 2406415

Thanks to EP_X0FF
