Friday, 8 April 2011
The resurrection of Homoblocker after ~2 months of inactivity.
NB: A WinAD server was shut down yesterday; the 'IRON MAIDEN' version was really interesting, you should read that.
What's new in this version?
- Protected with Mystic Compressor (like its cousin)
- Uses junk code (NOPs) in the serial verification routine.
- Malicious website updated. (click here to view the old stuff)
The pornographic background image that represents a fake video player has changed (before, it was not this girl).
The author himself says so in the name of the pic:
The page title and the malware directory were changed; otherwise the code is almost the same: an image that leads to the malware download.
And a .JS file that tries to exploit vulnerabilities in your browser, to make you download and execute the file automatically without your permission.
Those who are familiar with exploit kits will recognize it: Blackhole Exploit Kit.
In the past, they used PEK.
Dropper: 5/41 (12.2%)
Payload: 5/42 (11.9%)
This trojan blocker (MD5: 1b0f32ae76450a82ec8949604f4b8a79) prevents all software from executing.
To remove the Trojan (and unlock Windows), infected users need to enter a valid serial number.
Number to Call: 9652537359
Number to Call: 9670955653
Number to Call: 9099417960
Number to Call: 9652537545
Number to Call: 9670929482
Code to unlock Windows: THE TROOPER
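As an added example (not code from the original post, nor from the blocker's author), a small Python triage script built around the indicators listed above: the published MD5, the five premium numbers and the unlock code. The sample bytes it runs on are constructed here, and the UTF-16LE check is an assumption about how a Windows lock screen may store its strings, not something the post states.

```python
import hashlib
import os

# Indicators taken from the write-up above: the blocker's MD5 and the strings it displays.
BLOCKER_MD5 = "1b0f32ae76450a82ec8949604f4b8a79"
PREMIUM_NUMBERS = (
    "9652537359",
    "9670955653",
    "9099417960",
    "9652537545",
    "9670929482",
)
UNLOCK_CODE = "THE TROOPER"

# Assumption (not stated in the post): the strings may be stored either as ASCII or
# as UTF-16LE, which is how Windows GUI programs commonly keep displayed text.
ENCODINGS = ("ascii", "utf-16-le")


def md5_of(data: bytes) -> str:
    """Hex MD5 of a byte string, for comparison against the published hash."""
    return hashlib.md5(data).hexdigest()


def find_indicators(data: bytes) -> dict:
    """Report which HomoBlocker indicators occur in a file's bytes."""
    found_numbers = []
    unlock = False
    for enc in ENCODINGS:
        for number in PREMIUM_NUMBERS:
            if number.encode(enc) in data and number not in found_numbers:
                found_numbers.append(number)
        if UNLOCK_CODE.encode(enc) in data:
            unlock = True
    return {
        "md5_match": md5_of(data) == BLOCKER_MD5,
        "numbers": found_numbers,
        "unlock_code": unlock,
    }


def verdict(hits: dict) -> str:
    """Turn the indicator report into a triage label."""
    if hits["md5_match"]:
        return "known-sample"      # exact match with the hash in the post
    if hits["numbers"] and hits["unlock_code"]:
        return "likely-variant"    # same premium numbers and unlock code, different build
    if hits["numbers"] or hits["unlock_code"]:
        return "suspicious"
    return "clean"


def scan_directory(root: str) -> list:
    """Walk a directory tree and return (path, verdict) for every file that is not clean."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file (permissions, locked): skip, do not abort the scan
            label = verdict(find_indicators(data))
            if label != "clean":
                results.append((path, label))
    return results


# Constructed sample (not a real binary): an ASCII phone number plus a UTF-16LE
# unlock string, roughly how a lock screen's resources look when dumped.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"Number to Call: 9652537359\x00"
    + "Code to unlock Windows: THE TROOPER".encode("utf-16-le")
)

if __name__ == "__main__":
    report = find_indicators(SAMPLE)
    print(report, verdict(report))
```

A hash match only catches this exact build; the string checks are what give a chance against the repacked cousins mentioned above, which is why the verdict distinguishes "known-sample" from "likely-variant".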
HomoBlocker is a variant of pornoplayer.
HomoBlocker was already analyzed in the past: here (15 Jan 2k11) ~ here (16 Jan 2k11) ~ here (18 Jan 2k11) ~ here (20 Jan 2k11) ~ here (25 Jan 2k11) ~ here (30 Jan 2k11) ~ here (7 Feb 2k11)