This trojan blocker ( MD5: 4a10b3223d8e9f67034e5f1c6826f298 ) prevents all software execution.
To remove the Trojan (and unlock windows), infected users need to enter a valid serial number.
The first sample have appear at 10:27:46 (GMT+1)
Number to Call: 9688919806
Number to Call: 9688919818
Code to unlock Windows: MUSTGO
According to VirusTotal, the sample is detected by just 4 Antivirus: https://www.virustotal.com/file-scan/report.html?id=143e2787252800810dc1c18449ea834507e240c127b2de69a65caa1571ad7cd0-1302774097
Interesting update.
Edit: 14 Apr 2k11: The sample of 20:27:52 (GMT+1) was updated, price of the ransomware now: 500 + Sample repacked: According to VirusTotal the malware is detected by 2 Antivirus: http://www.virustotal.com/file-scan/report.html?id=7753e4ac271df7d42d87485cb8267ff23e31b6b83997bb0b9a9ec004ecbdb031-1302809383 (Before: 4 AV)
----------
HomoBlocker is a variant of pornoplayer
HomoBlocker was already analyzed on the past: here (15 Jan 2k11) ~ here (16 Jan 2k11) ~ here (18 Jan 2k11) ~ here (20 Jan 2k11) ~ here (25 Jan 2k11) ~ here (30 Jan 2k11) ~ here (7 Fev 2k11) ~ here (8 Apr 2k11) ~ here (11 April 2k11)
http://rghost.ru/5232376
ReplyDelete