Monday, 18 April 2011
Trojan.Ransom - КОМПЬЮТЕР ЗАБЛОКИРОВАН! ("COMPUTER BLOCKED!")
This trojan blocker (MD5: 0b525aba7d3134d853d3a9a172abb300 and e7f93f0d7106ff1b0534fbe28023138d) prevents all software from executing.
To remove the trojan (and unlock Windows), infected users need to enter a valid serial number.
pa.exe is detected by just one antivirus, as 'SpyEye': http://www.virustotal.com/file-scan/report.html?id=9aa49286577dbab965bcd943c46b1def61458663c7ca26a67160d5665f35a256-1303162581
Number to Call: 8-911-013-30-35
Number to Call: 8-911-722-24-88
The problem I've got... I didn't find the unlock code...
If a reverser wants to have a look, here is my analysis:
It creates a mutex that looks like a serial, probably to mislead reverse engineers:
It says goodbye to taskmgr and userinit (a big problem):
It creates a load registry key:
The "Неверный код" ("Invalid code") part:
The infection comes from this server:
C:\Documents and Settings\All Users\Application Data\22CC6C32.exe
Even if you bought an unlock key, that would not restore the damaged taskmgr and userinit!
A solution (not tested) is to manually restore these files with a live CD such as "Hiren's Boot CD" or "Shardana Antivirus Rescue Disk Utility", or, more officially, with the Microsoft CD and a system repair.
The difficult part is not deleting these files but restoring a proper copy of userinit.exe and taskmgr.exe.
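Two things a responder would want to check on a machine hit by this blocker are the persistence entry it adds and the state of the two system binaries it damages. The script below is an added example written for this post, not the author's tooling: it parses a registry export for the Winlogon Userinit value and the per-user `load` value (it is an assumption here that the post's "load regkey" means the `load` value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows), then compares userinit.exe and taskmgr.exe in system32 against the reference copies in dllcache so you know which file needs restoring from a clean source. The .reg text and the file contents are constructed for the demo; only the dropped-file path comes from the post, and the expected Userinit value is the 32-bit Windows XP default.

```python
import hashlib
import re
import tempfile
from pathlib import Path

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKCU_WINDOWS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
# Default Userinit value on a 32-bit Windows XP install (the trailing comma is part of it).
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

# Constructed .reg export for the demo (not a capture from the sample). The Userinit value
# is untouched, which matches the post: the file is deleted rather than the value rewritten.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\Documents and Settings\\All Users\\Application Data\\22CC6C32.exe"
'''


def parse_reg(text):
    """Parse a minimal .reg export into {key_path: {value_name: string_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files escape backslashes and quotes inside string values.
                value = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                keys[current][m.group(1)] = value
    return keys


def find_persistence(keys):
    """Return (value_name, value) pairs that deviate from a clean Winlogon/load setup."""
    findings = []
    userinit = keys.get(WINLOGON_KEY, {}).get("Userinit")
    if userinit is not None and userinit.lower() != EXPECTED_USERINIT.lower():
        findings.append(("Userinit", userinit))
    load = keys.get(HKCU_WINDOWS_KEY, {}).get("load")
    if load:  # a clean system normally has this value empty or absent
        findings.append(("load", load))
    return findings


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_system_binaries(system32, dllcache, names=("userinit.exe", "taskmgr.exe")):
    """Classify each binary as missing, modified (differs from the dllcache copy) or ok."""
    status = {}
    for name in names:
        live, ref = Path(system32) / name, Path(dllcache) / name
        if not live.exists():
            status[name] = "missing"
        elif ref.exists() and sha256_of(live) != sha256_of(ref):
            status[name] = "modified"
        else:
            status[name] = "ok"
    return status


def demo():
    """Simulate the post-infection layout with placeholder file contents (constructed)."""
    with tempfile.TemporaryDirectory() as tmp:
        system32, dllcache = Path(tmp) / "system32", Path(tmp) / "system32" / "dllcache"
        dllcache.mkdir(parents=True)
        (dllcache / "userinit.exe").write_bytes(b"placeholder clean userinit")
        (dllcache / "taskmgr.exe").write_bytes(b"placeholder clean taskmgr")
        # userinit.exe is gone; taskmgr.exe is present but no longer matches the reference.
        (system32 / "taskmgr.exe").write_bytes(b"placeholder damaged taskmgr")
        return check_system_binaries(system32, dllcache)


if __name__ == "__main__":
    for name, value in find_persistence(parse_reg(SAMPLE_REG)):
        print(f"suspicious {name} = {value}")
    for name, state in demo().items():
        print(f"{name}: {state}")
```

On a real machine you would feed `parse_reg` the output of `reg export` taken from a live CD and point `check_system_binaries` at the mounted system drive; a "missing" or "modified" result for userinit.exe explains why the desktop never loads after the lock screen, and tells you which file the repair must replace.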
Thanks to mrbelyash for the sample.