Friday, 12 August 2011
This trojan blocker (MD5: 81105dbe2a2e2f05f1b81fa6c632d2d5) loads automatically when you start a session.
To remove the Trojan (and unlock Windows), infected users are told to enter a valid serial number.
But there is no valid serial to enter.
The file 'setup.exe' is built with "Smart Install Maker"; it drops "saliter.exe" into %SystemRoot%
and modifies the Shell value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon,
then launches a reboot with shutdown.exe.
Saliter.exe is another builder-generated file, this time from "Increditools Flash EXE Builder".
It drops an SWF file into %appdata%\IFViewer\[random numbers].
saliter.exe is just a Flash file viewer with a fullscreen/topmost option.
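The two artifacts described above (the per-user Winlogon Shell override and the dropped files) are easy to check from an elevated PowerShell prompt. This is an added example, not code from the original post; it assumes the file names and paths exactly as the post gives them, and relies on the fact that a per-user Shell value normally does not exist at all (Windows takes the default explorer.exe from the HKLM Winlogon key).

```powershell
# Added example (not from the original post): check the persistence points
# described above. A per-user Winlogon "Shell" value normally does not exist;
# Windows reads the default "explorer.exe" from HKLM. Anything set here that
# is not explorer.exe is worth a look.

$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell

if ($shell -and $shell -notmatch '^\s*explorer\.exe\s*$') {
    Write-Warning "Per-user Winlogon Shell is set to: $shell"
    # Remediation: removing the per-user override lets the HKLM default
    # (explorer.exe) take effect again at the next logon.
    # Remove-ItemProperty -Path $winlogon -Name Shell
} else {
    Write-Host 'Per-user Winlogon Shell: not set or explorer.exe (normal)'
}

# The dropped SWF lives under %APPDATA%\IFViewer\<random numbers> (path from the post).
$ifviewer = Join-Path $env:APPDATA 'IFViewer'
if (Test-Path $ifviewer) {
    Write-Warning "IFViewer directory present: $ifviewer"
    Get-ChildItem -Path $ifviewer -Recurse -File |
        Select-Object FullName, Length, LastWriteTime
}

# saliter.exe is dropped into %SystemRoot% (file name from the post).
$dropped = Join-Path $env:SystemRoot 'saliter.exe'
if (Test-Path $dropped) {
    Write-Warning "Dropped viewer present: $dropped"
    Get-FileHash -Path $dropped -Algorithm MD5
}
```

Run it as the affected user, since the Shell override lives in that user's HKCU hive; the Remove-ItemProperty line is left commented so the script reports before it changes anything.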
By pressing Ctrl+Esc you can open the Windows Start menu without any problem.
When you click the unlock button it just calls the bad boy; there is no serial check.
The idea of SWF ransomware is fun, but too easy to defeat with a Flash decompiler.
Number to call: 878172614
Number to call: 79900172614
Number to call: dx870172614
Number to call: 4049172614
Thanks to mrbelyash for the sample.