Friday, 12 August 2011

Weird winlock

This trojan blocker ( MD5: 81105dbe2a2e2f05f1b81fa6c632d2d5 ) load automatically when you start a session.
To remove the Trojan (and unlock windows), infected users need to enter a valid serial number.

But there is no valid serial to enter.
The file 'setup.exe' is powered by "Smart install maker", it drop "saliter.exe" into %SystemRoot%
and modify the value shell on HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogonlaunch
then, it launch a reboot procedure with shutdown.exe.

Saliter.exe is another powered file, this time by "Increditools Flash EXE Builder"
It drop an SWF File into %appdata%/IFViewer/[Random numbers]

saliter.exe is just a flash file viewer with a fullscreen/topmost option.
by pressing Ctrl+Esc you can open your windows start menu with no problem.

Decompiled swf:

When you click on the unlock button it just call the bad boy; no serial check.

The idea of swf ransomware is fun but too easy to defeat  with a flash decompiler.

Number to call: 878172614
Number to call: 79900172614
Number to call: dx870172614
Number to call: 4049172614

1) Alt+F4
2) Win+U
3) Profit

Thanks to mrbelyash for the sample.

No comments:

Post a Comment