A weird winlock appeared since hmm no idea exactly approximately 16 Nov, targeting german people and using Ukash/Paysafecard like the FakePoliceAlert winlocks:
The serial should be minimum 15 digits:
The serial is sent to the server and checked
URL: cr0fter.com/index.php
POST data: guid={56429642-7C05-11E0-BAE9-806D6172696F}&rType=pay&pType=2&code=0123456789123456
POST data: guid={56429642-7C05-11E0-BAE9-806D6172696F}&rType=pay&pType=2&code=0123456789123456
Then the server response is compared
I've do my test reqs:
And easily understood how it's work, the server can return you two differents value:
1000 (good serial)
1100 (bad serial)
Value who are checked after on the winlock to send you on the 'unlock part' or to the 'wrong PIN-Code part'
It will first check on the server if the serial is not already on the database, if not it will check the format.
Based on what's i know, i've used the Paysafecard format (16 digits and one zero at the beginning?)
0XXXXXXXXXXXXXXX
X are random, and surprise, serial worked.According to VirusTotal, only 5 AV detect the winlock:
https://www.virustotal.com/file-scan/report.html?id=bea82b09d0b0802cb7153bbaa7aeb22d169680c7dd103a5763e46d761b8aec31-1322165875
Following dir was found:
http://cr0fter.com:80/1/
You can find the Admin panel here: http://cr0fter.com/1/admin/
ReplyDeleteI have this now how do I get rid of it?
ReplyDeleteHow can I get rid of this?
ReplyDelete