Friday, 25 November 2011

Lame winlock (from the FakePoliceAlert family?)

A strange winlock has been around since, hmm, no exact idea, roughly 16 November, targeting German users and using Ukash/Paysafecard like the FakePoliceAlert winlocks:

The serial must be at least 15 digits:

The serial is sent to the server and checked there:

POST data: guid={56429642-7C05-11E0-BAE9-806D6172696F}&rType=pay&pType=2&code=0123456789123456

The server response is then compared:

I made my own test requests:

and it was easy to see how it works. The server can return two different values:
1000 (good serial)
1100 (bad serial)
The winlock then checks this value to send you either to the 'unlock part' or to the 'wrong PIN-Code part'.
The server first checks whether the serial is already in its database; if not, it checks the format.
Based on what I know, I used the Paysafecard format (16 digits with a zero at the beginning?):
X are random digits, and surprise, the serial worked.
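To make the exchange concrete, here is an emulation of both sides of it. This is an added example, not code from the winlock or from this post. The field names (guid, rType, pType, code), the 1000/1100 replies and the 15-digit client-side minimum come from the captured traffic above; the server-side rules are the inference made above and are reproduced as assumptions (a code already in the server's database is accepted, otherwise the code has to look like a Paysafecard PIN: 16 digits with a leading zero). The GUID and PINs are constructed sample data.

```python
"""Emulation of the winlock's pay/check exchange.

Added example, not code from the malware or the post's author. Field names,
the 1000/1100 replies and the 15-digit minimum are taken from the post; the
server-side rules (database lookup first, then the 16-digit leading-zero
format) are the post's own inference and are assumptions here.
"""
import random
from urllib.parse import urlencode, parse_qs

RESP_GOOD = "1000"   # reply that sends the winlock to the 'unlock part'
RESP_BAD = "1100"    # reply that sends it to the 'wrong PIN-Code part'
MIN_SERIAL_LEN = 15  # client-side length check noted in the post

SAMPLE_GUID = "{56429642-7C05-11E0-BAE9-806D6172696F}"  # GUID from the captured POST


def build_post_body(guid: str, code: str, rtype: str = "pay", ptype: str = "2") -> str:
    """Form-encoded body as shown in the post (braces left unescaped, as captured)."""
    return urlencode({"guid": guid, "rType": rtype, "pType": ptype, "code": code},
                     safe="{}")


def looks_like_paysafecard(code: str) -> bool:
    """Format rule inferred in the post: exactly 16 digits, first digit 0 (assumption)."""
    return len(code) == 16 and code.isdigit() and code[0] == "0"


class FakePayServer:
    """Stand-in for the C2 endpoint, implementing the checks the post describes."""

    def __init__(self, known_codes=()):
        self.database = set(known_codes)  # PINs already in the server's database

    def handle(self, body: str) -> str:
        fields = parse_qs(body, keep_blank_values=True)
        if fields.get("rType") != ["pay"]:
            return RESP_BAD                      # not a payment request
        code = fields.get("code", [""])[0]
        if code in self.database:                # first check: already in the database
            return RESP_GOOD
        if looks_like_paysafecard(code):         # second check: format only
            self.database.add(code)
            return RESP_GOOD
        return RESP_BAD


def winlock_submit(server: FakePayServer, guid: str, code: str) -> str:
    """What the winlock does with a typed serial: local length check, POST, branch on reply."""
    if len(code) < MIN_SERIAL_LEN:
        return "wrong PIN-Code part"             # rejected locally, nothing is sent
    reply = server.handle(build_post_body(guid, code))
    # The whole decision rests on this string comparison: whatever answers
    # 1000 on that endpoint counts as "paid" as far as the client knows.
    return "unlock part" if reply == RESP_GOOD else "wrong PIN-Code part"


def random_paysafecard_like(rng: random.Random) -> str:
    """'0' followed by 15 random digits: the 0XXXXXXXXXXXXXXX pattern tried in the post."""
    return "0" + "".join(rng.choice("0123456789") for _ in range(15))


if __name__ == "__main__":
    srv = FakePayServer()
    rng = random.Random(1)
    for pin in ("0123456789123456",            # the code from the captured POST
                random_paysafecard_like(rng),  # random digits behind the leading zero
                "1234567890123456",            # 16 digits, no leading zero
                "0123456789"):                 # too short to be sent at all
        print(pin, "->", winlock_submit(srv, SAMPLE_GUID, pin))
```

Running it shows the point of the post: any 16-digit string starting with 0 gets a 1000 back and lands in the 'unlock part', while a code without the leading zero or a non-pay request gets 1100. Whether the real server keeps a list of used codes or of valid ones is not visible from the traffic; the database lookup here is just one reading of the description above.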

According to VirusTotal, only 5 AVs detect this winlock:

The following directory was found:


  1. You can find the Admin panel here:

  2. I have this now, how do I get rid of it?

  3. How can I get rid of this?