A weird winlock appeared since hmm no idea exactly approximately 16 Nov, targeting german people and using Ukash/Paysafecard like the FakePoliceAlert winlocks:
The serial should be minimum 15 digits:
The serial is sent to the server and checked
Then the server response is compared
I've do my test reqs:
And easily understood how it's work, the server can return you two differents value:
1000 (good serial)
1100 (bad serial)
Value who are checked after on the winlock to send you on the 'unlock part' or to the 'wrong PIN-Code part'
It will first check on the server if the serial is not already on the database, if not it will check the format.
Based on what's i know, i've used the Paysafecard format (16 digits and one zero at the beginning?)
0XXXXXXXXXXXXXXXX are random, and surprise, serial worked.
According to VirusTotal, only 5 AV detect the winlock:
Following dir was found: