The FakePoliceAlert winlocks were recently updated.
I see more and more Blackhole exploit kits spreading these winlocks in DLL form.
Some pictures of winlocks found in the wild:
So what's new?
They can now download files, so it becomes necessary to also monitor these packages.
They also create a new desktop for the winlock and load a fullscreen iexplore inside it.
Most of them are on the IP range 92.241.*.
Check if the winlock is run by rundll32
Check if AVP.EXE is among the running processes
The payload (a password stealer, always in DLL format, which targets a lot of things)
Avast identifies some of these DLL winlocks as 'SmokeLoader', according to VirusTotal.
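As an added example (not from the original post), here is a small triage pass over process and network events that combines the indicators noted above: a rundll32 host process, connections into 92.241.*, and an iexplore.exe started by that process. The event schema, the sample events and the assumption that iexplore appears as a child process of rundll32 are constructed for illustration.

```python
import ipaddress
import ntpath

WATCHED_NET = ipaddress.ip_network("92.241.0.0/16")  # "92.241.*" from the post

# Constructed sample events (hypothetical schema, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "proc", "pid": 1200, "ppid": 800,
     "image": r"C:\Windows\System32\rundll32.exe"},
    {"type": "net", "pid": 1200, "dst_ip": "92.241.0.1"},
    {"type": "net", "pid": 1200, "dst_ip": "not-an-ip"},      # malformed record
    {"type": "proc", "pid": 1300, "ppid": 1200,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"type": "proc", "pid": 1400, "ppid": 800,
     "image": r"C:\Windows\System32\rundll32.exe"},           # benign rundll32
    {"type": "net", "pid": 1400, "dst_ip": "192.0.2.5"},
    {"type": "proc", "pid": 1500, "ppid": 800,
     "image": r"C:\Apps\browser.exe"},                        # not rundll32
    {"type": "net", "pid": 1500, "dst_ip": "92.241.0.2"},
]

def basename(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()

def triage(events):
    """Return {pid: sorted reasons} for rundll32 processes worth a closer look."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    hosts = {pid for pid, p in procs.items()
             if basename(p["image"]) == "rundll32.exe"}
    findings = {}
    for e in events:
        if e["type"] == "net" and e["pid"] in hosts:
            try:
                dst = ipaddress.ip_address(e["dst_ip"])
            except ValueError:
                continue  # skip records with an unparsable address
            if dst in WATCHED_NET:
                findings.setdefault(e["pid"], set()).add("connects to 92.241.0.0/16")
        elif (e["type"] == "proc" and e["ppid"] in hosts
              and basename(e["image"]) == "iexplore.exe"):
            # Assumption: the fullscreen iexplore is a child of the rundll32 host.
            findings.setdefault(e["ppid"], set()).add("spawns iexplore.exe")
    return {pid: sorted(reasons) for pid, reasons in findings.items()}

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

Only the rundll32 process that matches an indicator is reported; the benign rundll32 and the non-rundll32 process talking to the same range are left out, which keeps the output to hosts matching the DLL delivery described here.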
If you're looking for samples:
Also, thanks to Malekal and Secubox Labs, good teamwork once again.