I found a sample yesterday, downloaded via this URL: skyways.co/play.exe. It's a console application with ugly code, plus scareware and a third-party FakeAV call center.
Everything that follows was so lame that I need to talk about it.
First, the malware checks whether it has been dropped into %SYSTEMROOT%/system/
If not, it creates a file:
Then you'd expect it to write into the newly created file, but no: it first adds registry persistence, by calling the CreateProcess API (oh god, why) instead of RegCreateKey:
Finally it writes the file:
It then waits 5 minutes and displays a message box:
After a reboot, a shutdown procedure is initiated:
And 5 minutes later, the message box again:
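The behaviour above (persistence written through a spawned child process rather than the registry API, then a forced shutdown) is exactly the kind of parent/child pairing that process-creation telemetry catches. The following detection sketch is an added example, not code from the post or the sample; the log records are constructed, Sysmon-style lines, and the `reg.exe add` and `shutdown.exe` command lines are assumptions about how the sample might have done it, since the post does not show the actual commands.

```python
import re
from typing import List, Tuple

# Constructed Sysmon-style process-creation records (not real telemetry):
# "ParentImage|Image|CommandLine". The reg.exe and shutdown.exe command lines
# are assumptions; the post does not show what the sample actually launched.
SAMPLE_EVENTS = [
    r"C:\Users\bob\Downloads\play.exe|C:\Windows\System32\reg.exe|"
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v play /t REG_SZ /d C:\Windows\system\play.exe /f",
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\reg.exe|"
    r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"C:\Windows\system\play.exe|C:\Windows\System32\shutdown.exe|shutdown /s /t 0",
]

# Autostart keys a reg.exe child should rarely be writing on behalf of a fresh download.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|\s|$)", re.IGNORECASE)
REG_ADD_RE = re.compile(r"^\s*reg(\.exe)?\s+add\b", re.IGNORECASE)
# Parents for which a shutdown.exe child is ordinary (shell, or anything in System32).
SYSTEM32_PREFIX = r"c:\windows\system32\\"
EXPLORER = r"c:\windows\explorer.exe"


def parse_event(line: str) -> Tuple[str, str, str]:
    """Split one constructed record into (parent image, child image, command line)."""
    parent, image, cmdline = line.split("|", 2)
    return parent, image, cmdline


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: List[str]) -> List[Tuple[str, str]]:
    """Return (parent image, reason) pairs for records matching the scareware pattern."""
    findings = []
    for parent, image, cmdline in map(parse_event, events):
        child = basename(image)
        parent_lc = parent.lower()
        if child == "reg.exe" and REG_ADD_RE.search(cmdline) and RUN_KEY_RE.search(cmdline):
            # Low-volume event: legitimate installers do this too, but it is always worth a look.
            findings.append((parent, "Run-key persistence written via a reg.exe child instead of the registry API"))
        elif child == "shutdown.exe" and not (parent_lc.startswith(SYSTEM32_PREFIX) or parent_lc == EXPLORER):
            findings.append((parent, "shutdown.exe spawned by a parent outside System32/explorer"))
    return findings


if __name__ == "__main__":
    for parent, reason in analyze(SAMPLE_EVENTS):
        print(f"{parent}: {reason}")
```

Feeding the constructed records through `analyze` flags only the two play.exe events; the explorer and cmd.exe lines pass untouched.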
I searched for the phone number on Google and found this:
OK, what about the payment page:
And for the story, I tried to call 1-866-286-6162 to insult them and tell them how much I hate their ugly code, etc., but there were no available representatives.