Thursday 17 February 2011

Trojan.Ransom (pornoplayer.exe)

The code has evolved, but it's lame as usual.


This trojan blocker (MD5: 6ec86d0d74567ed7f73069ee8e769364) prevents all software execution.
To remove the trojan (and unlock Windows), infected users need to enter a valid serial number.


Number to Call: 9652551795
Number to Call: 9652541846
Number to Call: 9037293456
Number to Call: 9629459986
Number to Call: 9670988634
Number to Call: 9651867627
Number to Call: 9037293446
Code to unlock Windows: CHILDREN OF DUNE
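As an added example (not part of the original post, and not the author's tooling): a small Python triage script that uses the indicators listed above, the phone numbers, the unlock code and the sample's MD5, to flag a file as belonging to this lock-screen family. Each string is searched in both ASCII and UTF-16LE, since Windows binaries store text either way (resource strings are usually UTF-16LE, hard-coded comparisons are often ASCII). The byte buffer it scans is a constructed stand-in, not the real sample; the scoring thresholds are an assumption chosen for this example.

```python
import hashlib
import re

# Indicators taken from the post: the sample's MD5, the phone numbers the
# lock screen tells the victim to call, and the code that unlocks Windows.
SAMPLE_MD5 = "6ec86d0d74567ed7f73069ee8e769364"
PHONE_NUMBERS = [
    "9652551795", "9652541846", "9037293456", "9629459986",
    "9670988634", "9651867627", "9037293446",
]
UNLOCK_CODE = "CHILDREN OF DUNE"


def indicator_patterns():
    """Return (label, compiled regex) pairs, one per indicator, matching the
    string either as ASCII or as UTF-16LE (the two encodings Windows binaries
    commonly use for embedded text)."""
    labelled = [("phone:" + n, n) for n in PHONE_NUMBERS]
    labelled.append(("unlock_code", UNLOCK_CODE))
    patterns = []
    for label, text in labelled:
        ascii_form = re.escape(text.encode("ascii"))
        utf16_form = re.escape(text.encode("utf-16-le"))
        patterns.append((label, re.compile(b"(?:" + ascii_form + b"|" + utf16_form + b")")))
    return patterns


def scan_buffer(data: bytes) -> dict:
    """Scan a file's bytes; return {indicator_label: [offsets]} for every hit."""
    hits = {}
    for label, pattern in indicator_patterns():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[label] = offsets
    return hits


def triage(data: bytes) -> dict:
    """Combine the hash check with the string scan into a simple verdict.
    Thresholds are an assumption for this example: the known hash or two or
    more distinct indicators is a match, a single indicator is only suspicious."""
    digest = hashlib.md5(data).hexdigest()
    hits = scan_buffer(data)
    known_sample = digest == SAMPLE_MD5
    if known_sample or len(hits) >= 2:
        verdict = "match"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"md5": digest, "known_sample": known_sample, "hits": hits, "verdict": verdict}


# Constructed stand-in for a lock-screen binary (NOT the real sample): a fake
# MZ header, padding, one phone number stored as UTF-16LE at offset 36 and the
# unlock code stored as ASCII at offset 72.
CONSTRUCTED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + "9652551795".encode("utf-16-le")
    + b"\x00" * 16
    + b"CHILDREN OF DUNE\x00"
    + b"\xcc" * 8
)

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else CONSTRUCTED_SAMPLE
    print(triage(data))
```

Run it with a file path to triage a real sample, or without arguments to see it flag the constructed buffer. Matching on the unlock code alone is deliberately only "suspicious": a single short string can turn up in unrelated files, so the verdict requires either the known hash or two independent indicators.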


1) Drop the ransom:


2) Create malicious regkeys:

3) Execute the dropped ransom:

4) Code that makes no sense (it checks whether a debugger is running right before ExitProcess):

Updated 17 times in 24 hours:


pornoplayer.exe was also noticed in the past: here (29 Nov 2k10) ~ here (5 Dec 2k10) ~ here (14 Dec 2k10) ~ here (17 Dec 2k10) ~ here (23 Dec 2k10) ~ here (23 Dec 2k10) ~ here (24 Dec 2k10) ~ here (27 Dec 2k10) ~ here (29 Dec 2k10) ~ here (10 Jan 2k11) ~ here (13 Jan 2k11) ~ here (14 Jan 2k11) ~ here (15 Jan 2k11) ~ here (19 Jan 2k11) ~ here (20 Jan 2k11) ~ here (25 Jan 2k11) ~ here (30 Jan 2k11) ~ here (7 Feb 2k11) ~ here (10 Feb 2k11)

4 comments:

  1. http://vxvault.siri-urz.net/ViriList.php?s=0&m=4950
    ;)

  2. Hey Xylibox,

    What is the name of the software/service that you use for monitoring file changes on a particular URL? (last screenshot of this post)

    Would appreciate your answer :)

    Thanks

  3. MAD 1.7.3 with PHP monitoring center hosted in local
    http://xylibox.blogspot.com/2011/02/malware-auto-downloader-v17-revision-3.html

  4. http://i53.tinypic.com/2lt0gl.png
