Tuesday, 15 March 2011

Trojan.Ransom (pornoplayer.exe)


This trojan blocker (MD5: 60e621b424552843f977e741515a5858) prevents all software execution.
To remove the Trojan (and unlock Windows), infected users need to enter a valid serial number.


Number to Call: 9670988637
Number to Call: 9654350608
Number to Call: 9645731480
Number to Call: 9652340907
Number to Call: 9652361799
Number to Call: 9099417995 
Number to Call: 9653372603 
Number to Call: 9670989423
Number to Call: 9652481795
Number to Call: 9654357815
Code to unlock Windows: IRON MAIDEN


Description string of the extracted winlocker: Gpg4win: The GNU Privacy Guard and Tools for Windows

HS: Thanks Tom.K for the cool image :)

Edit 18 Mar 2k11: pornoplayer.exe seems to be back to UPX


Edit 22 Mar 2k11: pornoplayer.exe seems to be back to Mystic Compressor


Edit 30 Mar 2k11: Mystic Compressor was updated on the pornoplayer payload.


Edit 07 Apr 2k11: Server was shut down today at 16h00m00s (GMT+1 France)
Interesting fact:
On 30 March 2k11 at 22h36m, MAD detected: 8013A384E18F8A01E6C44AF57DBDAAAD_pornoplayer.exe.ViR
This was the first sample to use the number: 9654357815
The last sample downloaded by MAD before the server shutdown is: 64EFC1485B4AB07A6532B62D2FB735D1_pornoplayer.exe.ViR
Downloaded on 07 April at 15h21m.
In these 9 days the number to call (9654357815) never changed (and our bot ran 24h/24, 7 days a week).
Usually the number changes every 1 or 2 days.
What happened this week, vacation? Who knows..
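A triage check built from the indicators listed above (the MD5s, the numbers to call, the unlock code and the fake Gpg4win description string), written here as an added Python example; it is not part of the original post and not the author's tooling. It hashes a sample against the listed MD5s, then looks for the phone numbers and the unlock code as ASCII or UTF-16LE strings, because the post shows the payload being repacked several times (UPX, Mystic Compressor) while the number to call stayed constant for nine days, so a hash match is fragile and a string match on the number is the more durable indicator. String matches only work on an unpacked sample or a memory dump, so the example also flags the default UPX section names (UPX0/UPX1) as a packing heuristic; that heuristic, the `triage` function, and the minimal PE skeleton used as input are this example's own constructions, not anything from the post.

```python
import hashlib
import struct

# Indicators copied from the post (not constructed): MD5 of the dropper and of the two
# MAD-collected samples, the numbers the locker tells the victim to call, the unlock
# code, and the description string carried by the extracted winlocker.
KNOWN_MD5 = {
    "60e621b424552843f977e741515a5858",
    "8013a384e18f8a01e6c44af57dbdaaad",
    "64efc1485b4ab07a6532b62d2fb735d1",
}
NUMBERS_TO_CALL = [
    "9670988637", "9654350608", "9645731480", "9652340907", "9652361799",
    "9099417995", "9653372603", "9670989423", "9652481795", "9654357815",
]
UNLOCK_CODE = "IRON MAIDEN"
FAKE_DESCRIPTION = "Gpg4win: The GNU Privacy Guard and Tools for Windows"


def find_string(data: bytes, text: str) -> bool:
    """True if `text` occurs in `data` as ASCII or as UTF-16LE (Windows wide strings)."""
    return text.encode("ascii") in data or text.encode("utf-16-le") in data


def pe_section_names(data: bytes) -> list:
    """Return the PE section names, or [] if the blob is not a PE image.
    Only the fields needed to reach the section table are parsed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes, name is the first 8
        if off + 8 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Hypothetical triage routine: hash match plus string and packer heuristics."""
    md5 = hashlib.md5(data).hexdigest()
    sections = pe_section_names(data)
    return {
        "md5": md5,
        "known_hash": md5 in KNOWN_MD5,
        "numbers_found": [n for n in NUMBERS_TO_CALL if find_string(data, n)],
        "unlock_code_found": find_string(data, UNLOCK_CODE),
        "fake_description_found": find_string(data, FAKE_DESCRIPTION),
        # Default UPX section names; a repacker that renames sections defeats this.
        "upx_packed": any(s.upper().startswith("UPX") for s in sections),
        "sections": sections,
    }


def build_constructed_sample() -> bytes:
    """CONSTRUCTED input, not a real sample: a minimal PE skeleton whose section table
    names UPX0/UPX1 and whose body carries one of the listed numbers as a wide string."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: machine, section count, timestamp, symtab ptr, symbol count,
    # optional header size (0 here), characteristics.
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    sections = b"UPX0".ljust(8, b"\0") + b"\0" * 32 + b"UPX1".ljust(8, b"\0") + b"\0" * 32
    body = b"\0" * 16 + "9654357815".encode("utf-16-le") + b"\0" * 16
    return dos + b"PE\0\0" + coff + sections + body


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    blobs = [open(p, "rb").read() for p in paths] if paths else [build_constructed_sample()]
    for blob in blobs:
        print(triage(blob))
```

Run it with one or more file paths to triage real files; with no arguments it triages the constructed skeleton, which reports `upx_packed` and the number 9654357815 but no known hash, which is exactly the case where a hash-only blocklist would stay silent.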

--------------
pornoplayer.exe was also noticed in the past: here (29 Nov 2k10) ~ here (5 Dec 2k10) ~ here (14 Dec 2k10) ~ here (17 Dec 2k10) ~ here (23 Dec 2k10) ~ here (23 Dec 2k10) ~ here (24 Dec 2k10) ~ here (27 Dec 2k10) ~ here (29 Dec 2k10) ~ here (10 Jan 2k11) ~ here (13 Jan 2k11) ~ here (14 Jan 2k11) ~ here (15 Jan 2k11) ~ here (19 Jan 2k11) ~ here (20 Jan 2k11) ~ here (25 Jan 2k11) ~ here (30 Jan 2k11) ~ here (7 Feb 2k11) ~ here (10 Feb 2k11) ~ here (17 Feb 2k11) ~ here (22 Feb 2k11) ~ here (2 Mar 2k11) ~ here (5 Mar 2k11)
