Tuesday 19 April 2011

Trojan.Ransom (HomoBlocker)

This trojan blocker ( MD5: 95531d1b4767c5f1b5d8416143796df7 ) prevents all software execution.
To remove the Trojan (and unlock windows), infected users need to enter a valid serial number.
According to VirusTotal the sample was detected by just 4 Antivirus: https://www.virustotal.com/file-scan/report.html?id=6383c5a11459fd3a5de9ec842dd982a068c1e4e2b4f31c5bcaacee07c2d40655-1303185742

Number to Call: 9688919810
Number to Call: 9688919834
Number to Call: 9670958242
Number to Call: 9637734657
Number to Call: 9637734662
Number to Call: 9670964990
Number to Call: 9688920521
Number to Call: 9670696367
Number to Call: 9688919817
Code to unlock Windows: MUSTDIE

Edit 19 Apr 2k11: Crypter changed (Mystic Compressor) now there is a crap in VisualBasic "PrometeusStub"
According to VirusTotal the sample is full undetect (0/42): http://www.virustotal.com/file-scan/report.html?id=271e8bfccf59d7003064cd1de0a3315e8f5b7e58b6e6c8050a61f591a554d54a-1303220429

Icon is also changed.

Maybe a modification of the 'stub.EXE'

HomoBlocker is a variant of pornoplayer
HomoBlocker was already analyzed on the past: here (15 Jan 2k11) ~ here (16 Jan 2k11) ~ here (18 Jan 2k11) ~ here (20 Jan 2k11) ~ here (25 Jan 2k11) ~ here (30 Jan 2k11) ~ here (7 Fev 2k11) ~ here (8 Apr 2k11) ~ here (11 April 2k11) ~ here (14 Apr 2k11)

No comments:

Post a Comment