Friday 25 November 2011

Lame winlock (from the FakePoliceAlert family?)



A weird winlock appeared around 16 November (exact date unknown), targeting German users and demanding Ukash/Paysafecard vouchers like the FakePoliceAlert winlocks:



The serial must be at least 15 digits:

The serial is then sent to the server and checked:

URL: cr0fter.com/index.php
POST data: guid={56429642-7C05-11E0-BAE9-806D6172696F}&rType=pay&pType=2&code=0123456789123456

The server response is then compared:


I did my own test requests:

It's easy to see how it works: the server can return two different values:
1000 (good serial)
1100 (bad serial)
The winlock then checks this value to send you either to the 'unlock' part or to the 'wrong PIN-Code' part.
The server first checks whether the serial is already in its database; if not, it checks the format.
Based on what I know, I used the Paysafecard format (16 digits, with a zero at the beginning?):
0XXXXXXXXXXXXXXX
where the X are random digits, and surprise, the serial worked.
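To make the check above concrete, here is an offline re-implementation of the exchange as reconstructed in this post. This is an added example, not code from the winlock or from the cr0fter.com backend: the local "at least 15 digits" filter, the POST body and the two response values are taken from the observations above, while the server-side logic (reject a serial already in the database, then accept anything matching a 16-digit, leading-zero Paysafecard format) is an assumption, since the real PHP was never seen.

```python
"""Offline simulation of the winlock PIN check described in the post.

Added example, not the malware's or the server's own code. The FakeServer
logic is an assumption reconstructed from the observed 1000/1100 replies.
"""
import random
import re
from urllib.parse import parse_qs, urlencode

GOOD = "1000"  # server reply observed for an accepted serial
BAD = "1100"   # server reply observed for a rejected serial

# Assumed: a Paysafecard-style PIN is 16 digits with a leading zero.
PSC_FORMAT = re.compile(r"^0\d{15}$")


def client_prefilter(code: str) -> bool:
    """The winlock's local check: digits only, at least 15 of them."""
    return code.isdigit() and len(code) >= 15


def build_post_body(guid: str, code: str) -> str:
    """Build the POST body the winlock sends to cr0fter.com/index.php."""
    return urlencode({"guid": guid, "rType": "pay", "pType": 2, "code": code})


class FakeServer:
    """Assumed backend: reject reused codes first, then check the format."""

    def __init__(self):
        self.seen = set()  # stand-in for the server's serial database

    def handle(self, body: str) -> str:
        params = parse_qs(body)
        code = params.get("code", [""])[0]
        if code in self.seen:
            return BAD
        if not PSC_FORMAT.match(code):
            return BAD
        self.seen.add(code)
        return GOOD


def client_decision(response: str) -> str:
    """What the winlock does with the reply: branch on the two known values."""
    if response == GOOD:
        return "unlock"
    if response == BAD:
        return "wrong PIN-Code"
    return "unknown"


def make_fake_pin(seed: int) -> str:
    """A zero followed by 15 random digits, the format that unlocked the sample."""
    rng = random.Random(seed)
    return "0" + "".join(str(rng.randrange(10)) for _ in range(15))


def run_attempt(server: FakeServer, guid: str, code: str) -> str:
    """Full round trip: local filter, POST to the (fake) server, branch on reply."""
    if not client_prefilter(code):
        return "too short"
    return client_decision(server.handle(build_post_body(guid, code)))


if __name__ == "__main__":
    srv = FakeServer()
    guid = "{56429642-7C05-11E0-BAE9-806D6172696F}"  # GUID from the captured POST
    print(run_attempt(srv, guid, make_fake_pin(1)))   # random PIN in the right format
    print(run_attempt(srv, guid, "1234567890123456"))  # no leading zero
```

The point of the simulation is that nothing in this flow verifies the voucher with Paysafecard: a serial is "good" as soon as it is unused and well-formed, which is why a random 0XXXXXXXXXXXXXXX string unlocks the machine.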

According to VirusTotal, only 5 AV engines detect the winlock:
https://www.virustotal.com/file-scan/report.html?id=bea82b09d0b0802cb7153bbaa7aeb22d169680c7dd103a5763e46d761b8aec31-1322165875

The following directory was found:
http://cr0fter.com:80/1/

3 comments:

  1. You can find the Admin panel here: http://cr0fter.com/1/admin/

  2. I have this now, how do I get rid of it?

  3. How can I get rid of this?