Monday, 25 April 2011

Trojan.MBRlock (output.exe)

I got this one when it was new in the wild but never made a blog entry.
And I've viewed this post.. so it's time :)


This trojan blocker (MD5: 1a0f12cc7736b07fb153733c7494d76e) prevents all software execution.
To remove the trojan (and unlock Windows), infected users need to enter a valid serial number.

output.exe VirusTotal: https://www.virustotal.com/file-scan/report.html?id=5c368108517de7cf09e9614ef205cf49b13b384b49d5456316f3b1a2fe19b9ec-1303456070

The main executable modifies your MBR and launches a reboot procedure; once rebooted, you see this:


It says that after three days unlocking is no longer possible, but it is always possible.
That is just a way to scare the user and push them to call the "service".
Attention ! Windows activation period is exceeded.
This windows copy is illegal and not registered properly.
The further work is not possible.
For activating this copy of windows yo must enter registration code.

This code you can find in your windows distribution package.
If you not find them you can receive it by the phone: +423 877 0158.
Registration code must be entered not later then three days, if it entered later the unlocking is not possible

To unlock your computer, enter any serial of 14 characters (or more).
Example: XYLIBOXXYLIBOX
Right after you press Enter (al = 0Dh in the key code), it checks the length of your serial (the value in DI), and that's all.

The original MBR is not lost.


When a valid serial is entered, the infected part is gone.


Thanks Ange ;)

2 comments:

  1. And I would even say more...

    [..]
    checkchar:
    cmp al, 0Dh             ; was the key just read Enter (CR)?
    jnz short checknext     ; no: keep reading characters
    cmp di, Buffer + 0eh    ; yes: is DI exactly 14 bytes past Buffer (14 chars typed)?
    jz short restore        ; if so, restore; the serial's content is never checked
    [..]
    restore:
    mov ax, 301h            ; AH = 03h (write sectors), AL = 1 sector
    mov cx, 6               ; CH = cylinder 0, CL = sector 6
    mov dh, 0               ; head 0
    mov dl, 80h             ; first hard disk
    mov bx, 6C00h           ; ES:BX = source buffer in memory
    int 13h ; DISK - WRITE SECTORS FROM MEMORY

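As an added illustration (my code, not the post's or the commenter's), here is a small Python model of the two routines in the listing above and of the length check the post describes: the Enter handler, whose only test is how far DI has advanced, and the restore routine, decoded into the INT 13h parameters it passes. Assumed: DI advances one byte per typed character and stops at 14 (the input routine is not in the listing; this matches the post's "14 chars or more"), and a constructed Buffer base of 0.

```python
from dataclasses import dataclass

ENTER = 0x0D          # al == 0Dh when Enter is pressed
BUFFER = 0x0000       # constructed base address; only DI - Buffer matters
SERIAL_LEN = 0x0E     # cmp di, Buffer + 0eh  -> 14 characters


def serial_accepted(keystrokes: bytes) -> bool:
    """Model of checkchar/checknext: DI walks the input buffer and the only
    test made on Enter is whether DI sits exactly 14 bytes past Buffer.
    Assumption (the input routine is not in the listing): DI advances one
    byte per character and stops at 14, so longer inputs still pass."""
    di = BUFFER
    for al in keystrokes:
        if al == ENTER:                        # checkchar: cmp al, 0Dh
            return di == BUFFER + SERIAL_LEN   # jz short restore
        if di < BUFFER + SERIAL_LEN:           # checknext (assumed cap at 14)
            di += 1
    return False                               # still waiting for Enter


@dataclass
class DiskWrite:
    drive: int
    cylinder: int
    head: int
    sector: int
    count: int
    buffer_offset: int


def decode_restore(ax=0x0301, cx=0x0006, dh=0x00, dl=0x80, bx=0x6C00) -> DiskWrite:
    """Decode the restore routine's register setup into INT 13h AH=03h
    (write sectors) parameters: CL carries the sector in its low 6 bits and
    the cylinder's top two bits, CH the low 8 cylinder bits, DH the head,
    DL the drive, AL the sector count, ES:BX the source buffer."""
    ah, al = ax >> 8, ax & 0xFF
    ch, cl = cx >> 8, cx & 0xFF
    if ah != 0x03:
        raise ValueError(f"not a write-sectors call: AH={ah:#04x}")
    return DiskWrite(drive=dl, cylinder=ch | ((cl & 0xC0) << 2), head=dh,
                     sector=cl & 0x3F, count=al, buffer_offset=bx)


if __name__ == "__main__":
    print(serial_accepted(b"XYLIBOXXYLIBOX\r"))
    print(decode_restore())
```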
  2. But this happens only once. After subsequent infections and reboots, the MBR remains unaffected.

    Contact me: saumya.shetty.2010@gmail.com
