Monday, 13 June 2011

Trojan.Ransom (porno-rolik.avi.exe)


This trojan blocker (MD5: 8ad3f84575cdda185084cbdb992bf4f3) prevents all software execution.
To remove the trojan (and unlock Windows), infected users are required to enter a valid serial number.


Number to Call: 9096694100
Code to unlock Windows: GASH


Pornoplayer variant.
Already noticed in the past: here (28 May 2k11) ~ here (4 Jun 2k11) ~ here (9 Jun 2k11) ~ here (11 Jun 2k11) ~ here (12 Jun 2k11) ~ here (12 Jun 2k11)


Ollyscript:
BC                                     // clear all software breakpoints
BPHWC                                  // clear all hardware breakpoints
BPX "VirtualAlloc"                     // break on the calls to VirtualAlloc
RUN                                    // run until the packer allocates memory
STO                                    // step over the VirtualAlloc call
RTR                                    // run until the current procedure returns
STO                                    // step over, back in the packer stub
FINDOP eip, #6865647138#               // search forward from EIP for PUSH 38716465
CMP $RESULT, 0
JNE noerrors                           // $RESULT = 0 means the opcode was not found
MSG "Shit happens"
noerrors:
BPHWS $RESULT                          // hardware breakpoint on execution at the PUSH
RUN
loop:
STI                                    // single-step until EIP sits on MOV [..], reg (89 ?? ?? F? FF FF FF)
FIND eip, #89????F?FFFFFF#             // '?' is a nibble wildcard
CMP $RESULT, eip
JNE loop
STO
STO
STO
loop2:
STI                                    // single-step until EIP sits on the epilogue below
FIND eip, #585F5E5BC950E8D9010000#     // POP EAX/EDI/ESI/EBX, LEAVE, PUSH EAX, CALL +0x1D9
CMP $RESULT, eip
JNE loop2
STO
STO
STO
STO
STO
STO
STI
FIND eip, #C20400#                     // RETN 4: the final jump to the unpacked entry point
CMP $RESULT, 0
JNE lolwoot
MSG "Shit happens"
lolwoot:
BP $RESULT                             // software breakpoint on the RETN 4
RUN
STO                                    // execute the RETN 4; EIP is now the OEP
AN eip                                 // analyse the code at the OEP
DPE "unpacked.exe", eip                // dump the process with the OEP as entry point
CMT eip, "Enjoy faggot"
RET
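The FIND and FINDOP patterns in the script above use OllyScript's nibble wildcard syntax (each `?` matches any hex digit). As an added illustration that is not part of the original post, the following Python matcher implements that pattern syntax and locates the script's three signatures in a dumped file; the sample bytes are constructed for the demo and are not taken from the real malware.

```python
import re
import struct

def parse_olly_pattern(pattern: str) -> list:
    """Convert an OllyScript FIND/FINDOP pattern like #89????F?FFFFFF# into
    (value, mask) byte pairs. Each '?' is a nibble wildcard, so 'F?' matches
    0xF0..0xFF and '??' matches any byte."""
    hexstr = pattern.strip("#").replace(" ", "").upper()
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9A-F?]*", hexstr):
        raise ValueError(f"bad pattern: {pattern!r}")
    pairs = []
    for i in range(0, len(hexstr), 2):
        hi, lo = hexstr[i], hexstr[i + 1]
        value = (0 if hi == "?" else int(hi, 16) << 4) | (0 if lo == "?" else int(lo, 16))
        mask = (0 if hi == "?" else 0xF0) | (0 if lo == "?" else 0x0F)
        pairs.append((value, mask))
    return pairs

def find_pattern(buf: bytes, pattern: str, start: int = 0) -> int:
    """Offset of the first match at or after `start`, or -1 if none.
    (Olly's FIND leaves 0 in $RESULT on failure, which is why the script
    compares $RESULT against 0; -1 is used here so offset 0 stays valid.)"""
    needle = parse_olly_pattern(pattern)
    for off in range(start, len(buf) - len(needle) + 1):
        if all((buf[off + k] & m) == v for k, (v, m) in enumerate(needle)):
            return off
    return -1

def push_imm32(buf: bytes, off: int) -> int:
    """Decode the little-endian immediate of a PUSH imm32 (68 xx xx xx xx) at
    `off`; this is why bytes 68 65 64 71 38 disassemble as PUSH 38716465."""
    if buf[off] != 0x68:
        raise ValueError("not a PUSH imm32 at offset %#x" % off)
    return struct.unpack_from("<I", buf, off + 1)[0]

# Constructed sample (hypothetical, not bytes from the real sample): filler
# followed by the three signatures the script searches for, in order.
SAMPLE = bytes.fromhex(
    "90 90 "                             # NOP NOP (filler)
    "68 65 64 71 38 "                    # PUSH 38716465
    "89 84 24 F0 FF FF FF "              # MOV [ESP-10], EAX: matches 89????F?FFFFFF
    "58 5F 5E 5B C9 50 E8 D9 01 00 00 "  # POP EAX/EDI/ESI/EBX, LEAVE, PUSH EAX, CALL +0x1D9
    "C2 04 00"                           # RETN 4
)

if __name__ == "__main__":
    for pat in ("#6865647138#", "#89????F?FFFFFF#", "#585F5E5BC950E8D9010000#", "#C20400#"):
        print(f"{pat:<28} -> offset {find_pattern(SAMPLE, pat)}")
    print(f"PUSH imm32 = {push_imm32(SAMPLE, 2):08X}")
```

Run it against a raw dump (e.g. `find_pattern(open("dump.bin", "rb").read(), "#C20400#")`) to check whether the same signatures are present in a new variant before trusting the script's hardcoded offsets.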
