How do you guys find the new URLs to this ransomware so fast?
A forum for reverse engineering, OS internals and malware analysis
ads who lead to winad
nickvth2009 wrote:where?EP_X0FF wrote:9652265929 -> BELGIUMinb4 new unblock code is THEFORMERYUGOSLAVREPUBLICOFMACEDONIA.
9099417118 -> BELGIUM
9099417146 -> BELGIUM
are you kidding? not joking really. btw mad skillz.
codes posted here after this reposts in many forums out there - your jokes are not funny
Post removed.
There is no need to post randomized pictures and self proclaimed unblock codes.
This is not a game and peoples outside who will try to enter fake codes will be unhappy at least.
There is no need to post randomized pictures and self proclaimed unblock codes.
This is not a game and peoples outside who will try to enter fake codes will be unhappy at least.
Ring0 - the source of inspiration
Another few killed.
Host name: xxxfilmaviforyou.info
Registrant Email: frolova.olga@gmail.com
Name Server:NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
Name Server:NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
Host name: filmforyouxxx.info
Name Server:NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
Name Server:NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
Ring0 - the source of inspiration
FilmForYouXxx.info has been blocked.
I have sent the request to block the redirectors:
hxxp://girid12va.info/gizfcciin.cgi?11
hxxp://bloti89da.info/gizaasciin.cgi?11
hxxp://dodol14da.info/gizffdiin.cgi?11
I have sent the request to block the redirectors:
hxxp://girid12va.info/gizfcciin.cgi?11
hxxp://bloti89da.info/gizaasciin.cgi?11
hxxp://dodol14da.info/gizffdiin.cgi?11
mc0blck wrote:FilmForYouXxx.info has been blocked.All three killed.
I have sent the request to block the redirectors:
hxxp://girid12va.info/gizfcciin.cgi?11
hxxp://bloti89da.info/gizaasciin.cgi?11
hxxp://dodol14da.info/gizffdiin.cgi?11
kliop59ta.info - redirector -> dead
Hostname: kliop59ta.info
Registrant Email: antonanton1980@yahoo.com
Name Server: NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
Name Server: NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
Ring0 - the source of inspiration
Codes seems the same. Additionally submitted through MDL. Goodbye GoDaddy, hello REGRU.
http://www.reg.ru/support/abuse
domain: GIGPORNOFORFREE.RUhttp://www.reg.ru/whois/index?dname=GIGPORNOFORFREE.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
e-mail: abatinsan@gmail.com
registrar: REGRU-REG-RIPN
created: 2011.07.17
paid-till: 2012.07.17
source: TCI
http://www.reg.ru/support/abuse
Ring0 - the source of inspiration
Code: Select all
Working as of 17/07/2011. Attached are the latest samples of this ransomware in a RAR-archive available for further analysis.hxxp://gigpornoforfree.ru/1/video/porno-rolik1.avi.exe
hxxp://gigpornoforfree.ru/2/video/porno-rolik2.avi.exe
hxxp://gigpornoforfree.ru/3/video/porno-rolik3.avi.exe
hxxp://gigpornoforfree.ru/4/video/porno-rolik4.avi.exe
hxxp://gigpornoforfree.ru/6/video/porno-rolik6.avi.exe
hxxp://gigpornoforfree.ru/7/video/porno-rolik7.avi.exe
hxxp://gigpornoforfree.ru/8/video/porno-rolik8.avi.exe
hxxp://gigpornoforfree.ru/9/video/porno-rolik9.avi.exe
hxxp://gigpornoforfree.ru/10/video/porno-rolik10.avi.exeI am still wondering why there never is a porno-rolik5.avi.exe.
Attachments
pass: malware
(529.44 KiB) Downloaded 43 times
(529.44 KiB) Downloaded 43 times
Last edited by EP_X0FF on Mon Jul 18, 2011 1:25 am, edited 1 time in total.
Reason: archive reaupload with password
dokoler-w.info redirector has been killed.
Host name: dokoler-w.info
Registrant Email: hirmo09@ymail.com
Name Server:NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
Name Server:NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
nickvth2009 wrote:I am still wondering why there never is a porno-rolik5.avi.exe.Likely this was made specially to fool some crawlers with autodownloader feature.
nickvth2009 wrote:Working as of 17/07/2011Please send abuse to REG.RU - as many peoples will start abusing - then better chances to get this sh*t down.
Ring0 - the source of inspiration
