Indian winlocker trash, fakes a BSOD or product key screen, tries to get the user to call fake tech support.
Some have a nice button to run cmd.exe, some do not.
All are linked via dropper method (advanced installer), or via callback URL (to notify successful install only).
I called this family "VB6.blacksod", because one of the earlier samples I saw had a form name called "blacksod", and they're all coded in VB6.
ErrorFileRemover.exe: advanced installer dropper, contacts hxxp://recoverpcerror.com/ar/5430.html (links to license key.exe), and hxxp://itsupport24by7.com/online.html (browlock in root, in utf-16le encoding with BOM, probably as a lame obfuscation attempt). Number to call: +1(800)536-1585 -- fakes a BSOD and plays lame text-to-speech wav in broken English to scare the user.
VideoCodecX.exe: advanced installer dropper, contacts hxxp://gmusicplayer.com/0678.html and hxxp://recoverpcerror.com/me/0678.html, has nice cmd.exe button, number to call: 1-844-307-0678
license key.exe: Smart Install Maker dropper, contacts hxxp://recoverpcerror.com/me/active/3313.html, has nice cmd.exe button, number to call: 1-877-256-3313
Attachments
pass: infected
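The UTF-16LE-with-BOM trick mentioned for the browlock page is worth handling on the defender side: a byte-level grep for a phone number or "cmd.exe" on the fetched body silently misses, because every ASCII character is interleaved with a NUL byte. The following scanner is an added example written for this thread, not code from the original post or its author; it decodes a fetched page body according to its BOM, then pulls out toll-free-style phone numbers and scare phrases. The sample page and its 555 phone number are constructed placeholders, not indicators from the post; the scare-phrase list is a hypothetical starting set.

```python
import re
from typing import Optional

BOM_UTF16LE = b"\xff\xfe"
BOM_UTF16BE = b"\xfe\xff"
BOM_UTF8 = b"\xef\xbb\xbf"

# Constructed sample: a tiny browlock-style page saved as UTF-16LE with a BOM,
# mimicking the encoding trick described in the post. The phone number uses the
# fictional 555 exchange and is NOT one of the thread's indicators.
SAMPLE_HTML = (
    "<html><body><h1>Windows has detected a critical error</h1>"
    "<p>Call Toll Free 1-800-555-0199 to speak with a technician</p>"
    "<script>window.onbeforeunload=function(){return 'Do not close';}</script>"
    "</body></html>"
)
SAMPLE_BODY = BOM_UTF16LE + SAMPLE_HTML.encode("utf-16-le")

# Constructed benign page for comparison, plain UTF-8 without a BOM.
BENIGN_BODY = b"<html><body><p>Welcome to our download page.</p></body></html>"

# Hypothetical phrase list; tune it against real browlock captures.
SCARE_PHRASES = (
    "critical error",
    "call toll free",
    "technician",
    "your computer has been",
    "do not close",
)

# North American numbers in the shapes seen on these pages:
# +1(800)536-1585, 1-844-307-0678, 1-877-256-3313, 800.555.0199 ...
PHONE_RE = re.compile(
    r"(?:\+?1[\s\-.]?)?\(?\d{3}\)?[\s\-.]?\d{3}[\s\-.]?\d{4}"
)


def detect_bom(raw: bytes) -> Optional[str]:
    """Return the codec implied by a leading BOM, or None if there is none."""
    if raw.startswith(BOM_UTF16LE):
        return "utf-16-le"
    if raw.startswith(BOM_UTF16BE):
        return "utf-16-be"
    if raw.startswith(BOM_UTF8):
        return "utf-8"
    return None


def decode_page(raw: bytes) -> str:
    """Decode a fetched body, honouring the BOM so UTF-16 pages become searchable text."""
    codec = detect_bom(raw)
    if codec is None:
        return raw.decode("utf-8", errors="replace")
    bom_len = 3 if codec == "utf-8" else 2
    return raw[bom_len:].decode(codec, errors="replace")


def normalize_phone(match: str) -> str:
    """Reduce a matched number to its 10 digits so variants collapse to one indicator."""
    digits = re.sub(r"\D", "", match)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def scan_browlock(raw: bytes) -> dict:
    """Decode the page and report phone numbers, scare phrases and a close-blocking handler."""
    text = decode_page(raw)
    lowered = text.lower()
    phones = sorted({normalize_phone(m) for m in PHONE_RE.findall(text)})
    phrases = [p for p in SCARE_PHRASES if p in lowered]
    blocks_close = "onbeforeunload" in lowered
    return {
        "bom_codec": detect_bom(raw),
        "phones": phones,
        "scare_phrases": phrases,
        "onbeforeunload": blocks_close,
        # Verdict: a number to call plus either several scare phrases or a
        # handler that nags the user when they try to leave the page.
        "suspicious": bool(phones) and (len(phrases) >= 2 or blocks_close),
    }


if __name__ == "__main__":
    # A naive byte search fails on the UTF-16 body; the decoded scan does not.
    print("naive byte search finds number:", b"1-800" in SAMPLE_BODY)
    print(scan_browlock(SAMPLE_BODY))
    print(scan_browlock(BENIGN_BODY))
```

The normalized phone number is the indicator worth feeding into blocklists or proxy-log searches, since the same support line shows up across samples in different formatting; the BOM check is also a cheap signal on its own, because legitimate web pages are rarely served as UTF-16.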