A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #5392  by Xylitol
 Thu Mar 10, 2011 3:11 am
wow, the sample has evolved!
loc: hXXp://axaxd.com/porno_video1019.avi.exe

Code:
Number to Call: 9636254756
Number to Call: 9646284189
Number to Call: 9645730849
Number to Call: 9057922996
Number to Call: 9652637446
Code to unlock Windows: 852852
Attachments
See archive comment for password
 #5458  by Xylitol
 Mon Mar 14, 2011 6:19 am
updated and fully undetected https://www.virustotal.com/file-scan/re ... 1300080800

hXXp://welkhwlcc.ru/pornoxxx_video891134.exe
Attachments
See archive comment for password
 #5571  by Xylitol
 Mon Mar 21, 2011 4:45 am
yay, like the good old times
loc: hXXp://rutrahxxx.ru/xxxvideo_best_porno.avi.exe


Result: 0/43 (0.0%)
https://www.virustotal.com/file-scan/re ... 1300671945
Attachments
See archive comment for password
 #7309  by EP_X0FF
 Fri Jul 15, 2011 4:18 pm
@ Sotherbee

All malware requests must be made only in the dedicated topic. For how to format your request, refer to the first post in the Malware Requests topic.
All malware requests not in that topic will be removed automatically.
 #7510  by EP_X0FF
 Fri Jul 22, 2011 2:22 pm
This business won't be dead in the near future :) Because it's very easy money and it is almost safe for criminals. Until they realize that someone is knocking on their doors with an arrest order - this will continue.

10. They buy a lot of tel numbers (likely with help and support inside Russian tel operators, with a discount, or for free if affiliated).

20. Next they do a fast copy-paste in Delphi/C++ (whatever), pack it with a primitive crypter (passing the build through a private AV-check board, cleaning signatures if needed) and upload it to the internet (if they have no money or are greedy - using free hosting, otherwise something low cost outside Russia).

30. If only one victim pays on only one number - it's already PROFIT. After a few days the guys close the phone bills and collect the money.

40. GOTO 10.
 #7524  by rkhunter
 Fri Jul 22, 2011 7:58 pm
Maybe there is a list of dark side hosting providers in Russia/Ukraine who distribute blockers? As far as I know, they are distributed from porno sites and legal hosts such as Narod/Yandex.
 #7534  by EP_X0FF
 Sat Jul 23, 2011 1:42 am
Ransoms are heavily distributed through tizer networks. They are not only on porno sites etc. For example, you are browsing some online library - and suddenly some annoying banner appears on the screen. You click [x] and are immediately forwarded to a malware host full of ransoms and exploits (like in the case of MBRlocker, Lock'Em'All).

Without the contribution of local authorities - this is an endless eight.