This thread contains samples that belong to the same group and are distributed as a "porno player". The locker is named winAD because of the About box resource, which is present in both types.
It is BlueTrash
Unblock codes and tel numbers are stored inside the executables. They do not use a cryptor, but the Winlock code is constantly morphing, trying to break antivirus signatures.
EDIT: 05 July 2011
Starting from May 2011, WinAD evolved into the Porno-Rolik ransomware. See page 9.
The overall working scheme is still the same: hardcoded unblock code, constant updates to break AV signature detection. With the Porno-Rolik version the authors started using Mystic Compressor / VBCrypt.
/*original message below*/
Dropper packed with UPX.
Extracts payload Winlock executable to Documents and Settings\UserName\[Digits]\[Digits].exe
Runs through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Unblock key EYE OF NEWT, stored as UNICODE.
Attached is the Winlock executable extracted from the dropper. http://www.virustotal.com/file-scan/rep ... 1290596918
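A defensive check for the Userinit persistence described in the post above, as an added example that is not part of the original post: it audits a Winlogon `Userinit` value and flags any entry other than the stock `userinit.exe`, marking those that match the drop path pattern given in the post. The function names, the default system root and the sample values are assumptions constructed for illustration.

```python
import ntpath
import os
import re
import sys

# Drop location given in the post:
#   Documents and Settings\UserName\[Digits]\[Digits].exe
DROP_PATH = re.compile(
    r"\\Documents and Settings\\[^\\]+\\\d+\\\d+\.exe$", re.IGNORECASE
)

def expected_userinit(system_root):
    """Normalized path of the stock userinit.exe for this system root."""
    return ntpath.normcase(ntpath.join(system_root, "system32", "userinit.exe"))

def audit_userinit(value, system_root=r"C:\WINDOWS"):
    """Return (entry, verdict) for every non-default entry in a Userinit value.

    The post does not say whether the value is replaced or appended to,
    so every comma-separated entry is checked.
    """
    findings = []
    good = expected_userinit(system_root)
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # the stock value ends with a trailing comma
        if ntpath.normcase(ntpath.normpath(entry)) == good:
            continue
        verdict = "winlock-drop-path" if DROP_PATH.search(entry) else "unexpected"
        findings.append((entry, verdict))
    return findings

# Constructed sample values (not taken from a real infected machine).
CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
APPENDED = (r"C:\WINDOWS\system32\userinit.exe,"
            r"C:\Documents and Settings\User\48151623\48151623.exe")
OTHER = r"C:\WINDOWS\system32\userinit.exe,C:\Temp\helper.exe,"

if __name__ == "__main__":
    if sys.platform == "win32":
        import winreg  # read the live value when run on Windows
        key = winreg.OpenKey(
            winreg.HKEY_LOCAL_MACHINE,
            r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
        live, _ = winreg.QueryValueEx(key, "Userinit")
        root = os.environ.get("SystemRoot", r"C:\WINDOWS")
        print("live:", audit_userinit(live, root))
    for sample in (CLEAN, APPENDED, OTHER):
        print(audit_userinit(sample))
```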