Win32/LockScreen [Threat Name] go to Threat

Win32/LockScreen.AD [Threat Variant Name]

Category trojan
Size 23552 B
Detection created Jun 23, 2009
Detection database version 4180
Aliases Trojan-Ransom.Win32.SMSer.dm (Kaspersky)
  Ransom!e (McAfee)
  Trojan.Winlock.123 (Dr.Web)
Short description

Win32/LockScreen.AD is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the trojan removes itself from the computer. The file is run-time compressed using UPX .

Installation

When executed, the trojan copies itself into the %appdata% folder using one of the following file names:

  • cmeto.exe
  • fkwwy.exe
  • frdog.exe
  • fxalh.exe
  • hmuvt.exe
  • jfadc.exe
  • ngzmc.exe
  • qorkw.exe
  • qzxkc.exe
  • sbwss.exe
  • tpvya.exe
  • wlpse.exe
  • xftos.exe
  • yiwks.exe
  • zpqnp.exe
  • zzecq.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "windll" = "%appdata%\­%filename%.exe"

A string with variable content is used instead of %filename% .

Other information

The trojan displays the following dialog box:

When the correct password is entered the trojan removes itself from the computer.


The password to regain access to the operating system is one of the following:

  • 4939492 (+79204939492)
  • 2095498 (+79202095498)
  • 1234567 (+79201234567)
  • 1123456 (+79201123456)

Note: The password is valid for the telephone number in brackets.


The trojan disables the following key combinations: ALT + F4 .


The trojan contains a list of (1) URLs. It can send various information about the infected computer. The HTTP protocol is used.

Please enable Javascript to ensure correct displaying of this content and refresh this page.