Win32/LockScreen [Threat Name]

Win32/LockScreen.AFR [Threat Variant Name]

Category: trojan
Size: 111616 B
Detection created: Mar 31, 2011
Detection database version: 6004
Aliases: Trojan.Win32.VBKrypt.crfg (Kaspersky)
  Trojan:Win32/Ransom.DI (Microsoft)
  TROJ_RANSOM.INC (TrendMicro)

Short description

Win32/LockScreen.AFR is a trojan that blocks access to the Windows operating system. To regain access to the operating system, the user is asked to send information or a certain amount of money via the Ukash payment service. The file is run-time compressed using UPX.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "%malwarefilepath%"
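
A defender-side check for the two Winlogon Shell entries listed above, as an added example that is not part of the original write-up: it parses the decoded text of a `.reg` export and reports a Shell value set under HKEY_CURRENT_USER or an HKEY_LOCAL_MACHINE Shell other than `explorer.exe`. The function names, the sample export and the assumption of a stock Windows configuration (no kiosk or custom shell) are this example's own.

```python
import re

# The two Winlogon keys listed above, compared case-insensitively.
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
HIVES = ("hkey_local_machine", "hkey_current_user")
EXPECTED_SHELL = "explorer.exe"  # stock HKLM value; HKCU normally has no Shell value
_STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')

def _unescape(s):
    # .reg string data escapes backslashes and quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, name, value) for each string value in decoded .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := _STRING_VALUE.fullmatch(line)):
            yield key, _unescape(m.group(1)), _unescape(m.group(2))

def find_shell_overrides(text):
    """Return (key, value, reason) for each Winlogon Shell value that needs review."""
    findings = []
    for key, name, value in parse_reg(text):
        hive, _, subkey = key.partition("\\")
        hive = hive.lower()
        if hive not in HIVES or subkey.lower() != WINLOGON or name.lower() != "shell":
            continue
        if hive == "hkey_current_user":
            findings.append((key, value, "per-user Shell value is set"))
        elif value.strip().lower() != EXPECTED_SHELL:
            findings.append((key, value, "machine Shell is not explorer.exe"))
    return findings

# Constructed sample export (not taken from an infected host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\Public\\sample.exe"
'''

if __name__ == "__main__":
    for key, value, reason in find_shell_overrides(SAMPLE):
        print(f"{reason}: [{key}] Shell={value}")
```

`reg export` writes UTF-16 by default, so decode the file before passing its text to `find_shell_overrides`.
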
Other information

Win32/LockScreen.AFR is a trojan that blocks access to the Windows operating system.


The trojan displays the following dialog box:

To regain access to the operating system, the user is asked to send information or a certain amount of money via the Ukash payment service.


The trojan terminates processes with any of the following strings in the name:

  • taskmgr.exe

The trojan alters the behavior of the following processes:

  • explorer.exe

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of URLs. The HTTP protocol is used.
