Win32/LockScreen [Threat Name]

Win32/LockScreen.AJX [Threat Variant Name]

Category: trojan
Size: 348160 B
Detection created: Feb 12, 2012
Detection database version: 6878
Aliases: Trojan-Ransom.Win32.Foreign.acz (Kaspersky)
  Ransom!ez.trojan (McAfee)
  Trojan:Win32/Ransirac.C (Microsoft)

Short description

Win32/LockScreen.AJX is a trojan that blocks access to the Windows operating system.

Installation

When executed, the trojan copies itself to the following locations:

  • %windir%\system32\InetAccelerator.exe
  • %commonappdata%\InetAccelerator\InetAccelerator.exe
  • %appdata%\InetAccelerator\InetAccelerator.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run]
    • "InetAccelerator" = "%windir%\system32\InetAccelerator.exe"
  • [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run]
    • "InetAccelerator." = "%commonappdata%\InetAccelerator\InetAccelerator.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "InetAccelerator" = "%appdata%\InetAccelerator\InetAccelerator.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "shell" = "%appdata%\InetAccelerator\InetAccelerator.exe,%windir%\InetAccelerator.exe,%system%\userinit.exe,"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%commonappdata%\InetAccelerator\InetAccelerator.exe, Explorer.exe,"
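
A way to check a machine for the autostart entries listed above, as an added example that is not part of the original description or ESET's own tooling. It assumes the Run and Winlogon keys were exported with regedit and decoded to text; the sample export is constructed from the value names above, with hypothetical expanded paths.

```python
import re

# Constructed sample in regedit export style, built from the entries listed above.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InetAccelerator"="C:\\Windows\\system32\\InetAccelerator.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\u\\AppData\\Roaming\\InetAccelerator\\InetAccelerator.exe,C:\\Windows\\InetAccelerator.exe,C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\ProgramData\\InetAccelerator\\InetAccelerator.exe, Explorer.exe,"
"Shell"="explorer.exe"
'''

# Stock Windows values: Shell runs explorer.exe, Userinit runs userinit.exe.
EXPECTED = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: data}} from a .reg text export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"(.+?)"="(.*)"$', line)
            if m:  # .reg files escape each backslash as two
                current[m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return keys

def audit(text):
    """List (key, value name, suspicious entries) for Run and Winlogon autostarts."""
    findings = []
    for key, values in parse_reg(text).items():
        for name, data in values.items():
            if key.endswith(r"\currentversion\winlogon") and name in EXPECTED:
                # Every comma-separated entry is launched at logon, so anything
                # other than the stock binary is worth reviewing.
                extra = [p.strip() for p in data.split(",") if p.strip()
                         and p.strip().rsplit("\\", 1)[-1].lower() not in EXPECTED[name]]
                if extra:
                    findings.append((key, name, extra))
            elif key.endswith(r"\currentversion\run") and "inetaccelerator" in data.lower():
                findings.append((key, name, [data]))
    return findings

if __name__ == "__main__":
    for key, name, entries in audit(SAMPLE):
        print(key, name, entries)
```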

The following Registry entries are deleted:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot]
  • [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Safeboot]
  • [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Safeboot]

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used.


The trojan may display the following dialog boxes:

The following services are disabled:

  • System Restore

The trojan modifies the following file:

  • %windir%\win.ini

The following programs are terminated:

  • taskmgr.exe
  • procexp.exe
