Win32/LockScreen [Threat Name] go to Threat

Win32/LockScreen.AK [Threat Variant Name]

Category trojan
Size 18432 B
Detection created Jul 07, 2009
Detection database version 4222
Aliases Trojan-Ransom.Win32.Blocker.cb (Kaspersky)
  Ransom!m (McAfee)
  Trojan.Winlock.151 (Dr.Web)
Short description

Win32/LockScreen.AK is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the trojan is deactivated. The file is run-time compressed using UPX .

Installation

When executed, the trojan copies itself into the %appdata% folder using one of the following file names:

  • gccay.exe
  • hjiwb.exe
  • jorgk.exe
  • nezau.exe
  • pknnx.exe
  • qbozz.exe
  • kuotx.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "wscc" = "%appdata%\­%filename%.exe"

A string with variable content is used instead of %filename% .

Other information

The trojan displays the following dialog box:

When the correct password is entered the trojan is deactivated.


To regain access to the operating system one of the following passwords can be used:

  • 5748839

The trojan disables the following key combinations: ALT + F4 .

Please enable Javascript to ensure correct displaying of this content and refresh this page.