Win32/LockScreen [Threat Name]

Win32/LockScreen.AKA [Threat Variant Name]

Category trojan
Size 198510 B
Detection created Feb 15, 2012
Detection database version 6887
Aliases Trojan-Ransom.Win32.Blocker.gww (Kaspersky)
  VirTool:Win32/VBInject.gen!IQ (Microsoft)

Short description

Win32/LockScreen.AKA is a trojan that blocks access to the Windows operating system.

Installation

When executed, the trojan copies itself to the following locations:

  • %windir%\system32\gema.exe
  • %allusersappdata%\gema\gema.exe
  • %appdata%\gema\gema.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "gema" = "%windir%\system32\gema.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "gema." = "%allusersappdata%\gema\gema.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "gema" = "%appdata%\gema\gema.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "shell" = "%appdata%\gema\gema.exe, Explorer.exe,"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%allusersappdata%\gema\gema.exe, %SYSTEM%\userinit.exe,"
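
A host can be checked for the Run and Winlogon changes listed above by comparing each value with what a clean system holds. The Python sketch below is an added example, not part of the original description; the sample values are constructed by expanding the placeholders to hypothetical paths, and C:\Windows is assumed as the Windows directory.

```python
import ntpath

WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
KNOWN_BAD_NAMES = {"gema.exe"}  # file name taken from the description above

# Constructed sample: the values listed above with the placeholders expanded
# to hypothetical paths (the user name "alice" is an assumption).
SAMPLE_WINLOGON = {
    "Shell": r"C:\Users\alice\AppData\Roaming\gema\gema.exe, Explorer.exe,",
    "Userinit": r"C:\ProgramData\gema\gema.exe, C:\Windows\system32\userinit.exe,",
}
SAMPLE_RUN = {"gema": r"C:\Windows\system32\gema.exe",
              "ctfmon": r"C:\Windows\system32\ctfmon.exe"}


def stock_entries(windir=r"C:\Windows"):
    """Entries a clean system holds in Shell and Userinit (lower-cased)."""
    userinit = ntpath.join(windir, "system32", "userinit.exe").lower()
    return {"shell": {"explorer.exe"}, "userinit": {userinit}}


def split_entries(value):
    """Shell/Userinit hold comma-separated commands; drop empty parts."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def audit_winlogon(name, value, windir=r"C:\Windows"):
    """Return the entries of a Winlogon value that are not the stock binary."""
    stock = stock_entries(windir)[name.lower()]
    return [e for e in split_entries(value) if e.lower() not in stock]


def audit_run(values):
    """Return (name, data) pairs of a Run key that point at a known-bad file."""
    return [(n, d) for n, d in values.items()
            if ntpath.basename(d.strip('"')).lower() in KNOWN_BAD_NAMES]


def read_hklm_winlogon():
    """Windows only: fetch the live HKLM Shell and Userinit values."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return {n: winreg.QueryValueEx(key, n)[0] for n in ("Shell", "Userinit")}

if __name__ == "__main__":
    for name, value in SAMPLE_WINLOGON.items():
        print(name, "->", audit_winlogon(name, value))
    print("Run ->", audit_run(SAMPLE_RUN))
```

On a live Windows host, pass the result of `read_hklm_winlogon()` through `audit_winlogon`; the per-user Shell value under HKEY_CURRENT_USER normally does not exist, so its presence alone is worth reviewing.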

The following programs are terminated:

  • taskmgr.exe
  • procexp.exe

The following services are disabled:

  • System Restore

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 35 URLs. The HTTP protocol is used.


To regain access to the operating system, the user is requested to comply with given conditions in exchange for a password/instructions.


The trojan modifies the following file:

  • %windir%\win.ini
