Win32/LockScreen [Threat Name]

Win32/LockScreen.AKG [Threat Variant Name]

Category trojan
Size 266240 B
Detection created Feb 20, 2012
Detection database version 6905
Aliases Trojan-Downloader.Win32.Dapato.cnm (Kaspersky)
  VirTool:Win32/VBInject.gen!IN (Microsoft)
Short description

Win32/LockScreen.AKG is a trojan that blocks access to the Windows operating system.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\%variable1%

The %variable1% is one of the following strings:

  • u56esdij.exe
  • gw45u45111.exe
  • ujr5iujdcft.exe
  • y6drxuj c7ti.exe
  • bstr55uhjzd.exe
  • soundblaster_fx648.exe
  • itunes_service86.exe
  • hw654ustqq.exe
  • h6s5ruij653.exe
  • flint4ytw.exe
  • k8rdift659c.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{%variable2%}]
    • "%variable3%" = ""%malwarefilepath%" /ActiveX"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable3%" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable3%" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%malwarefilepath%, %system%\userinit.exe,"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "%malwarefilepath%, %system%\userinit.exe,"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%malwarefilepath%"

The %variable2% is one of the following strings:

  • O9U68HCI-tA5z-MSuh-4lzU-nDZC43LfmO6P
  • PzNtC70Z-ovWJ-yczk-WaFb-fs5SkWVcM3h2
  • BvYKdEQl-iLui-B4T0-VmjI-cPolyEQ4JIRW
  • 61r1K7Zg-HMWm-14l4-knLL-DFbthPjzcAFc
  • fgp1l2e2-UHzu-fOkg-z7KY-SpaF5G4Z1Yo3
  • B7DP0lwl-gyOj-zQe1-T8DI-cr3qllv4OfBp
  • XeJngJXf-ODXg-ffJf-IGRj-b8ZmzFObCacv
  • 1hmSr1RB-ESch-XaCZ-hs1G-ALronm184WAs
  • 5ueDxYLo-I543-1otK-kGTs-C9Y55G4HYphK
  • xZZHlbZp-cp9b-vHzS-P0ZA-6t3dhx9Vn6Sh
  • i0qyLGxO-ZfW6-iymO-CQLv-V8bdvknLQatS

The %variable3% is one of the following strings:

  • Db54p8FT3EzkkTk
  • 4rJHeEXlxs54kFa
  • 1hlVVnpMZJrBRye
  • BX6kRBeYBXtpN21
  • lmfvMDBr3jNvGGM
  • 5kS43ADO0bzprWo
  • VX5LWxsct4OYCCz
  • m29dAlvRev1yx2E
  • VX2bt1oYNKCLnkO
  • K3aRyluP6SiCkoR
  • 7Rxb5FismTZydeX

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "1400" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1400" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1400" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
    • "DisableRegistryTools" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoDesktop" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "HideIcons" = 1
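
An added audit example, not part of this ESET entry: a Python check that scans a dump of (key, value name, data) triples for the persistence and lockout settings listed above (Winlogon Shell/Userinit, Run and Active Setup entries launching from %appdata%, the Policies/Explorer lockout values and IE zone setting 1400). The sample dump is constructed; the file name, GUID and value name are taken from this page's lists, and the extra `%temp%` marker is an assumption of the example.

```python
import ntpath
# Substrings marking user-writable drop locations; %appdata% is the one on this page.
USER_WRITABLE = ("%appdata%", "\\appdata\\roaming\\", "%temp%")
# (key suffix, value name) -> data value that matches the lockout entries listed above.
LOCKOUT = {("policies\\system", "disabletaskmgr"): 1, ("policies\\system", "disableregistrytools"): 1,
           ("policies\\explorer", "nodesktop"): 1, ("explorer\\advanced", "hideicons"): 1}

def _in_user_dir(data):
    return any(m in data.lower() for m in USER_WRITABLE)

def audit(entries):
    """Return findings for an iterable of (key, value_name, data) triples."""
    findings = []
    for key, name, data in entries:
        k, n, d = key.lower(), name.lower(), str(data)
        if k.endswith("\\winlogon") and n == "shell" and d.strip().lower() != "explorer.exe":
            findings.append(f"Winlogon Shell replaced: {key} -> {d}")
        elif k.endswith("\\winlogon") and n == "userinit":
            # The default chain is the single system userinit.exe; anything else is an injection.
            names = [ntpath.basename(p.strip()).lower() for p in d.split(",") if p.strip()]
            if names != ["userinit.exe"]:
                findings.append(f"Winlogon Userinit chain altered: {d}")
        elif k.endswith("\\currentversion\\run") and _in_user_dir(d):
            findings.append(f"Run entry launches from user-writable dir: {name} -> {d}")
        elif "\\active setup\\installed components\\" in k and _in_user_dir(d):
            findings.append(f"Active Setup component from user-writable dir: {name} -> {d}")
        elif "\\internet settings\\zones\\" in k and n == "1400" and data == 0:
            findings.append(f"Active scripting (1400) forced on in IE zone {ntpath.basename(key)}")
        else:
            for (suffix, vname), bad in LOCKOUT.items():
                if k.endswith(suffix) and n == vname and data == bad:
                    findings.append(f"User lockout policy set: {name} = {data}")
    return findings

# Constructed sample dump; the file name, GUID and value name come from the lists on this page.
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKCU_CV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
SAMPLE = [
    ("HKEY_LOCAL_MACHINE\\" + WINLOGON, "Shell", "explorer.exe"),                          # clean
    ("HKEY_LOCAL_MACHINE\\" + WINLOGON, "Userinit", r"C:\Windows\system32\userinit.exe,"),  # clean
    ("HKEY_LOCAL_MACHINE\\" + WINLOGON, "Userinit", r"%appdata%\flint4ytw.exe, C:\Windows\system32\userinit.exe,"),
    ("HKEY_CURRENT_USER\\" + WINLOGON, "Shell", r"%appdata%\flint4ytw.exe, C:\Windows\system32\userinit.exe,"),
    (HKCU_CV + r"\Run", "Db54p8FT3EzkkTk", r"%appdata%\flint4ytw.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{O9U68HCI-tA5z-MSuh-4lzU-nDZC43LfmO6P}",
     "Db54p8FT3EzkkTk", r'"%appdata%\flint4ytw.exe" /ActiveX'),
    (HKCU_CV + r"\Policies\System", "DisableTaskMgr", 1),
    (HKCU_CV + r"\Policies\System", "DisableTaskMgr", 0),                                  # clean
    (HKCU_CV + r"\Internet Settings\Zones\0", "1400", 0),
]
```

Running `audit(SAMPLE)` yields six findings; the two default Winlogon values and the DisableTaskMgr = 0 entry produce none.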

The trojan terminates any program that creates a window containing any of the following strings in its name:

  • Windows Task Manager

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (26) URLs. The HTTP protocol is used.

The trojan displays the following dialog box:

To regain access to the operating system, the user is asked to comply with the stated conditions in exchange for a password or instructions.