Win32/LockScreen [Threat Name]

Win32/LockScreen.AKO [Threat Variant Name]

Category trojan
Size 126464 B
Detection created Mar 14, 2012
Detection database version 6965
Aliases Trojan.Win32.Agent.hvua (Kaspersky)
  PWS-Zbot.gen.hv.trojan (McAfee)
  Trojan:Win32/Pexby.A (Microsoft)

Short description

Win32/LockScreen.AKO is a trojan that blocks access to the Windows operating system.

Installation

When executed, the trojan copies itself into the following location:

  • %startup%\igfxtray.exe

This way the trojan ensures that the file is executed on every system start.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
    • "NoProtectedModeBanner" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "2500" = 3
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
    • "NoProtectedModeBanner" = 1
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "2500" = 3
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "2500" = 3
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "2500" = 3
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "2500" = 3
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "2500" = 3
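
For offline triage, the registry values listed above can be matched against a registry export in .reg text format. The following Python is an added example, not part of the original description or any vendor tool; the function names and the sample export are constructed for illustration, and the input is assumed to be already decoded to text.

```python
import re

# Registry indicators from the list above, lower-cased for matching.
# "2500" is Internet Explorer's per-zone Protected Mode setting (3 = disabled).
ZONE_KEY = r"software\microsoft\windows\currentversion\internet settings\zones"
IE_MAIN_KEY = r"software\microsoft\internet explorer\main"
HIVES = ("hkey_local_machine", "hkey_current_user")

def expected_indicators():
    """Build the (key, value name, dword) triples listed in the description."""
    wanted = set()
    for hive in HIVES:
        wanted.add((hive + "\\" + IE_MAIN_KEY, "noprotectedmodebanner", 1))
        for zone in range(5):
            wanted.add((f"{hive}\\{ZONE_KEY}\\{zone}", "2500", 3))
    return wanted

def parse_reg_export(text):
    """Yield (key, value name, dword) for every DWORD value in .reg-format text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry paths are case-insensitive
            continue
        m = re.fullmatch(r'"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})', line)
        if m and key:
            yield key, m.group(1).lower(), int(m.group(2), 16)

def match_indicators(text):
    """Return the listed indicators that are present in the export, sorted."""
    return sorted(expected_indicators() & set(parse_reg_export(text)))

# Constructed sample export (not from a real host): two values match the list,
# and zone 4 keeps Protected Mode enabled (0), so it must not be reported.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"NoProtectedModeBanner"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2500"=dword:00000003
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"2500"=dword:00000000
'''

if __name__ == "__main__":
    hits = match_indicators(SAMPLE)
    print(f"{len(hits)} of {len(expected_indicators())} listed values present")
    for key, name, value in hits:
        print(f"  {key}  {name}={value}")
```

These values can also be set deliberately by an administrator, so a match is a prompt to check for %startup%\igfxtray.exe rather than proof of infection.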

The trojan terminates all running processes except the following:

  • iexplore.exe

The trojan blocks the execution of all applications, except the following:

  • iexplore.exe

The trojan creates and runs a new thread with its own program code within the following processes:

  • Winlogon.exe

The trojan hooks the following Windows APIs:

  • SwitchDesktop (user32.dll)
  • CreateProcessInternalW (kernel32.dll)

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 14 URLs. It communicates with them over HTTP.


The trojan displays the following dialog box:

To regain access to the operating system the user is requested to comply with given conditions in exchange for a password/instructions.


When the correct password is entered the trojan is deactivated.
