Win32/LockScreen [Threat Name]

Win32/LockScreen.AKR [Threat Variant Name]

Category trojan
Size 116224 B
Detection created Mar 30, 2012
Detection database version 7013
Aliases PWS-Zbot.gen.ut.trojan (McAfee)
  Trojan:Win32/Malagent (Microsoft)
Short description

Win32/LockScreen.AKR is a trojan that blocks access to the Windows operating system.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\%variable%.exe

%variable% stands for a string whose content varies from sample to sample.


The trojan creates the following file:

  • %appdata%\kb.dll (3072 B, Win32/LockScreen.AKR)

The following library is injected into all running processes:

  • kb.dll

In order to be executed on every system start, the trojan sets the following Registry entries (the Winlogon "Shell" value replaces the normal shell, explorer.exe, so the locker starts instead of the desktop):

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Leadership Technologies" = "%appdata%\%variable%.exe"
    • "videoLAN Media Lab" = "%appdata%\%variable%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Leadership Technologies" = "%appdata%\%variable%.exe"
    • "videoLAN Media Lab" = "%appdata%\%variable%.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "%appdata%\%variable%.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "%appdata%\%variable%.exe"

The following Registry entries are set. The Internet Settings values enable Active Scripting (1400) and submission of non-encrypted form data (1601) in the affected zones; the Policies and Explorer values disable Task Manager, the Registry tools and the Windows keys and hide the desktop, so the user cannot close the lock screen:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "1400" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1400" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1400" = 0
    • "1601" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
    • "DisableRegistryTools" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoDesktop" = 1
    • "NoWinKeys" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "HideIcons" = 1

The trojan may delete the following Registry entries, which prevents the system from being booted into Safe Mode:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
  • [HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\SafeBoot]

The following programs are terminated:

  • explorer.exe
  • taskmgr.exe
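
The following PowerShell script is an added example written for this page; it is not ESET's cleaning tool and not code from the malware analysis. It audits a live system for the artifacts listed in the Installation section above (the two Run value names, a hijacked Winlogon "Shell", the lockdown policy values, the dropped kb.dll and the processes it is mapped into, executables sitting directly in %APPDATA%, and the SafeBoot keys) and, when run with the assumed -Remediate switch, reverts the registry changes. The switch name, the %APPDATA%\*.exe heuristic and the check of the SafeBoot\Minimal and SafeBoot\Network subkeys are assumptions of this example, not details from the page.

```powershell
# Added IOC audit for the Win32/LockScreen.AKR artifacts described on this page.
# Example code written for this page, not ESET's tooling.
# Assumptions: run from an elevated PowerShell on the live system (or through
# remoting, since the locker blocks local input); -Remediate is an assumed
# switch name, and without it the script only reports.
[CmdletBinding()]
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Autostart value names used by this variant, in both hives.
$runNames = 'Leadership Technologies', 'videoLAN Media Lab'
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $run)) { continue }
    $props = Get-ItemProperty -Path $run
    foreach ($n in $runNames) {
        if ($props.PSObject.Properties[$n]) {
            $findings.Add("$run\$n = $($props.$n)")
            if ($Remediate) { Remove-ItemProperty -Path $run -Name $n -Force }
        }
    }
}

# 2. Winlogon Shell hijack: anything other than explorer.exe starts instead of the desktop.
foreach ($hive in 'HKLM', 'HKCU') {
    $wl = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    if (-not (Test-Path $wl)) { continue }
    $shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        $findings.Add("$wl\Shell = $shell")
        if ($Remediate) {
            # HKLM normally holds explorer.exe; HKCU normally has no Shell value at all.
            if ($hive -eq 'HKLM') { Set-ItemProperty -Path $wl -Name Shell -Value 'explorer.exe' }
            else { Remove-ItemProperty -Path $wl -Name Shell -Force }
        }
    }
}

# 3. Lockdown policies the variant sets to 1. The Internet Settings\Zones values
#    (1400/1601 = 0) are left out: 0 is the default there, so they do not discriminate.
$policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Names = 'DisableTaskMgr', 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Names = 'NoDesktop', 'NoWinKeys' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Names = 'HideIcons' }
)
foreach ($p in $policies) {
    if (-not (Test-Path $p.Path)) { continue }
    $props = Get-ItemProperty -Path $p.Path
    foreach ($n in $p.Names) {
        if ($props.PSObject.Properties[$n] -and $props.$n -eq 1) {
            $findings.Add("$($p.Path)\$n = 1")
            if ($Remediate) { Remove-ItemProperty -Path $p.Path -Name $n -Force }
        }
    }
}

# 4. Dropped injector (3072 B on the page) and the processes it is mapped into.
#    A mapped DLL cannot be deleted, so the hosting PIDs are reported instead.
$dll = Join-Path $env:APPDATA 'kb.dll'
if (Test-Path $dll) {
    $hostPids = foreach ($proc in Get-Process) {
        try { if ($proc.Modules.FileName -contains $dll) { $proc.Id } } catch { }
    }
    $findings.Add("$dll ($((Get-Item $dll).Length) B) loaded in PIDs: $($hostPids -join ', ')")
}

# 5. Heuristic (assumed): executables directly in %APPDATA% are candidates for the
#    %variable%.exe copy, whose name is not known in advance.
Get-ChildItem -Path $env:APPDATA -Filter *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("candidate dropper: $($_.FullName) ($($_.Length) B)") }

# 6. SafeBoot keys; if they are gone, Safe Mode will not boot and they must be
#    restored from a clean system of the same Windows version.
foreach ($sb in 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot',
                'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
                'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network') {
    if (-not (Test-Path $sb)) { $findings.Add("missing key: $sb") }
}

if ($findings.Count -eq 0) { Write-Output 'No Win32/LockScreen.AKR artifacts found.' }
else { $findings | ForEach-Object { Write-Output "FOUND: $_" } }
```

Because the locker blocks keyboard and mouse input and may have removed the SafeBoot keys, the practical way to run this on an infected machine is through PowerShell remoting or from an offline boot with the hives loaded via reg load, in which case the HKLM:/HKCU: paths have to be pointed at the mounted hive instead. Remediation only reverts the registry changes; the dropper in %APPDATA% and kb.dll still have to be removed after the processes holding them are stopped.
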

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of three URLs and communicates with them over HTTP.


The trojan displays a dialog box that asks the user to pay a certain amount of money via the Paysafecard payment service in order to regain access to the operating system.


The trojan blocks keyboard and mouse input.


The trojan checks for Internet connectivity by trying to connect to the following servers:

  • www.ask.com

The trojan executes the following commands:

  • ipconfig /flushdns
  • ipconfig /renew
