Win32/LockScreen [Threat Name]

Win32/LockScreen.AQ [Threat Variant Name]

Category: trojan
Size: 43520 B
Detection created: Jul 08, 2009
Detection database version: 4225
Aliases: Trojan-Ransom.Win32.SMSer.ex (Kaspersky), Trojan.Horse (Symantec), Trojan.Packed.541 (Dr.Web)

Short description

Win32/LockScreen.AQ is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the trojan removes itself from the computer.

Installation

When executed, the trojan copies itself into the following location:

  • %windir%\Help\hlp.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "sound" = "%windir%\Help\hlp.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%windir%\Help\hlp.exe"
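
The two autostart entries above can be checked in collected `reg query` output. The following triage script is an added example, not part of the original description; its function names, the sample output and the default `C:\Windows` value for %windir% are assumptions. It goes slightly beyond the entries listed here by also flagging any Userinit entry other than the Windows default `%windir%\system32\userinit.exe`.

```python
import ntpath
import re

# Indicators from the description above; key and value names compare case-insensitively.
DROPPED = r"%windir%\Help\hlp.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample of `reg query` output from an infected host (not real data).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    sound    REG_SZ    C:\WINDOWS\Help\hlp.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\Help\hlp.exe
"""

def parse_reg_query(text):
    """Parse `reg query` output into {key: {value_name: data}}, names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            m = re.match(r"\s+(.+?)\s+REG_\w+\s*(.*)$", line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip()
    return keys

def norm(path, windir):
    """Expand %windir%, strip quotes, normalise case and separators."""
    path = re.sub(r"%(windir|systemroot)%", lambda _: windir, path.strip().strip('"'), flags=re.I)
    return ntpath.normcase(ntpath.normpath(path))

def check(reg_text, windir=r"C:\Windows"):
    """Return findings for the Run and Winlogon autostart entries."""
    keys, target = parse_reg_query(reg_text), norm(DROPPED, windir)
    legit = norm(r"%windir%\system32\userinit.exe", windir)
    findings = []
    sound = keys.get(RUN_KEY.lower(), {}).get("sound")
    if sound is not None and norm(sound, windir) == target:
        findings.append("Run\\sound -> " + sound)
    userinit = keys.get(WINLOGON_KEY.lower(), {}).get("userinit", "")
    # Userinit is a comma-separated list; the default has a trailing comma.
    for entry in filter(None, (e.strip() for e in userinit.split(","))):
        if norm(entry, windir) == target:
            findings.append("Winlogon\\Userinit matches trojan path -> " + entry)
        elif norm(entry, windir) != legit:
            findings.append("Winlogon\\Userinit non-default -> " + entry)
    return findings
```

`check(SAMPLE)` returns one finding for each of the two entries. On a live host the input text can be produced by running `reg query` against the Run and Winlogon keys and concatenating the output.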

Other information

The trojan displays the following dialog box:

When the correct password is entered the trojan removes itself from the computer.


The password to regain access to the operating system is one of the following:

  • 5748839

The trojan disables the following key combinations: ALT + F4.


The trojan creates the following files:

  • c:\del.bat
  • %windir%\Help\tm
