Win32/LockScreen [Threat Name]

Win32/LockScreen.AQT [Threat Variant Name]

Category trojan
Size 36632 B
Detection created Feb 26, 2013
Detection database version 8051
Aliases Trojan-Downloader.Win32.Dofoil.plc (Kaspersky)
  Trojan:Win32/Tobfy.S (Microsoft)
  Win32:Dofoil-CP (Avast)
Short description

Win32/LockScreen.AQT is a trojan that blocks access to the Windows operating system. To regain access to the operating system, the user is requested to comply with the given conditions in exchange for a password or instructions.

Installation

When executed, the trojan copies itself to the following location:

  • %commonappdata%\SystemRoot.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "DisplaySwitch" = "%commonappdata%\SystemRoot.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "DisplaySwitch" = "%commonappdata%\SystemRoot.exe"

The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "%commonappdata%\SystemRoot.exe"
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot]
    • "AlternateShell" = "%commonappdata%\SystemRoot.exe"

The trojan creates and runs a new thread with its own program code within the following processes:

  • svchost.exe
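
The persistence points listed above can be audited from a defender's side. The following PowerShell script is an added example, not part of the ESET description: it reads each Registry location and file path named in the Installation section and reports anything that deviates from a normal Windows configuration. It assumes (from standard Windows, not from this page) that the expected Winlogon "Shell" value is explorer.exe and the expected SafeBoot "AlternateShell" value is cmd.exe.

```powershell
# Added example: read-only audit of the Win32/LockScreen.AQT persistence locations.
# Run from an elevated PowerShell session. It reports findings; it does not remediate.
# Assumptions (not from the ESET page): normal Winlogon Shell is "explorer.exe",
# normal SafeBoot AlternateShell is "cmd.exe".

$findings = New-Object System.Collections.Generic.List[string]

# %commonappdata% resolves to the CommonApplicationData folder (e.g. C:\ProgramData)
$dropper = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'SystemRoot.exe'

# 1. Dropped copy of the trojan
if (Test-Path -LiteralPath $dropper) {
    $findings.Add("Dropped file present: $dropper")
}

# 2. Run-key persistence under the value name "DisplaySwitch", in HKLM and HKCU
foreach ($hive in 'HKLM:', 'HKCU:') {
    $runKey = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $val = (Get-ItemProperty -Path $runKey -Name 'DisplaySwitch' -ErrorAction SilentlyContinue).DisplaySwitch
    if ($val) { $findings.Add("Run value $runKey\DisplaySwitch = $val") }
}

# 3. Winlogon Shell hijack: any value other than explorer.exe is suspicious
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name 'Shell' -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings.Add("Winlogon Shell = $shell") }

# 4. SafeBoot tampering: AlternateShell replaced, or the Minimal/Network subkeys deleted
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$alt = (Get-ItemProperty -Path $safeBoot -Name 'AlternateShell' -ErrorAction SilentlyContinue).AlternateShell
if ($alt -and $alt -ne 'cmd.exe') { $findings.Add("SafeBoot AlternateShell = $alt") }
foreach ($sub in 'Minimal', 'Network') {
    if (-not (Test-Path -LiteralPath "$safeBoot\$sub")) {
        $findings.Add("SafeBoot\$sub key is missing (Safe Mode cannot load its driver/service list)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No LockScreen.AQT persistence indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The Run-key value name and the Winlogon and SafeBoot checks are the ones this variant is described as using; a legitimate host should report none of them.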

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 2 URLs. The HTTP protocol is used.

The performed action depends entirely on the data the trojan receives from the Internet.

The following programs are terminated:

  • taskmgr.exe
  • cmd.exe
  • regedit.exe
  • OllyDBG.exe
  • SystemExplorer.exe
  • a2cmd.exe
  • start.exe
  • msconfig.exe
  • iexplore.exe
  • rstrui.exe
  • firefox.exe
  • chrome.exe
  • opera.exe
  • safari.exe

The trojan terminates any program that creates a window whose name contains any of the following strings:

  • Program Manager
