Win32/LockScreen [Threat Name]

Win32/LockScreen.BFL [Threat Variant Name]

Category trojan
Size 88064 B
Detection created Feb 20, 2014
Detection database version 9448
Aliases Trojan-Ransom.Win32.Blocker.dvof (Kaspersky)
Short description

Win32/LockScreen.BFL is a trojan that blocks access to the Windows operating system.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\usrinit.exe

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%system%\Userinit.exe, %system%\usrinit.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "%system%\usrinit.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Userinit" = "%system%\usrinit.exe"

This causes the trojan to be executed on every system start.

Payload information

After a certain time delay, the trojan blocks access to the operating system.

To regain access to the operating system, the user is asked to send information or a certain amount of money via the Payment Kiosk payment service.

When the correct password is entered, the trojan is deactivated.

The trojan displays the following dialog box:

Information stealing

The trojan collects the following information:

  • operating system version

The trojan attempts to send the gathered information to a remote machine.

The trojan contains a URL address. The HTTP protocol is used in the communication.

Other information

The trojan can modify the following file:

  • %systemdrive%\ntldr

The trojan may execute the following commands:

  • %system%\cmd.exe /K "bcdedit /set bootems off"
  • %system%\cmd.exe /K "bcdedit /set advancedoptions off"
  • %system%\cmd.exe /K "bcdedit /set optionsedit off"
  • %system%\cmd.exe /K "bcdedit /set bootstatuspolicy IgnoreAllFailures"
  • %system%\cmd.exe /K "bcdedit /set recoveryenabled off"
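The following PowerShell script is an added example, not part of the ESET write-up, that audits a host for the persistence indicators listed under Installation (the Winlogon Userinit/Shell values, the HKCU Run value and the dropped usrinit.exe) and for the boot-configuration changes produced by the bcdedit commands listed above. The function name Test-LockScreenIndicators is hypothetical; the script assumes an English-locale bcdedit, whose output uses "Yes"/"No" for boolean elements, and that the legitimate Userinit value is the single entry %system%\userinit.exe. Run it from an elevated session.

```powershell
# Added example (not ESET's code): audit for Win32/LockScreen.BFL persistence and BCD tampering.
# Assumptions: English-locale bcdedit output; default Userinit is "<System32>\userinit.exe,".
function Test-LockScreenIndicators {
    $findings = [System.Collections.Generic.List[string]]::new()
    $sys32    = Join-Path $env:SystemRoot 'System32'

    # 1. HKLM Winlogon\Userinit normally holds only the legitimate userinit.exe (with a trailing comma).
    #    LockScreen appends a second, look-alike entry (usrinit.exe) after it.
    $hklmWinlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $hklmWinlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if ($userinit) {
        $entries = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($e in $entries) {
            if ($e -ne (Join-Path $sys32 'userinit.exe')) {
                $findings.Add("HKLM Winlogon\Userinit has unexpected entry: $e")
            }
        }
    }

    # 2. Per-user Winlogon overrides. Shell/Userinit under HKCU are normally absent;
    #    the write-up lists Shell being pointed at the dropped file.
    $hkcuWinlogon = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($name in 'Shell', 'Userinit') {
        $v = (Get-ItemProperty -Path $hkcuWinlogon -Name $name -ErrorAction SilentlyContinue).$name
        if ($v) { $findings.Add("HKCU Winlogon\$name is set (normally absent): $v") }
    }

    # 3. Run key value named "Userinit", as listed in the write-up.
    $run = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runVal = (Get-ItemProperty -Path $run -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if ($runVal) { $findings.Add("HKCU Run\Userinit present: $runVal") }

    # 4. The dropped file differs from the legitimate userinit.exe by a single missing letter.
    $dropped = Join-Path $sys32 'usrinit.exe'
    if (Test-Path -LiteralPath $dropped) { $findings.Add("File present: $dropped") }

    # 5. Boot configuration. Each bcdedit command in the write-up sets one of these elements;
    #    the values below are what the commands leave behind on an English-locale system.
    $expectedTampered = @{
        'bootems'          = 'No'
        'advancedoptions'  = 'No'
        'optionsedit'      = 'No'
        'bootstatuspolicy' = 'IgnoreAllFailures'
        'recoveryenabled'  = 'No'
    }
    $bcd = & bcdedit /enum '{current}' 2>$null
    if ($bcd) {
        foreach ($element in $expectedTampered.Keys) {
            foreach ($line in $bcd) {
                if ($line -match "^\s*$element\s+(\S+)\s*$" -and $Matches[1] -ieq $expectedTampered[$element]) {
                    $findings.Add("BCD {current}: $element = $($Matches[1])")
                }
            }
        }
    } else {
        $findings.Add('bcdedit returned no output (run elevated to check boot configuration)')
    }

    return $findings
}

$result = Test-LockScreenIndicators
if ($result.Count -eq 0) {
    Write-Output 'No LockScreen.BFL indicators found.'
} else {
    $result | ForEach-Object { Write-Output "[!] $_" }
}
```

A single BCD element such as recoveryenabled = No is not proof of infection on its own (administrators set it deliberately), but several of the listed elements changed together, alongside a Winlogon Userinit value with a second entry, matches the behaviour described on this page and is worth escalating.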
