Win32/LockScreen [Threat Name]

Win32/LockScreen.BNN [Threat Variant Name]

Category trojan
Size 816776 B
Detection created Feb 11, 2016
Detection database version 13015
Aliases Trojan-Ransom.Win32.Agent.inu (Kaspersky)
  Trojan.Ransomlock.AN (Symantec)
  ScreenLocker.DED (AVG)
Short description

Win32/LockScreen.BNN is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "SD" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "SD" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "SD" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "SD" = "%malwarefilepath%"

The trojan schedules a task that causes the following file to be executed when a user logs in:

  • %malwarefilepath%
Information stealing

The trojan collects the following information:

  • information about the operating system and system settings
  • external IP address of the network device

The trojan attempts to send gathered information to a remote machine.

Other information

Win32/LockScreen.BNN is a trojan that blocks access to the Windows operating system.

To regain access to the operating system the user is asked to send information or a certain amount of money via the OneVanilla Card or Bitcoin payment services.


The trojan blocks keyboard and mouse input.


The trojan launches the following processes:

  • %mymusic%\Microsoft\Windows\Manifest\tor.exe -f torrc

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LocalBase]
    • "%variable1%" = "%variable2%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
    • "sd_ready" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\D9065B55F1FF613ECCA839F70A14A3C40EDD7303]
    • "Blob" = %binvalue%
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\D9065B55F1FF613ECCA839F70A14A3C40EDD7303]
    • "Blob" = %binvalue%
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "HideSCAHealth" = 1
    • "NoDrives" = 1
    • "NoViewContextMenu" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
    • "DefaultFileTypeRisk" = 24914
    • "LowRiskFileTypes" = ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"
    • "HideZoneInfoOnProperties" = 1
    • "SaveZoneInformation" = 2
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableChangePassword" = 1
    • "DisableLockWorkstation" = 1
    • "HideFastUserSwitching" = 1
    • "EnableLUA" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    • "IgnoreShiftOverride" = 1
    • "AllowMultipleTSSessions" = 0
  • [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore]
    • "DisableConfig" = 0

A string with variable content is used instead of %variable1-2%.


The trojan copies all subkeys and values from the following Registry key [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot] into [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBootCP].


The original Registry subkeys and values from [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot] are then deleted.
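As an added defender-side example (not ESET's code and not the trojan's), the following Python audits a registry snapshot for the "SD" Run/RunOnce persistence, the policy tampering and the SafeBoot relocation described above. It assumes the snapshot is a mapping shaped as {key path: {value name: value}}, for instance built from winreg or a `reg export` on a live host; the file path in the constructed sample is a placeholder.

```python
"""Audit a registry snapshot for the LockScreen.BNN artifacts listed on this page.
Runs offline against a constructed in-memory snapshot: {key_path: {name: value}}."""

HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
HKLM = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
HKLM_CCS = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control"

# A value named "SD" in any Run/RunOnce key is the persistence indicator on the page.
RUN_KEYS = [f"{hive}\\{sub}" for hive in (HKCU, HKLM) for sub in ("Run", "RunOnce")]

# Policy values the trojan sets to hide the lock and block the usual escape routes.
TAMPER = {
    f"{HKCU}\\Policies\\System": {"DisableTaskMgr": 1},
    f"{HKLM}\\Policies\\System": {"DisableChangePassword": 1, "DisableLockWorkstation": 1,
                                  "HideFastUserSwitching": 1, "EnableLUA": 0},
    f"{HKLM}\\Policies\\Explorer": {"HideSCAHealth": 1, "NoDrives": 1, "NoViewContextMenu": 1},
    f"{HKLM}\\Winlogon": {"IgnoreShiftOverride": 1, "AllowMultipleTSSessions": 0},
    f"{HKCU}\\ThemeManager": {"sd_ready": 1},
}


def audit(snapshot):
    """Return a sorted list of finding strings; an empty list means no indicators."""
    findings = []
    for key in RUN_KEYS:
        if "SD" in snapshot.get(key, {}):
            findings.append(f"persistence: {key}\\SD = {snapshot[key]['SD']}")
    for key, expected in TAMPER.items():
        present = snapshot.get(key, {})
        for name, bad in expected.items():
            if present.get(name) == bad:
                findings.append(f"policy tamper: {key}\\{name} = {bad}")
    # SafeBoot copied to SafeBootCP and the original deleted: Safe Mode no longer works.
    if f"{HKLM_CCS}\\SafeBootCP" in snapshot and f"{HKLM_CCS}\\SafeBoot" not in snapshot:
        findings.append("safe mode disabled: SafeBoot subkeys moved to SafeBootCP")
    return sorted(findings)


# Constructed snapshot of an infected host; the executable path is a placeholder.
SAMPLE_INFECTED = {
    f"{HKCU}\\Run": {"SD": r"C:\Users\user\AppData\Local\Temp\sd.exe"},
    f"{HKLM}\\Run": {"SD": r"C:\Users\user\AppData\Local\Temp\sd.exe"},
    f"{HKCU}\\Policies\\System": {"DisableTaskMgr": 1},
    f"{HKLM}\\Policies\\System": {"EnableLUA": 0, "DisableLockWorkstation": 1},
    f"{HKLM_CCS}\\SafeBootCP": {"AlternateShell": "cmd.exe"},
}
# Constructed snapshot of a clean host: SafeBoot present, UAC on, no "SD" value.
SAMPLE_CLEAN = {
    f"{HKLM}\\Run": {"SecurityHealth": "SecurityHealthSystray.exe"},
    f"{HKLM}\\Policies\\System": {"EnableLUA": 1},
    f"{HKLM_CCS}\\SafeBoot": {"AlternateShell": "cmd.exe"},
}
```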


The trojan may execute the following commands:

  • bcdedit /set {bootmgr} displaybootmenu off
  • bcdedit /set {current} bootstatuspolicy IgnoreAllFailures
  • bcdedit /set {current} recoveryenabled off
  • bcdedit /set {current} bootems off
  • bcdedit /set {current} advancedoptions off

The trojan hides windows of running processes which contain any of the following strings in their title:

  • Program Manager
  • Shell_TrayWnd
  • TrayNotifyWnd
  • TrayClockWClass
  • ToolbarWindow32
  • ReBarWindow32
  • MSTaskSwWClass
  • Progman
  • SHELLDLL_DefView

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of URLs. The HTTP, HTTPS and Tor protocols are used in the communication.


It may perform the following actions:

  • update itself to a newer version
  • lock/unlock access to the operating system
  • remove itself from the infected computer
  • send gathered information
