Win32/LockScreen [Threat Name]

Win32/LockScreen.DA [Threat Variant Name]

Category trojan
Size 229376 B
Detection created Nov 09, 2009
Detection database version 4589
Aliases Trojan-Ransom.Win32.VB.bw (Kaspersky)
  Gen:Trojan.Heur.om0@rny44Fliy (F-Secure)
Short description

Win32/LockScreen.DA is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the trojan removes itself from the computer.

Installation

When executed, the trojan copies itself into the following location:

  • %windir%\system32\Winlog.exe

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "winlog.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "Userinit.exe, winlog.exe"

This causes the trojan to be executed on every system start.
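
A check for the Winlogon changes listed above, as an added example that is not part of the original description: it parses the output of `reg query` on the Winlogon key and reports any Shell or Userinit entry other than the stock explorer.exe and userinit.exe. The two sample outputs are constructed, and the function and constant names are hypothetical.

```python
import ntpath
import re

# Stock Winlogon values on a clean Windows install, compared by file name only.
EXPECTED = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

# One value line of `reg query` output: indented name, type, data.
VALUE_LINE = re.compile(r"\s+(.+?)\s{2,}(REG_\w+)\s*(.*)$")

def parse_reg_query(text):
    """Return {value name (lowercase): data} from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values

def unexpected_entries(values):
    """List (value, entry) pairs that are not part of the stock configuration."""
    findings = []
    for name, allowed in EXPECTED.items():
        # Both values may hold a comma-separated list; Userinit normally ends in ",".
        for entry in values.get(name, "").split(","):
            entry = entry.strip().strip('"')
            if entry and ntpath.basename(entry).lower() not in allowed:
                findings.append((name, entry))
    return findings

# Constructed sample: the key as it would look with the values listed above.
INFECTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    winlog.exe
    Userinit    REG_SZ    Userinit.exe, winlog.exe
"""

# Constructed sample: stock values.
CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
"""

if __name__ == "__main__":
    for label, sample in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, unexpected_entries(parse_reg_query(sample)))
```

Because entries are compared by file name only, a program named explorer.exe or userinit.exe in a non-standard directory would not be reported; the full path should be reviewed separately.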

Other information

The trojan displays the following dialog box:

When the correct password is entered the trojan removes itself from the computer.


Data for unblocking access to the operating system is stored in the following files:

  • %windir%\system32\pass
  • %windir%\system32\text
  • %windir%\system32\numb

If the files don't exist, the password to regain access to the operating system is one of the following:

  • Text6

The trojan executes the following command:

  • taskkill.exe /f /im explorer.exe

The following programs are terminated:

  • taskmgr.exe

The trojan may create the following files:

  • del.bat
