Win32/LockScreen [Threat Name]

Win32/LockScreen.P [Threat Variant Name]

Category: trojan
Size: 163840 B
Detection created: Jun 03, 2009
Detection database version: 4127
Aliases: Backdoor.Win32.Agent.agvr (Kaspersky), Trojan.Horse (Symantec), Generic.BackDoor!bg (McAfee)
Short description

Win32/LockScreen.P is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the trojan removes itself from the computer.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\w4ssl.exe (163840 B)

The trojan creates the following files:

  • %system%\hk.dll (7168 B)
  • %system%\sysinit.exe (24576 B)
  • %system%\pdctrl32.sys (3200 B)
  • %temp%\delself.bat

The trojan modifies the following file:

  • %system%\userinit.exe

The trojan installs the following system driver:

  • %system%\pdctrl32.sys (3200 B)

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOGONHIDER\0000\Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "WinLogonHider"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOGONHIDER\0000]
    • "Service" = "WinLogonHider"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "WinLogonHider"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOGONHIDER]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinLogonHider\Enum]
    • "0" = "Root\LEGACY_WINLOGONHIDER\0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinLogonHider\Security]
    • "Security" = %hex_value%
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinLogonHider]
    • "Type" = 1
    • "Start" = 3
    • "ErrorControl" = 1
    • "ImagePath" = "%system%\pdctrl32.sys"
    • "DisplayName" = "WinLogonHider"

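As an added example (not ESET's code and not part of this description), the following Python script turns the file and registry indicators listed above into a triage check: it parses a registry export in the "Windows Registry Editor Version 5.00" text format and a list of file paths collected from a host, and reports which Win32/LockScreen.P artifacts are present. The sample export and file list are constructed, and %system% is assumed to resolve to C:\WINDOWS\system32.

```python
# Added triage check (not ESET's code) for the Win32/LockScreen.P artifacts
# listed above: a .reg text export plus collected file paths go in, findings come out.

SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinLogonHider"
DROPPED_FILES = {"w4ssl.exe", "hk.dll", "sysinit.exe", "pdctrl32.sys"}

def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from 'Windows Registry Editor Version 5.00' text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            # .reg strings are quoted and escape each backslash as "\\"
            keys[current][name.strip('"')] = value.strip('"').replace("\\\\", "\\")
    return keys

def check_lockscreen(reg_text, file_paths):
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    svc = parse_reg_export(reg_text).get(SERVICE_KEY)
    if svc is not None:
        if svc.get("ImagePath", "").lower().endswith("pdctrl32.sys"):
            findings.append("service WinLogonHider loads pdctrl32.sys")
        # Type=1 is a kernel-mode driver; .reg exports DWORDs as 8 hex digits
        if svc.get("Type") == "dword:00000001":
            findings.append("WinLogonHider is registered as a kernel driver (Type=1)")
    for path in file_paths:  # %system% assumed to be <windir>\system32 here
        name = path.rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILES and "\\system32\\" in path.lower():
            findings.append(f"dropped file present: {path}")
    return findings

# Constructed sample input (not real collected data) showing an infected host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinLogonHider]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="C:\\WINDOWS\\system32\\pdctrl32.sys"
"DisplayName"="WinLogonHider"
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\w4ssl.exe",
    r"C:\WINDOWS\system32\hk.dll",
    r"C:\WINDOWS\system32\pdctrl32.sys",
    r"C:\WINDOWS\system32\notepad.exe",  # benign, must not be flagged
]
```

Running check_lockscreen(SAMPLE_REG, SAMPLE_FILES) yields five findings (the service and driver entries plus the three dropped files); a clean export and a benign file list yield none.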
Other information

The trojan displays the following dialog box:

When the correct password is entered the trojan removes itself from the computer.

The password to regain access to the operating system is one of the following:

  • user7645
