Win32/LockScreen [Threat Name]

Win32/LockScreen.QK [Threat Variant Name]

Category: trojan
Size: 353792 B
Detection created: Mar 25, 2010
Detection database version: 4975
Aliases: TROJ_GEN.R29C3HD (TrendMicro)
Short description

Win32/LockScreen.QK is a trojan that blocks access to the Windows operating system. To regain access to the operating system, the user is asked to send an SMS message to a specified telephone number. The text of the SMS is unique for each infected PC. After the SMS message is sent, the trojan deactivates itself (it does not remove itself).

Installation

When executed, the trojan creates the following files:

  • %temp%\FlashPlayerUpdate\FlashPlayerUpdate.exe
  • %temp%\FlashPlayerUpdate\InstallParams.lst

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "%temp%\FlashPlayerUpdate\FlashPlayerUpdate.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{219D65B1-AB02-4F4F-AF05-C123CB1D58E9}]
    • "DisplayIcon" = "%temp%\FlashPlayerUpdate\FlashPlayerUpdate.exe"
    • "DisplayName" = "Advertising-Modul Reklopay"
    • "UninstallString" = "%temp%\FlashPlayerUpdate\FlashPlayerUpdate.exe -uninstall"

Other information

Win32/LockScreen.QK is a trojan that blocks access to the Windows operating system.

To regain access to the operating system, the user is asked to send an SMS message to a specified telephone number.

The text of the SMS is unique for each infected PC.

The trojan displays the following dialog box:

The trojan may display the following message:

After the SMS message is sent, the trojan deactivates itself (it does not remove itself).


The trojan may create the following files:

  • %appdata%\FlashPlayerUpdate\FlashPlayerUpdate.ini
  • %temp%\FlashPlayerUpdate\sk.lst

The trojan interferes with the operation of some security applications to avoid detection.


The following services are disabled:

  • Automatic LiveUpdate Scheduler
  • ccEvtMgr
  • ccProxy
  • ccPwdSvc
  • ccSetMgr
  • CLTNetCnService
  • ISPwdSvc
  • LiveUpdate Notice
  • LiveUpdate
  • navapsvc
  • NPFMntor
  • NSCService
  • SAVScan
  • SBService
  • SNDSrvc
  • SPBBCSvc
  • Symantec Core LC
  • SymAppCore

The trojan may execute the following commands:

  • "net.exe" stop "Norton 360"

The following programs are terminated:

  • BearShare.exe
  • LimeWire.exe

The trojan connects to the following addresses:

  • http://yuotbne.com

The trojan can clear the contents of the clipboard.
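The indicators listed in the Installation and Other information sections (the Winlogon "Shell" value, the uninstall key, the dropped files and the disabled security services) can be checked on a suspect host with the following read-only triage script. This is an added example, not code from the entry above or from the vendor that published it; it assumes an elevated Windows PowerShell session (3.0 or later) and uses only the paths, key names, GUID and service names stated in the entry. The output format and the variable names are the example's own.

```powershell
# Added triage example; not part of the threat entry above. Read-only: it reports
# indicators, it does not clean anything. Run from an elevated Windows PowerShell
# session. The %temp% and %appdata% paths in the entry belong to the infected user's
# profile, so run the script as that user (or adjust the paths); $env:TEMP and
# $env:APPDATA below are those of the session running the script.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon Shell persistence: on a normal workstation the value is "explorer.exe".
#    Anything else (here: an executable under %temp%) is the primary indicator.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ine 'explorer.exe') {
    $findings.Add("Winlogon Shell is '$shell' (expected 'explorer.exe')")
}

# 2. The uninstall entry the trojan registers (GUID as given in the entry).
$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{219D65B1-AB02-4F4F-AF05-C123CB1D58E9}'
if (Test-Path -LiteralPath $uninstallKey) {
    $props = Get-ItemProperty -LiteralPath $uninstallKey
    $findings.Add("Uninstall key present: DisplayName='$($props.DisplayName)' UninstallString='$($props.UninstallString)'")
}

# 3. Dropped files; hash anything found so it can be cross-checked or submitted.
$filePaths = @(
    (Join-Path $env:TEMP    'FlashPlayerUpdate\FlashPlayerUpdate.exe'),
    (Join-Path $env:TEMP    'FlashPlayerUpdate\InstallParams.lst'),
    (Join-Path $env:TEMP    'FlashPlayerUpdate\sk.lst'),
    (Join-Path $env:APPDATA 'FlashPlayerUpdate\FlashPlayerUpdate.ini')
)
foreach ($path in $filePaths) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("File present: $path (SHA256 $hash)")
    }
}

# 4. Security services the trojan disables. The entry mixes service names and
#    display names, so match on both and report any that exist but are Disabled.
$targetServices = @(
    'Automatic LiveUpdate Scheduler', 'ccEvtMgr', 'ccProxy', 'ccPwdSvc', 'ccSetMgr',
    'CLTNetCnService', 'ISPwdSvc', 'LiveUpdate Notice', 'LiveUpdate', 'navapsvc',
    'NPFMntor', 'NSCService', 'SAVScan', 'SBService', 'SNDSrvc', 'SPBBCSvc',
    'Symantec Core LC', 'SymAppCore'
)
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $listed = ($targetServices -contains $svc.Name) -or ($targetServices -contains $svc.DisplayName)
    if ($listed -and $svc.StartMode -eq 'Disabled') {
        $findings.Add("Service '$($svc.Name)' ($($svc.DisplayName)) is Disabled")
    }
}

# 5. Report.
if ($findings.Count -eq 0) {
    Write-Output 'No Win32/LockScreen.QK indicators found.'
} else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Save it as a .ps1 file and run it with `powershell -ExecutionPolicy Bypass -File <file>.ps1`. A Winlogon "Shell" value other than explorer.exe is the decisive check: the other items confirm the variant, but any unexpected shell executable warrants investigation on its own. The one legitimate case to rule out is a kiosk or single-application machine where an administrator set "Shell" deliberately, which is why the script reports rather than reverts the value. Because the lock screen runs in place of the shell, the script is most usefully run from a second account, from Safe Mode, or from a remote PowerShell session rather than on the locked desktop itself.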
