Win32/LockScreen [Threat Name]

Win32/LockScreen.QL [Threat Variant Name]

Category: trojan
Size: 718336 B
Detection created: Mar 25, 2010
Detection database version: 4975
Aliases: AdWare.Win32.RekloPay.f (Kaspersky), TROJ_GEN.R29C3G4 (TrendMicro)

Short description

Win32/LockScreen.QL is a trojan that blocks access to the Windows operating system. To regain access to the operating system, the user is asked to send an SMS message to a specified telephone number. The text of the SMS is unique for each infected PC. After the SMS message is sent, the trojan deactivates itself but does not remove itself.

Installation

The trojan does not create any copies of itself.


The trojan creates the following file:

  • %startup%\rklp.lnk

The file is a shortcut to a malicious file.


This causes the trojan to be executed on every system start.

Other information

Win32/LockScreen.QL is a trojan that blocks access to the Windows operating system.


To regain access to the operating system the user is asked to send an SMS message to a specified telephone number.


After the SMS message is sent, the trojan deactivates itself but does not remove itself.


The text of the SMS is unique for each infected PC.


The trojan displays the following dialog boxes:

The trojan may create the following files:

  • %malwarefolder%\InstallParams.lst
  • %malwarefolder%\sk.lst
  • %appdata%\rklp\rklp.ini

The trojan connects to the following addresses:

  • http://reklopay.ru
  • http://antivirus360.ru

The trojan can download and execute a file from the Internet.


The file is stored in the following location:

  • %temp%\setup_%variable%.exe

A string with variable content is used instead of %variable%.
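
A triage sweep for the file artifacts listed in this description, as an added example that is not part of the original write-up or any vendor tool. The function names, the confidence labels, the `candidate_dirs` parameter and the mapping of %startup% to the per-user Startup folder under %APPDATA% are assumptions made for the example.

```python
import os
from pathlib import Path

# Artifact paths taken from the description above, relative to the named folder.
FIXED_ARTIFACTS = {
    "startup": ["rklp.lnk"],
    "appdata": ["rklp/rklp.ini"],
}
# File names the description places in %malwarefolder% (the trojan's own folder).
MALWAREFOLDER_NAMES = {"installparams.lst", "sk.lst"}


def sweep(startup, appdata, temp, candidate_dirs=()):
    """Return a list of (confidence, path) hits for the listed artifacts."""
    roots = {"startup": Path(startup), "appdata": Path(appdata)}
    hits = []
    for key, rel_paths in FIXED_ARTIFACTS.items():
        for rel in rel_paths:
            p = roots[key] / rel
            if p.is_file():
                hits.append(("high", str(p)))
    # %temp%\setup_%variable%.exe: the pattern also matches legitimate
    # installers, so report it as low confidence for manual review.
    for p in sorted(Path(temp).glob("setup_*.exe")):
        if p.is_file():
            hits.append(("low", str(p)))
    # A directory holding both .lst files is a candidate %malwarefolder%.
    for d in candidate_dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        names = {e.name.lower() for e in d.iterdir() if e.is_file()}
        if MALWAREFOLDER_NAMES <= names:
            hits.append(("high", str(d)))
    return hits


def default_locations():
    """Assumed mapping of %startup%, %appdata%, %temp% for the current user."""
    appdata = os.environ.get("APPDATA", "")
    startup = os.path.join(appdata, "Microsoft", "Windows", "Start Menu",
                           "Programs", "Startup")
    return startup, appdata, os.environ.get("TEMP", "")


if __name__ == "__main__":
    for confidence, path in sweep(*default_locations()):
        print(f"{confidence:4}  {path}")
```

A hit on `rklp.lnk` is worth following up by resolving the shortcut's target, since the description states it points to the malicious file and that file's folder is the %malwarefolder% to pass in `candidate_dirs`.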
