MSIL/LockScreen [Threat Name] go to Threat

MSIL/LockScreen.A [Threat Variant Name]

Category trojan
Size 65536 B
Short description

MSIL/LockScreen.A is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the trojan is deactivated.

Installation

The trojan is probably a part of other malware.


The trojan does not create any copies of itself.


The trojan may create copies of the following files (source, destination):

  • c:\­windows\­down\­driver.exe, c:\­windows\­graphic\­driver.exe

The following files are deleted:

  • c:\­windows\­down\­driver.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "graphic" = "c:\­windows\­graphic\­driver.exe"
Other information

The trojan displays the following dialog box:

When the correct password is entered the trojan is deactivated.


The password to regain access to the operating system is one of the following:

  • kWPi

Some examples follow.

The trojan creates the following files:

  • c:\­windows\­graphic\­startdvr.dll
  • c:\­windows\­graphic\­starttim.dll

Trojan requires the Microsoft .NET Framework to run.

Please enable Javascript to ensure correct displaying of this content and refresh this page.