Win32/LockScreen [Threat Name]

Win32/LockScreen.AGM [Threat Variant Name]

Category trojan
Size 93184 B
Detection created Apr 19, 2011
Detection database version 6054
Aliases Trojan-Ransom.Win32.Timer.gyg (Kaspersky)
  Trojan:Win32/Ransom.DN (Microsoft)
Short description

Win32/LockScreen.AGM is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send a certain amount of money to a specific bank account in exchange for the password. When the correct password is entered the trojan removes itself from the computer.

Installation

When executed, the trojan copies itself into the following location:

  • %userprofile%\844610680.exe

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%system\userinit.exe, %userprofile%\844610680.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "844610680" = "%userprofile%\844610680.exe"

This way the trojan ensures that the file is executed on every system start.
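
A defensive check for the two persistence entries listed above, as an added example that is not ESET's code: it flags anything chained after userinit.exe in the Winlogon Userinit value, and Run values named after an executable sitting directly in the profile root. The function names, the user "alice" and the sample registry values are constructed assumptions.

```python
import ntpath  # Windows path parsing that also works on non-Windows analysis hosts


def extra_userinit_entries(userinit_value):
    """Return every Userinit entry that is not <system dir>\\userinit.exe."""
    extras = []
    for entry in userinit_value.split(","):
        path = entry.strip().strip('"')
        if not path:
            continue  # the clean default value ends with a trailing comma
        is_default = (ntpath.basename(path).lower() == "userinit.exe"
                      and ntpath.dirname(path).lower().endswith("\\system32"))
        if not is_default:
            extras.append(path)
    return extras


def _program(data):
    """Extract the program path from a Run value, dropping arguments if quoted."""
    data = data.strip()
    return data[1:].split('"', 1)[0] if data.startswith('"') else data


def suspicious_run_entries(run_values, profile_dir):
    """Flag Run values named after an .exe placed directly in the profile root."""
    root = profile_dir.rstrip("\\").lower()
    hits = []
    for name, data in run_values.items():
        path = _program(data)
        stem, ext = ntpath.splitext(ntpath.basename(path))
        if (ext.lower() == ".exe" and stem.lower() == name.lower()
                and ntpath.dirname(path).lower() == root):
            hits.append((name, path))
    return hits


# Constructed sample values (user "alice" is hypothetical), shaped like the entries above.
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe, C:\Users\alice\844610680.exe"
SAMPLE_RUN = {
    "844610680": r"C:\Users\alice\844610680.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

if __name__ == "__main__":
    print("Userinit extras:", extra_userinit_entries(SAMPLE_USERINIT))
    print("Run hits:", suspicious_run_entries(SAMPLE_RUN, r"C:\Users\alice"))
```

On a live Windows host the inputs can be read with the standard-library winreg module (QueryValueEx for Userinit, EnumValue for the Run key) and passed to these functions unchanged.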


After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan displays the following dialog box:

When the correct password is entered the trojan removes itself from the computer.


The password to regain access to the operating system is one of the following:

  • FISHKI

The trojan blocks keyboard and mouse input.


The following programs are terminated:

  • taskmgr.exe

The trojan may restart the operating system.


The trojan may create the following files:

  • %temp%\%variable%.tmp
  • %userprofile%\r

A string with variable content is used instead of %variable%.
