Win32/LockScreen [Threat Name]

Win32/LockScreen.AJQ [Threat Variant Name]

Category trojan
Size 41984 B
Detection created Jan 16, 2012
Detection database version 6801
Aliases Trojan:Win32/Sisron (Microsoft)
  Trojan.Winlock.4508 (Dr.Web)

Short description

Win32/LockScreen.AJQ is a trojan that blocks access to the Windows operating system. To regain access to the operating system, the user is asked to send an SMS message to a specified telephone number in exchange for a password. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself to the following locations:

  • %mydocuments%\%variable1%.exe
  • %windir%\%variable2%.exe
  • %windir%\Temp\%variable3%.exe
  • %commonstartup%\%variable4%.exe
  • %startup%\%variable5%.exe

A string with variable content is used instead of %variable1-5%.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "AdobeUpdater" = "%mydocuments%\%variable1%.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "AdobeUpdater" = "%windir%\Temp\%variable3%.exe"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
    • "Debugger" = "%windir%\%variable2%.exe"
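
The persistence entries listed above can be checked for in a text registry export. The following Python sketch is an added example, not part of the original description and not vendor code; the sample export, the file names in it and the function name find_persistence are constructed for illustration, and only plain string values are parsed.

```python
import re

# Constructed sample in `reg export` text format; all file names are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\\Users\\alice\\Documents\\kqzvt.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\\Windows\\Temp\\wplmx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
"Debugger"="C:\\Windows\\hrbnq.exe"
'''

# Key suffixes (lower case) for the two mechanisms the description lists.
RUN_SUFFIX = r"\microsoft\windows\currentversion\run"
IFEO_USERINIT = (r"\microsoft\windows nt\currentversion"
                 r"\image file execution options\userinit.exe")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
# Autorun targets sitting directly in a Temp or Documents folder.
SUSPECT_DIR_RE = re.compile(r"\\(temp|documents|my documents)\\[^\\]+\.exe", re.I)

def find_persistence(reg_text):
    """Return (rule, key, value name, data) for each suspicious entry."""
    findings, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # dword/hex values and blank lines are skipped
        # Undo .reg escaping (\\ -> \ and \" -> ").
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        k = key.lower()
        if k.endswith(IFEO_USERINIT) and name.lower() == "debugger":
            # userinit.exe normally has no Debugger value at all.
            findings.append(("ifeo-userinit-debugger", key, name, data))
        elif k.endswith(RUN_SUFFIX) and SUSPECT_DIR_RE.search(data):
            findings.append(("run-from-user-or-temp-dir", key, name, data))
    return findings

if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_REG):
        print(finding)
```

Because the trojan's file names are variable, the check keys on the registry location and the target directory rather than on a file name.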

Other information

Win32/LockScreen.AJQ is a trojan that blocks access to the Windows operating system.


The trojan displays the following dialog box:

To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password.


The trojan blocks keyboard and mouse input.


The trojan terminates any program that creates a window containing any of the following strings in its name:

  • Windows Task Manager
