Win32/LockScreen [Threat Name]
Win32/LockScreen.AKR [Threat Variant Name]
Category | trojan
Size | 116224 B
Aliases | PWS-Zbot.gen.ut.trojan (McAfee); Trojan:Win32/Malagent (Microsoft)
Short description
Win32/LockScreen.AKR is a trojan that blocks access to the Windows operating system.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\%variable%.exe
%variable% stands for a string with variable content.
The trojan creates the following file:
- %appdata%\kb.dll (3072 B, Win32/LockScreen.AKR)
Libraries with the following names are injected into all running processes:
- kb.dll
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "Leadership Technologies" = "%appdata%\%variable%.exe"
- "videoLAN Media Lab" = "%appdata%\%variable%.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "Leadership Technologies" = "%appdata%\%variable%.exe"
- "videoLAN Media Lab" = "%appdata%\%variable%.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Shell" = "%appdata%\%variable%.exe"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Shell" = "%appdata%\%variable%.exe"
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
- "1400" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1400" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1400" = 0
- "1601" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- "DisableTaskMgr" = 1
- "DisableRegistryTools" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "NoDesktop" = 1
- "NoWinKeys" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "HideIcons" = 1
The trojan may delete the following Registry entries:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
- [HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\SafeBoot]
The following programs are terminated:
- explorer.exe
- taskmgr.exe
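As an added example (not part of the ESET description), the following PowerShell script audits a host for the Run entries, Winlogon Shell hijack, lockdown policy values, dropped kb.dll and missing SafeBoot key listed above, and only when -Remediate is given restores the defaults; it assumes the legitimate Winlogon Shell value is explorer.exe.

```powershell
# Added example (not ESET's code): audit, and with -Remediate undo, the registry
# persistence and lockdown values listed above for Win32/LockScreen.AKR.
# Run from an elevated PowerShell prompt; the default is report-only.
[CmdletBinding()]
param([switch]$Remediate)
$findings = @()
# Run-key values written under both hives.
$runNames = 'Leadership Technologies', 'videoLAN Media Lab'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $run = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    foreach ($name in $runNames) {
        $val = (Get-ItemProperty -Path $run -Name $name -ErrorAction SilentlyContinue).$name
        if ($val) {
            $findings += "$run\$name = $val"
            if ($Remediate) { Remove-ItemProperty -Path $run -Name $name }
        }
    }
    # Winlogon "Shell" hijack: anything other than explorer.exe is suspect (assumed default).
    $wl = "$hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        $findings += "$wl\Shell = $shell"
        if ($Remediate) { Set-ItemProperty -Path $wl -Name Shell -Value 'explorer.exe' }
    }
}
# Policy values the trojan sets to 1 to lock the user out of the desktop.
$lockdown = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = 'DisableTaskMgr', 'DisableRegistryTools'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = 'NoDesktop', 'NoWinKeys'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' = 'HideIcons'
}
foreach ($key in $lockdown.Keys) {
    foreach ($name in $lockdown[$key]) {
        $val = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($val -eq 1) {
            $findings += "$key\$name = 1"
            if ($Remediate) { Set-ItemProperty -Path $key -Name $name -Value 0 }
        }
    }
}
# Dropped injector DLL and the SafeBoot key the trojan may delete.
$dll = Join-Path $env:APPDATA 'kb.dll'
if (Test-Path $dll) { $findings += "file present: $dll" }
if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot')) { $findings += 'HKLM SafeBoot key missing' }
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Win32/LockScreen.AKR indicators found.' }
```

The script reports kb.dll and a missing SafeBoot key but does not delete the file or rebuild the key; those need an out-of-band clean (the DLL is loaded in running processes, and SafeBoot must be restored from a known-good system).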
Other information
Win32/LockScreen.AKR is a trojan that blocks access to the Windows operating system.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 3 URLs. The HTTP protocol is used.
The trojan displays the following dialog box:
To regain access to the operating system, the user is asked to send information or a certain amount of money via the Paysafecard payment service.
The trojan blocks keyboard and mouse input.
The trojan checks for Internet connectivity by trying to connect to the following servers:
- www.ask.com
The trojan executes the following commands:
- ipconfig /flushdns
- ipconfig /renew