Win32/LockScreen [Threat Name]
Win32/LockScreen.AQT [Threat Variant Name]
Category | trojan
Size     | 36632 B
Aliases  | Trojan-Downloader.Win32.Dofoil.plc (Kaspersky)
         | Trojan:Win32/Tobfy.S (Microsoft)
         | Win32:Dofoil-CP (Avast)
Short description
Win32/LockScreen.AQT is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is requested to comply with given conditions in exchange for a password/instructions.
Installation
When executed, the trojan copies itself to the following location:
- %commonappdata%\SystemRoot.exe
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "DisplaySwitch" = "%commonappdata%\SystemRoot.exe"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "DisplaySwitch" = "%commonappdata%\SystemRoot.exe"
The trojan may delete the following Registry entries:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Shell" = "%commonappdata%\SystemRoot.exe"
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot]
- "AlternateShell" = "%commonappdata%\SystemRoot.exe"
The trojan creates and runs a new thread with its own program code within the following processes:
- svchost.exe
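As an added defender-side check that is not part of this entry, the following PowerShell audit reads each persistence point listed above (the Run keys, the Winlogon Shell value, the SafeBoot AlternateShell value, the SafeBoot\Minimal and \Network keys, and the dropped file). It assumes %commonappdata% resolves to $env:ProgramData and that the clean defaults are Shell = explorer.exe and AlternateShell = cmd.exe.

```powershell
# Added audit script (not part of the ESET entry): read-only registry and file checks
# for the persistence points this variant is documented to use. Run elevated.
$target = Join-Path $env:ProgramData 'SystemRoot.exe'   # %commonappdata%\SystemRoot.exe
$findings = @()

# 1. Run keys in HKLM and HKCU: the entry uses the value name "DisplaySwitch"
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $val = (Get-ItemProperty -Path $key -Name 'DisplaySwitch' -ErrorAction SilentlyContinue).DisplaySwitch
    if ($val -and $val -like '*SystemRoot.exe*') {
        $findings += "Run key persistence: $key\DisplaySwitch = $val"
    }
}

# 2. Winlogon Shell: the clean default is explorer.exe (assumption stated in lead-in)
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
          -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += "Winlogon Shell replaced: $shell"
}

# 3. SafeBoot AlternateShell: the clean default is cmd.exe (assumption stated in lead-in)
$alt = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot' `
        -Name AlternateShell -ErrorAction SilentlyContinue).AlternateShell
if ($alt -and $alt -ne 'cmd.exe') {
    $findings += "SafeBoot AlternateShell replaced: $alt"
}

# 4. SafeBoot\Minimal and \Network: their deletion prevents booting into Safe Mode
foreach ($sub in 'Minimal', 'Network') {
    if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sub")) {
        $findings += "SafeBoot\$sub key missing (Safe Mode disabled)"
    }
}

# 5. The dropped copy itself
if (Test-Path $target) { $findings += "Dropped file present: $target" }

if ($findings.Count -eq 0) { 'No Win32/LockScreen.AQT persistence indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on items 2 to 4 matters even without the dropped file, since a missing SafeBoot key or a replaced shell leaves the system unable to recover through Safe Mode once the lock screen is active.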
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of two URLs. The HTTP protocol is used.
The performed action depends entirely on data the trojan receives from the Internet.
The following programs are terminated:
- taskmgr.exe
- cmd.exe
- regedit.exe
- OllyDBG.exe
- SystemExplorer.exe
- a2cmd.exe
- start.exe
- msconfig.exe
- iexplore.exe
- rstrui.exe
- firefox.exe
- chrome.exe
- opera.exe
- safari.exe
The trojan terminates any program that creates a window containing any of the following strings in its name:
- Program Manager