Win32/LockScreen [Threat Name]

Win32/LockScreen.JN [Threat Variant Name]

Category: trojan
Size: 300032 B
Detection created: Jan 26, 2010
Detection database version: 4807
Aliases: Packed.Win32.Krap.ao (Kaspersky), Trojan.Winlock.591 (Dr.Web), Mal/FakeAV-AX (Sophos)

Short description

Win32/LockScreen.JN is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the trojan removes itself from the computer.

Installation

When executed, the trojan creates the following files:

  • %commonappdata%\userlib.dll (120832 B)
  • %temp%\der%variable%.tmp (294912 B)
  • %temp%\der%variable%.cbt

A string with variable content is used instead of %variable%.


The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%system%\userinit.exe",%temp%\der%variable%.tmp"

This way the trojan ensures that the file is executed on every system start.


The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
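
A defender-side check for the two registry changes listed above, as an added example that is not part of the original description: it takes the Userinit value data and the DisableTaskMgr value as already-read strings (for instance from a registry export) and flags anything beyond the default userinit.exe entry. The function names, finding labels and sample values are assumptions constructed for illustration.

```python
import re

# Entries treated as the normal Userinit program (compared case-insensitively).
# "%system%\userinit.exe" is the form used in this description.
DEFAULT_USERINIT = {
    r"%system%\userinit.exe",
    r"c:\windows\system32\userinit.exe",
    "userinit.exe",
}

# Heuristic for the dropped file names in the Installation section:
# der<variable>.tmp / der<variable>.cbt. It can also match unrelated files.
DROPPED_NAME = re.compile(r"(^|\\)der[^\\]*\.(tmp|cbt)$", re.IGNORECASE)

def userinit_entries(value):
    """Split Userinit value data on commas, dropping blanks and stray quotes."""
    parts = (p.strip().strip('"').strip() for p in value.split(","))
    return [p for p in parts if p]

def audit(userinit_value, disable_taskmgr):
    """Return a list of (finding, detail) tuples; an empty list means clean.

    userinit_value  -- data of Winlogon\\Userinit under HKEY_LOCAL_MACHINE
    disable_taskmgr -- DisableTaskMgr under HKEY_CURRENT_USER, or None if absent
    """
    findings = []
    for entry in userinit_entries(userinit_value):
        if entry.lower() in DEFAULT_USERINIT:
            continue
        if DROPPED_NAME.search(entry):
            findings.append(("userinit-lockscreen-pattern", entry))
        else:
            findings.append(("userinit-extra-entry", entry))
    if disable_taskmgr == 1:
        findings.append(("taskmgr-disabled", "DisableTaskMgr=1"))
    return findings

# Constructed sample inputs (not captured from a real system).
CLEAN = r"C:\Windows\system32\userinit.exe,"
PAGE_FORM = r'"%system%\userinit.exe",%temp%\der%variable%.tmp"'
OTHER_EXTRA = r"C:\Windows\system32\userinit.exe,C:\Tools\agent.exe"

if __name__ == "__main__":
    for label, value, taskmgr in (("clean", CLEAN, None),
                                  ("page form", PAGE_FORM, 1),
                                  ("other extra", OTHER_EXTRA, 0)):
        print(label, audit(value, taskmgr))
```

Any extra Userinit entry deserves review even when it does not match the der*.tmp pattern, since the file name contains a variable part.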
Other information

The trojan displays the following dialog box:

When the correct password is entered the trojan removes itself from the computer.


The password to regain access to the operating system is one of the following:

  • 3097

The trojan contains a list of 1 URL. It can send various information about the infected computer. The HTTP protocol is used.


The trojan may create the following files:

  • %system%\1.bat