Win32/LockScreen [Threat Name] go to Threat

Win32/LockScreen.APR [Threat Variant Name]

Category trojan
Size 58880 B
Detection created Jan 13, 2013
Detection database version 8534
Aliases Trojan.Win32.Yakes.brjb (Kaspersky)
  PWS-Zbot.gen.atb.trojan (McAfee)
  VirTool:Win32/CeeInject.gen!HL (Microsoft)
Short description

Win32/LockScreen.APR is a trojan that blocks access to the Windows operating system. The file is run-time compressed using UPX .

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\­skype.dat

The trojan creates the following file:

  • %appdata%\­skype.ini

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT-USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Shell" = "explorer.exe, %appdata%\­skype.dat"

The trojan launches the following processes:

  • %malwarefilepath%
  • %system%\­svchost.exe

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • %malwarefilepath%
  • %system%\­svchost.exe

The trojan hooks the following Windows APIs:

  • ZwClose (ntdll.dll)

The following programs are terminated:

  • taskmgr
Information stealing

The trojan collects the following information:

  • volume serial number
  • computer name
  • operating system version

The trojan can send the information to a remote machine.

Other information

Win32/LockScreen.APR is a trojan that blocks access to the Windows operating system.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) URLs. The HTTP protocol is used.


Some examples follow.

To regain access to the operating system the user is asked to send information/certain amount of money via PaysafeCard, Ukash payment service.


When the correct password is entered the trojan removes itself from the computer.

Please enable Javascript to ensure correct displaying of this content and refresh this page.