Win32/LockScreen [Threat Name]
Win32/LockScreen.APR [Threat Variant Name]
Detection created: Jan 13, 2013
Signature database version: 8534
Win32/LockScreen.APR is a trojan that blocks access to the Windows operating system. The file is run-time compressed using UPX.
When executed, the trojan copies itself into the following location:
The trojan creates the following file:
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Shell" = "explorer.exe, %appdata%\skype.dat"
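The Winlogon "Shell" value is a comma-separated list of programs to start as the user's shell, which is why the trojan can leave explorer.exe in first position (the desktop still appears) and append its own file. The script below is an added example for checking this persistence point on a host; it is not ESET's code. Only the registry path and the sample value above come from the page. The function names, the default system root of C:\Windows, and the heuristic that a per-user Shell override under HKCU is unusual on a default install (the system-wide copy lives under HKLM) are assumptions of this example.

```python
"""Check the Winlogon "Shell" value for appended shell entries.

Added example, not ESET code. Only the registry path and the sample value
come from the page; helper names and the clean-system baseline are assumptions.
"""
import platform
from typing import List, Optional, Tuple

# Registry path from the page (per-user hive); the same value name exists
# under HKEY_LOCAL_MACHINE, where a default install keeps it.
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"

# Constructed sample: the value the trojan writes according to the page.
SAMPLE_INFECTED = r"explorer.exe, %appdata%\skype.dat"


def parse_shell_value(value: str) -> List[str]:
    """Split a Shell value into its entries.

    Winlogon treats the value as a comma-separated program list, so the trojan
    keeps explorer.exe first and appends its own file after the comma.
    """
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def _split_path(entry: str) -> Tuple[str, str]:
    """Return (directory, filename) for a Windows path, regardless of host OS."""
    norm = entry.replace("/", "\\")
    if "\\" in norm:
        directory, filename = norm.rsplit("\\", 1)
        return directory, filename
    return "", norm


def suspicious_shell_entries(value: str, system_root: str = r"C:\Windows") -> List[str]:
    """Return every entry that is not the real explorer.exe.

    An entry is accepted only if it is named explorer.exe and is either given
    bare (resolved through the system path) or lives directly in the Windows
    folder; an explorer.exe under %appdata% is still flagged.
    """
    bad = []
    for entry in parse_shell_value(value):
        directory, filename = _split_path(entry)
        if filename.lower() != EXPECTED_SHELL:
            bad.append(entry)
        elif directory and directory.lower().rstrip("\\") != system_root.lower().rstrip("\\"):
            bad.append(entry)
    return bad


def read_winlogon_shell(hive: str = "HKCU") -> Optional[str]:
    """Read the live Shell value (Windows only); None if absent or not on Windows."""
    if platform.system() != "Windows":
        return None
    import winreg  # imported here so the module still loads on non-Windows hosts
    root = winreg.HKEY_CURRENT_USER if hive == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    try:
        with winreg.OpenKey(root, WINLOGON_KEY) as key:
            data, _ = winreg.QueryValueEx(key, "Shell")
            return str(data)
    except FileNotFoundError:
        return None


def assess(hkcu_value: Optional[str], hklm_value: Optional[str]) -> List[str]:
    """Produce findings for a pair of (HKCU, HKLM) Shell values."""
    findings = []
    # Assumption: a per-user override is unusual on a default install, so its
    # mere presence is worth reporting even before looking at its contents.
    if hkcu_value is not None:
        findings.append(f"HKCU Shell override present: {hkcu_value!r}")
        for e in suspicious_shell_entries(hkcu_value):
            findings.append(f"HKCU Shell launches non-explorer entry: {e!r}")
    if hklm_value is not None:
        for e in suspicious_shell_entries(hklm_value):
            findings.append(f"HKLM Shell launches non-explorer entry: {e!r}")
    return findings


if __name__ == "__main__":
    # On Windows, check the live registry; elsewhere, show the constructed sample.
    live = assess(read_winlogon_shell("HKCU"), read_winlogon_shell("HKLM"))
    demo = assess(SAMPLE_INFECTED, EXPECTED_SHELL)
    for line in live or demo:
        print(line)
```

Run it as the affected user, since the override sits in that user's HKCU hive; a clean removal is to delete the per-user Shell value (not to rewrite it to "explorer.exe") so the HKLM default applies again, and to collect the referenced file before deleting it.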
The trojan launches the following processes:
The trojan creates and runs a new thread with its own program code within the following processes:
The trojan hooks the following Windows APIs:
- ZwClose (ntdll.dll)
The following programs are terminated:
The trojan collects the following information:
- volume serial number
- computer name
- operating system version
The trojan can send the information to a remote machine.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 2 URLs and communicates with them over HTTP.
Some examples follow.
To regain access to the operating system, the user is asked to pay a certain amount of money via the Paysafecard or Ukash payment service.
When the correct password is entered, the trojan removes itself from the computer.