MSIL/LockScreen [Threat Name] go to Threat

MSIL/LockScreen.L [Threat Variant Name]

Category trojan
Size 1754992 B
Aliases Trojan-Ransom.MSIL.FakeInstaller.e (Kaspersky)
  Trojan:Win32/Ransom.CL (Microsoft)
  Trojan.ADH (Symantec)
Short description

MSIL/LockScreen.L is a trojan that blocks access to the Windows operating system.

Installation

When executed, the trojan creates the following files:

  • %windir%\­explorerr.exe (1153767 B, MSIL/LockScreen.L)
  • %userprofile%\­explorerr.exe (1153767 B, MSIL/LockScreen.L)
  • %windir%\­system32\­explorerr.exe (1153767 B, MSIL/LockScreen.L)

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Shell" = "Explorerr.exe"

The following Registry entry is set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "DisableTaskMgr" = "1"
Other information

MSIL/LockScreen.L is a trojan that blocks access to the Windows operating system.


The trojan displays the following dialog boxes:

To regain access to the operating system the user is asked to send information/certain amount of money via WebMoney payment service.


When the correct password is entered the trojan is deactivated.


The password to regain access to the operating system is one of the following:

  • 47394762
  • 1205167

The trojan may turn off the computer.


Trojan requires the Microsoft .NET Framework to run.

Please enable Javascript to ensure correct displaying of this content and refresh this page.