Win32/LockScreen [Threat Name]
Win32/LockScreen.AFR [Threat Variant Name]
Category | trojan |
Size | 111616 B |
Aliases | Trojan.Win32.VBKrypt.crfg (Kaspersky) |
 | Trojan:Win32/Ransom.DI (Microsoft) |
 | TROJ_RANSOM.INC (TrendMicro) |
Short description
Win32/LockScreen.AFR is a trojan that blocks access to the Windows operating system. To regain access to the operating system, the user is asked to send information or a certain amount of money via the Ukash payment service. The file is run-time compressed using UPX.
Installation
The trojan does not create any copies of itself.
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Shell" = "%malwarefilepath%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Shell" = "%malwarefilepath%"
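The following PowerShell check audits the two Winlogon "Shell" values listed above. It is an added example, not part of the original description. It assumes a stock configuration in which the HKEY_LOCAL_MACHINE value is "explorer.exe" and the HKEY_CURRENT_USER value is absent; the function name Test-WinlogonShell is hypothetical.

```powershell
# Added example: audit the Winlogon "Shell" values used for persistence.
# Assumption: stock Windows has Shell = "explorer.exe" under HKLM and
# no Shell value under HKCU. Anything else is reported for triage.
$ExpectedShell = 'explorer.exe'
$WinlogonKeys = @(
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Test-WinlogonShell {
    param([string]$KeyPath)

    # Returns $null when the key or the value does not exist.
    $value = (Get-ItemProperty -Path $KeyPath -Name 'Shell' -ErrorAction SilentlyContinue).Shell

    $status = if ($null -eq $value) { 'NotSet' }
              elseif ($value.Trim() -ieq $ExpectedShell) { 'Default' }
              else { 'Suspicious' }

    $size = $null
    $sha256 = $null
    if ($status -eq 'Suspicious') {
        # If the value is a plain path to an existing file, record its size
        # and hash so it can be compared against the sample details.
        $path = $value.Trim().Trim('"')
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $size = (Get-Item -LiteralPath $path).Length
            $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }

    [pscustomobject]@{
        Key    = $KeyPath
        Shell  = $value
        Status = $status
        Size   = $size
        SHA256 = $sha256
    }
}

$results = $WinlogonKeys | ForEach-Object { Test-WinlogonShell -KeyPath $_ }
$results | Format-List
```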
Other information
Win32/LockScreen.AFR is a trojan that blocks access to the Windows operating system.
The trojan displays the following dialog box:
To regain access to the operating system, the user is asked to send information or a certain amount of money via the Ukash payment service.
The trojan terminates processes with any of the following strings in the name:
- taskmgr.exe
The trojan alters the behavior of the following processes:
- explorer.exe
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of URLs. The HTTP protocol is used.