Win32/LockScreen [Threat Name]

Win32/LockScreen.AJA [Threat Variant Name]

Category trojan
Size 87552 B
Aliases Trojan-Ransom.Win32.Blocker.bly (Kaspersky)
  Trojan:Win32/Ransom.FL (Microsoft)
  GenericFakeAlert.fz.trojan (McAfee)
Short description

Win32/LockScreen.AJA is a trojan that blocks access to the Windows operating system. To regain access to the operating system, the user is asked to send a certain amount of money to a specific bank account in exchange for the password. When the correct password is entered, the trojan removes itself from the computer. The file is run-time compressed using UPX.

Installation

The trojan creates copies of the following files (source, destination):

  • %windir%\explorer.exe, %windir%\twexx32.dll

The trojan copies itself to the following locations:

  • %windir%\explorer.exe
  • %appdata%\%variable1%.exe

The trojan creates the following files:

  • %appdata%\%variable1%.dat

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%.exe" = "%appdata%\%variable1%.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1406" = 0
    • "1400" = 0

The trojan may create the following files:

  • %temp%\%variable2%.bat

A string with variable content is used instead of %variable1-2%.
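The installation artefacts listed above are more useful for triage when checked together than one at a time. The following Python sketch is an added example, not ESET's code: the function name triage, the snapshot format (Run values, Zone 3 values and a file listing collected from the host beforehand) and all sample paths are assumptions constructed for illustration.

```python
import ntpath

def triage(run_values, zone3_values, files, appdata, windir):
    r"""Match a host snapshot against the artefacts listed in this description.

    run_values:   {value name: data} from HKCU\...\CurrentVersion\Run
    zone3_values: {value name: int} from HKCU\...\Internet Settings\Zones\3
    files:        iterable of full paths present on disk
    """
    present = {f.lower() for f in files}
    findings = []
    for name, data in run_values.items():
        path = data.strip().strip('"').lower()
        # Pattern from the description: value "<x>.exe" = "%appdata%\<x>.exe"
        if (name.lower().endswith(".exe")
                and ntpath.basename(path) == name.lower()
                and ntpath.dirname(path) == appdata.lower()):
            findings.append(("run-key", data))
            dat = path[:-4] + ".dat"
            if dat in present:  # companion %appdata%\<x>.dat
                findings.append(("companion-dat", dat))
    backup = ntpath.join(windir, "twexx32.dll").lower()
    if backup in present:  # copy of the original explorer.exe
        findings.append(("explorer-backup", backup))
    # Zone 3 values "1406" and "1400" set to 0 are treated as corroborating
    # only, so they are reported only next to a file or Run-key hit.
    if findings and all(zone3_values.get(v) == 0 for v in ("1406", "1400")):
        findings.append(("zone3-1406-1400", "0"))
    return findings

# Constructed snapshots (sample values, not taken from a real host)
APPDATA = r"C:\Users\alice\AppData\Roaming"
WINDIR = r"C:\Windows"
INFECTED = triage(
    {"kqzt.exe": APPDATA + r"\kqzt.exe",
     "Updater": r"C:\Program Files\App\upd.exe"},
    {"1406": 0, "1400": 0},
    [APPDATA + r"\kqzt.exe", APPDATA + r"\kqzt.dat", WINDIR + r"\twexx32.dll"],
    APPDATA, WINDIR)
CLEAN = triage(
    {"Updater": r"C:\Program Files\App\upd.exe"},
    {"1406": 3, "1400": 0},
    [WINDIR + r"\explorer.exe"],
    APPDATA, WINDIR)

if __name__ == "__main__":
    for kind, detail in INFECTED:
        print(kind, detail)
```

Because the file name is variable, the Run-key check keys on the shape of the entry (value name equal to the executable name inside %appdata%) rather than on a fixed string.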

Other information

Win32/LockScreen.AJA is a trojan that blocks access to the Windows operating system.


The trojan displays the following dialog box:

When the correct password is entered the trojan removes itself from the computer.


The following programs are terminated:

  • explorer.exe
  • taskmgr.exe
  • procexp.exe

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL. The HTTP protocol is used.
