Win32/LockScreen [Threat Name]

Win32/LockScreen.AKX [Threat Variant Name]

Category trojan
Size 147814 B
Aliases Trojan.FaveAV.WA (BitDefender)
  VirTool:Win32/VBInject.gen!JD (Microsoft)

Short description

Win32/LockScreen.AKX is a trojan that blocks access to the Windows operating system.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\%variable%.exe

A string with variable content is used instead of %variable%.


The trojan creates the following file:

  • %appdata%\########################.dll (3072 B, Win32/LockScreen.AKR)

Libraries with the following names are injected into all running processes:

  • ########################.dll

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "videoLAN Media Lab" = "%appdata%\%variable%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "videoLAN Media Lab" = "%appdata%\%variable%.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "%appdata%\%variable%.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "%appdata%\%variable%.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "1400" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1400" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1400" = 0
    • "1601" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
    • "DisableRegistryTools" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoDesktop" = 1
    • "NoWinKeys" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "HideIcons" = 1
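
A triage check for the autostart and lockdown values listed above, run over the text of a registry export taken from a suspect machine. This is an added example, not part of the original description; the function names, the sample export, the user name and the file name in it are constructed for illustration.

```python
import re

# Lockdown values from the write-up, keyed by the lowercase tail of the key path.
LOCKDOWN = {
    r"currentversion\policies\system": {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    r"currentversion\policies\explorer": {"NoDesktop": 1, "NoWinKeys": 1},
    r"currentversion\explorer\advanced": {"HideIcons": 1},
}

def parse_reg(text):
    """Parse regedit export text into {key: {value_name: str or int}}."""
    hive, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                hive.setdefault(key, {})[name] = int(raw[6:], 16)
            elif raw.startswith('"'):  # undo the .reg escaping of \ and "
                hive.setdefault(key, {})[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return hive

def triage(text):
    """Return (key, value_name, reason) for each entry matching the write-up."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        for name, val in values.items():
            if k.endswith(r"currentversion\run") and name == "videoLAN Media Lab":
                findings.append((key, name, "Run value name from the write-up"))
            elif (k.endswith(r"windows nt\currentversion\winlogon")
                  and name.lower() == "shell" and str(val).lower() != "explorer.exe"):
                findings.append((key, name, "Winlogon Shell replaced"))
            for tail, expected in LOCKDOWN.items():
                if k.endswith(tail) and expected.get(name) == val:
                    findings.append((key, name, "lockdown policy enabled"))
    return findings

# Constructed sample export, condensed (user name and file name are made up).
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"videoLAN Media Lab"="C:\\Users\\alice\\AppData\\Roaming\\xkqjz.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\alice\\AppData\\Roaming\\xkqjz.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000'''
```

Files written by `regedit` are UTF-16, so decode them before passing the text to `triage`. A Winlogon Shell other than explorer.exe also occurs on kiosk builds, so confirm a hit against the AppData path given above.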

The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
  • [HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\SafeBoot]

The following programs are terminated:

  • explorer.exe
  • taskmgr.exe

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) URLs. The HTTP protocol is used.


To regain access to the operating system, the user is asked to send information or a certain amount of money via the Paysafecard payment service.


The trojan checks for Internet connectivity by trying to connect to the following servers:

  • www.ask.com

The trojan executes the following commands:

  • ipconfig /flushdns
  • ipconfig /renew

The trojan blocks keyboard and mouse input.
