Win32/LockScreen [Threat Name]

Win32/LockScreen.AT [Threat Variant Name]

Category: trojan, worm
Size: 101376 B
Aliases: Trojan-Ransom.Win32.SMSer.fn (Kaspersky)
  W32/Kelvir.worm.gen (McAfee)
  Trojan.Winlock.240 (Dr.Web)
Short description

Win32/LockScreen.AT is a worm that blocks access to the Windows operating system. To regain access to the operating system, the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered, the worm is deactivated. The file is run-time compressed using ASPack.


When executed, the worm copies itself into the following location:

  • %system%\user32.exe (101376 B)

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "%systemroot%\system32\user32.exe"

The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 0

The worm copies itself into the root folders of the D:, E:, F:, G:, H:, I:, J:, K:, L:, M:, N: drives using the following name:

  • md.exe (101376 B)

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm displays the following dialog box:

When the correct password is entered the worm is deactivated.

The password to regain access to the operating system is one of the following:

  • 381745019462

The worm launches the following processes:

  • cmd.exe /c taskkill /im rundll32.exe /f
  • cmd.exe /c taskkill /im sethc.exe /f
  • cmd.exe /c taskkill /im utilman.exe /f
  • cmd.exe /c taskkill /im narrator.exe /f
  • cmd.exe /c taskkill /im taskmgr.exe /f
  • cmd.exe /c taskkill /im regedit.exe /f
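
The persistence, removable-drive and taskkill indicators listed above can be combined into a single host triage check. The following is an added example, not part of the original description; the snapshot dictionary layout, the `triage` function and the `min_kills` threshold are assumptions, and the sample data is constructed.

```python
import re

# Indicators copied from the description above.
DEFAULT_SHELL = "explorer.exe"             # Windows default for Winlogon\Shell
WORM_SHELL_TAIL = r"\system32\user32.exe"  # value the worm writes
WORM_SIZE = 101376                         # bytes, size of each worm copy
KILL_TARGETS = {"rundll32.exe", "sethc.exe", "utilman.exe",
                "narrator.exe", "taskmgr.exe", "regedit.exe"}
TASKKILL_RE = re.compile(r"cmd\.exe\s+/c\s+taskkill\s+/im\s+(\S+)\s+/f", re.I)

def triage(snapshot, min_kills=3):
    """Return findings for one host snapshot; min_kills is an assumed threshold."""
    findings = []
    shell = snapshot.get("winlogon_shell", DEFAULT_SHELL).strip().strip('"')
    if shell.lower() != DEFAULT_SHELL:
        kind = "worm path" if shell.lower().endswith(WORM_SHELL_TAIL) else "non-default"
        findings.append(f"Winlogon Shell is {kind}: {shell}")
    files = {p.lower(): size for p, size in snapshot.get("files", {}).items()}
    for path, size in files.items():
        # A genuine system folder holds user32.dll, not user32.exe.
        if path.endswith(WORM_SHELL_TAIL) and size == WORM_SIZE:
            findings.append(f"worm-sized user32.exe in system folder: {path}")
        # md.exe only counts when autorun.inf sits beside it at a D:-N: root.
        root = re.fullmatch(r"([d-n]):\\md\.exe", path)
        if root and f"{root.group(1)}:\\autorun.inf" in files:
            findings.append(f"md.exe with autorun.inf at root of {root.group(1).upper()}:")
    killed = set()
    for line in snapshot.get("process_log", []):
        hit = TASKKILL_RE.search(line)
        if hit:
            killed.add(hit.group(1).lower())
    if len(killed & KILL_TARGETS) >= min_kills:
        findings.append("taskkill burst: " + ", ".join(sorted(killed & KILL_TARGETS)))
    return findings

# Constructed snapshots (not real telemetry).
INFECTED = {
    "winlogon_shell": r"%systemroot%\system32\user32.exe",
    "files": {r"C:\Windows\System32\user32.exe": 101376,
              r"E:\md.exe": 101376, r"E:\autorun.inf": 58, r"F:\md.exe": 101376},
    "process_log": ["cmd.exe /c taskkill /im taskmgr.exe /f",
                    "cmd.exe /c taskkill /im regedit.exe /f",
                    "cmd.exe /c taskkill /im sethc.exe /f"],
}
CLEAN = {"winlogon_shell": "explorer.exe",
         "files": {r"C:\Windows\System32\user32.dll": 1600000}, "process_log": []}

if __name__ == "__main__":
    for finding in triage(INFECTED):
        print(finding)
```

A non-default Shell value that does not match the worm path (for example a kiosk shell) is reported separately so it can be reviewed rather than treated as an infection.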

The worm creates the following files:

  • %appdata%\Temp\%variable%.tmp

A string with variable content is used instead of %variable%.

The worm may create copies of the following files (source, destination):

  • %windir%\explorer.exe, %windir%\Debug\UserMode\explorer.exe
  • %windir%\explorer.exe, %windir%\WinSxS\Manifests\
  • %system%\reg.exe, %windir%\Debug\sys.exe

The worm contains a list of 2 URLs. It can send various information about the infected computer. The HTTP protocol is used.
