Win32/LockScreen [Threat Name]

Win32/LockScreen.CZ [Threat Variant Name]

Category: trojan
Size: 333312 B
Aliases:
  • Trojan-Dropper.Win32.Smiscer.af (Kaspersky)
  • Trojan.horse.Agent2.AEUN (AVG)

Short description

Win32/LockScreen.CZ is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the trojan removes itself from the computer.

Installation

When executed, the trojan creates the following files:

  • %temp%\don%variable%.tmp
  • %temp%\don%variable%.tda
  • %temp%\don%variable%.tsh
  • %temp%\a.bat
  • %cookies%\userlib.dll
  • adel.bat

A string with variable content is used instead of %variable%.


In order to be executed on every system start, the trojan modifies the following Registry key:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%system%\userinit.exe, %temp%\don%variable%.tmp"

After the installation is complete, the trojan deletes the original executable file.

Other information

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
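
The two Registry changes described above can be checked on a live system. The following PowerShell is an added example, not part of the original description or of any vendor tool. The function name Get-UnexpectedUserinitEntry and the sample path are constructed for illustration, and the check assumes a clean Userinit value lists only userinit.exe in the system directory.

```powershell
# Added example: audit the Winlogon "Userinit" value and the "DisableTaskMgr" policy.
# Assumption: the only legitimate Userinit entry is <system directory>\userinit.exe.

function Get-UnexpectedUserinitEntry {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value,
        [string]$SystemDir = [Environment]::SystemDirectory
    )
    $expected = [IO.Path]::Combine($SystemDir, 'userinit.exe')
    # Userinit is a comma-separated list; Winlogon starts every entry at logon.
    # The default value ends with a trailing comma, so empty items are skipped.
    $Value -split ',' |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) } |
        Where-Object { $_ -and ($_ -ne $expected) }   # -ne is case-insensitive
}

# Constructed sample in the shape the description gives (path is illustrative).
$sample = 'C:\Windows\system32\userinit.exe, C:\Users\u\AppData\Local\Temp\donXXXX.tmp'
Get-UnexpectedUserinitEntry -Value $sample -SystemDir 'C:\Windows\system32'

# Live check of the two values named in the description.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$extra = @(Get-UnexpectedUserinitEntry -Value $userinit)
if ($extra.Count -gt 0) {
    Write-Warning "Extra Userinit entries: $($extra -join '; ')"
}

# The policy key or value may not exist on a clean system.
$tm = Get-ItemProperty -Path $policy -Name DisableTaskMgr -ErrorAction SilentlyContinue
if ($tm -and $tm.DisableTaskMgr -eq 1) {
    Write-Warning 'DisableTaskMgr = 1 (Task Manager is disabled by policy)'
}
```

A flagged Userinit entry is a lead to examine rather than proof of infection, since other software can also add entries to this value.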

The trojan displays the following dialog box:

When the correct password is entered the trojan removes itself from the computer.


The password to regain access to the operating system is one of the following:

  • 1345496028

The trojan contains a list of 1 URL.


It can send various information about the infected computer to an attacker.


The HTTP protocol is used.
