Win32/LockScreen [Threat Name] go to Threat

Win32/LockScreen.ES [Threat Variant Name]

Category trojan
Size 173568 B
Aliases Trojan-Ransom.Win32.PornoBlocker.cw (Kaspersky)
  Trojan.Horse (Symantec)
  Trojan:Win32/Pornox.A!dll (Microsoft)
Short description

Win32/LockScreen.ES is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the trojan is deactivated. The file is run-time compressed using UPX .

Installation

When executed, the trojan creates the following files:

  • %temp%\­%variable1%.exe (42496 B)
  • %temp%\­%variable2%.exe (45056 B)
  • %temp%\­%variable3%.dll (463872 B)
  • %windir%\­Tasks\­SysteCheck.job

A string with variable content is used instead of %variable1-3% .


The trojan schedules a task that causes the following file to be executed repeatedly:

  • %temp%\­%variable2%.exe (45056 B)
Other information

The trojan displays the following dialog box:

When the correct password is entered the trojan is deactivated.


The trojan may create the following files:

  • %windir%\­xstopit

Please enable Javascript to ensure correct displaying of this content and refresh this page.