| Aliases: | Trojan-Ransom.Win32.VB.bw (Kaspersky), Gen:Trojan.Heur.om0@rny44Fliy (F-Secure) |
| Type of infiltration: | Trojan |
| Size: | 229376 B |
| Affected platforms: | Microsoft Windows |
| Signature database version: | 4589 (20091109) |
|
Short description
Win32/LockScreen.DA is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the trojan removes itself from the computer.
Installation
When executed, the trojan copies itself into the following location:
- %windir%\system32\Winlog.exe
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon]
"Shell" = "winlog.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon]
"Userinit" = "Userinit.exe, winlog.exe"
This causes the trojan to be executed on every system start.
Other information
The trojan displays the following dialog box:
When the correct password is entered the trojan removes itself from the computer.
Data for unblocking access to the operating system is stored in the following files:
- %windir%\system32\pass
- %windir%\system32\text
- %windir%\system32\numb
If the files don't exist, the password to regain access to the operating system is one of the following:
The trojan executes the following command:
- taskkill.exe /f /im explorer.exe
The following programs are terminated:
The trojan may create the following files:
