Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Short description
Win32/AutoRun.LockScreen.A.Gen is a worm that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the worm is deactivated.
Installation
When executed, the worm copies itself into the following location:
  • %system%\user32.exe (72192 B)
In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Winlogon]
    "Shell" = "%systemroot%\system32\user32.exe"
The following Registry entry is set:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Policies\System]
    "DisableTaskMgr" = 0
Spreading
The worm copies itself into the root folders of the following drives D:, E:, F:, G:, H:, I:, J:, K:, L:, M:, N: using the following name:
  • md.exe (72192 B)
The following file is dropped in the same folder:
  • autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
Other information
The worm displays the following dialog box:
When the correct password is entered the worm is deactivated.

The password to regain access to the operating system is one of the following:
  • 5748839
The worm launches the following processes:
  • cmd.exe /c taskkill /im rundll32.exe /f
  • cmd.exe /c taskkill /im sethc.exe /f
  • cmd.exe /c taskkill /im utilman.exe /f
  • cmd.exe /c taskkill /im narrator.exe /f
  • cmd.exe /c taskkill /im taskmgr.exe /f
  • cmd.exe /c taskkill /im regedit.exe /f
The worm creates the following files:
  • %appdata%\Temp\%variable%.tmp
A string with variable content is used instead of %variable% .

The worm may create copies of the following files (source, destination):
  • %windir%\explorer.exe, %windir%\Debug\UserMode\explorer.exe
  • %windir%\explorer.exe, %windir%\WinSxS\Manifests\
    x86_Microsoft.Windows.SystemCompatible_9c61n8ss4610a7b6_6.0.0.0_x
    -ww_fc371b0b.cat
  • %system%\reg.exe, %windir%\Debug\sys.exe
The worm contains a list of (2) URLs. It can send various information about the infected computer. The HTTP protocol is used.