Short description
Win32/LockScreen.AT is a worm that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the worm is deactivated. The file is run-time compressed using ASPack.
Installation
When executed, the worm copies itself into the following location:
- %system%\user32.exe (101376 B)
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
"Shell" = "%systemroot%\system32\user32.exe"
The following Registry entry is set:
"DisableTaskMgr" = 0
Spreading
The worm copies itself into the root folders of the following drives: D:, E:, F:, G:, H:, I:, J:, K:, L:, M:, N:, using the following name:
- md.exe (101376 B)
The following file is dropped in the same folder:
Thus, the worm ensures it is started each time infected media is inserted into the computer.
Other information
The worm displays the following dialog box:
The password to regain access to the operating system is one of the following:
The worm launches the following processes:
- cmd.exe /c taskkill /im rundll32.exe /f
- cmd.exe /c taskkill /im sethc.exe /f
- cmd.exe /c taskkill /im utilman.exe /f
- cmd.exe /c taskkill /im narrator.exe /f
- cmd.exe /c taskkill /im taskmgr.exe /f
- cmd.exe /c taskkill /im regedit.exe /f
The worm creates the following files:
A string with variable content is used instead of %variable%.
The worm may create copies of the following files (source, destination):
- %windir%\explorer.exe, %windir%\Debug\UserMode\explorer.exe
- %windir%\explorer.exe, %windir%\WinSxS\Manifests\
- %system%\reg.exe, %windir%\Debug\sys.exe
The worm contains a list of (2) URLs. It can send various information about the infected computer. The HTTP protocol is used.