Selected viruses, spyware, and other threats: sorted alphabetically
Short description
Win32/AutoRun.LockScreen.A.Gen is a worm that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the worm is deactivated. Installation
When executed, the worm copies itself into the following location: - %system%\user32.exe (72192 B)
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon]
"Shell" = "%systemroot%\system32\user32.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Policies\System]
"DisableTaskMgr" = 0
Spreading
The worm copies itself into the root folders of the following drives D:, E:, F:, G:, H:, I:, J:, K:, L:, M:, N: using the following name: - md.exe (72192 B)
- autorun.inf
Other information
The worm displays the following dialog box: 
The password to regain access to the operating system is one of the following:
- 5748839
- cmd.exe /c taskkill /im rundll32.exe /f
- cmd.exe /c taskkill /im sethc.exe /f
- cmd.exe /c taskkill /im utilman.exe /f
- cmd.exe /c taskkill /im narrator.exe /f
- cmd.exe /c taskkill /im taskmgr.exe /f
- cmd.exe /c taskkill /im regedit.exe /f
- %appdata%\Temp\%variable%.tmp
The worm may create copies of the following files (source, destination):
- %windir%\explorer.exe, %windir%\Debug\UserMode\explorer.exe
- %windir%\explorer.exe, %windir%\WinSxS\Manifests\
x86_Microsoft.Windows.SystemCompatible_9c61n8ss4610a7b6_6.0.0.0_x
-ww_fc371b0b.cat - %system%\reg.exe, %windir%\Debug\sys.exe
