Threat Encyclopedia

Home > Threat Center > Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

O
P
Q
R
S
T
U
V
W
X
Y
Z
Glossary

Short description

Win32/LockScreen.A is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the trojan removes itself from the computer.

Installation

When executed, the trojan copies itself into the following location:

%temp%\sysstem.exe (50176 B)

In order to be executed on every system start, the trojan sets the following Registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run]
"sysman" = "%temp%\sysstem.exe"
"wincfg" = "%filepath%"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run]
"sysman" = "%temp%\sysstem.exe"

The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon]
"AutoRestartShell" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Policies\System]
"DisableTaskMgr" = 1
"DisableRegistryTools" = 1

Other information

The trojan displays the following dialog box:

When the correct password is entered the trojan removes itself from the computer.

The password to regain access to the operating system is one of the following:

imufather
himydarling

All Products:

Cart About ESET Partners United States and Canada

© 2012 ESET North America. All rights reserved. Trademarks used herein are trademarks or registered trademarks of ESET spol. s r.o. or ESET North America.
All other names and brands are registered trademarks of their respective companies.