Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Short description
Win32/LockScreen.AD is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the trojan removes itself from the computer. The file is run-time compressed using UPX .
Installation
When executed, the trojan copies itself in the %appdata% folder using one of the following filenames:
  • cmeto.exe
  • fkwwy.exe
  • frdog.exe
  • fxalh.exe
  • hmuvt.exe
more...
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run]
    "windll" = "%appdata%\%filename%.exe"
A string with variable content is used instead of %filename% .
Other information
The trojan displays the following dialog box:
When the correct password is entered the trojan removes itself from the computer.

The password to regain access to the operating system is one of the following:
  • 4939492 (+79204939492)
  • 2095498 (+79202095498)
  • 1234567 (+79201234567)
  • 1123456 (+79201123456)
Note: The password is valid for the telephone number in brackets.

The trojan disables the following key combinations: ALT + F4 .

The trojan contains a list of (1) URLs. It can send various information about the infected computer. The HTTP protocol is used.