Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Short description
Win32/LockScreen.AJ is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the trojan is deactivated. The file is run-time compressed using UPX .
Installation
When executed, the trojan copies itself in the %appdata% folder using one of the following filenames:
  • dizjf.exe
  • pqkzm.exe
  • qawkj.exe
  • rnhai.exe
  • vxwcc.exe
  • yvvvd.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run]
    "windll" = %appdata%\%filename%.exe
A string with variable content is used instead of %filename% .
Other information
The trojan displays the following dialog box:
When the correct password is entered the trojan is deactivated.

The password to regain access to the operating system is one of the following:
  • 2950203 (+79202950203)
  • 9484748 (+79209484748)
  • 1234567 (+79201234567)
  • 6372874 (+79206372874)
Note: The password is valid for the telephone number in brackets.

The trojan disables the following key combinations: ALT + F4 .

The trojan contains a list of (1) URLs. It can send various information about the infected computer. The HTTP protocol is used.