Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Short description
Win32/LockScreen.DA is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the trojan removes itself from the computer.
Installation
When executed, the trojan copies itself into the following location:
  • %windir%\system32\Winlog.exe
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Winlogon]
    "Shell" = "winlog.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Winlogon]
    "Userinit" = "Userinit.exe, winlog.exe"
This causes the trojan to be executed on every system start.
Other information
The trojan displays the following dialog box:
When the correct password is entered the trojan removes itself from the computer.

Data for unblocking access to the operating system is stored in the following files:
  • %windir%\system32\pass
  • %windir%\system32\text
  • %windir%\system32\numb
If the files don't exist, the password to regain access to the operating system is one of the following:
  • Text6
The trojan executes the following command:
  • taskkill.exe /f /im explorer.exe
The following programs are terminated:
  • taskmgr.exe
The trojan may create the following files:
  • del.bat