Saturday, February 25, 2012

Trojan:Win32/LockScreen.BO

Encyclopedia entry
Updated: Dec 16, 2011  |  Published: Dec 05, 2011

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.332.0
Released: Feb 24, 2012
Detection initially created:
Definition: 1.117.389.0
Released: Dec 05, 2011

Summary

Trojan:Win32/LockScreen.BO is a trojan that locks the screen of the affected computer and blocks access to the desktop. It demands that the user buy an online payment voucher and send its code to a remote attacker in order to unlock the computer.

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • You see a full-screen lock message (reproduced as a screenshot in the original entry) claiming that pirated music was found on the computer and demanding payment.
  • You cannot access your desktop.
  • You cannot open Task Manager.

Technical Information (Analysis)

Installation
Trojan:Win32/LockScreen.BO may be installed in the %AppData% folder with a random file name. It modifies the registry so that it runs automatically every time the user logs on. The first entry replaces the user's shell, so the trojan starts instead of Explorer and the desktop never appears; the second is a conventional Run-key autostart:
In subkey: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Sets value: "Shell"
With data: "%AppData%\<malware file name>.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sets value: "(Default)"
With data: "%AppData%\<malware file name>.exe"
It also drops the following clean (non-malicious) file, which it uses to support its payload:
%AppData%\<random folder>\dwlgina3.dll
Payload
Locks the computer
When executed, Trojan:Win32/LockScreen.BO displays a full-screen message (shown as a screenshot in the original entry) claiming that pirated music has been found on the computer and that the computer has therefore been locked.
The screen claims that GEMA, the German performance rights organization, is the entity that found the pirated music. The screen is fake; the message is a scam designed to extort money from the user.
To supposedly unlock the computer, the user is told to buy an online payment voucher and send its code to the attacker. Paying does not unlock the computer. If you are affected by this trojan, do not buy the voucher and do not send its code to the contact details on the fake screen.
Lowers Internet security settings
Trojan:Win32/LockScreen.BO modifies the following Internet Explorer settings so that Active Scripting is enabled (value 1400 controls Active Scripting; data 0 means enabled) in the Local intranet (1), Trusted sites (2) and Internet (3) zones:
In subkeys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
Sets value: "1400"
With data: "0"
Modifies system settings
Trojan:Win32/LockScreen.BO modifies certain system settings by changing the following registry entries:
Disables Task Manager:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "1"
Hides desktop icons such as Recycle Bin, My Computer, and My Network Places:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoDesktop"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideIcons"
With data: "1"
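As an added example (not part of the Microsoft entry and not a Microsoft tool), the following PowerShell script audits the persistence locations listed under Installation and the policy and zone values listed under Modifies system settings, looks for the dropped files in %AppData%, and can revert the registry values. It assumes the key paths and value data exactly as given in this entry; the file-search heuristics and the decision to only report the zone values are the script author's own and need analyst review.

```powershell
# Added triage script for the indicators listed in this entry. It is not part
# of the Microsoft entry or of any Microsoft tool. Run it in the affected
# user's context (for example from Safe Mode with Command Prompt, since the
# trojan replaces the user's shell and disables Task Manager). Without
# -Remediate it only reports; with -Remediate it reverts the registry values
# and honours -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

$ErrorActionPreference = 'Stop'

# One entry per registry indicator from the entry. Expected = $null means any
# data present is reported, because a per-user Winlogon\Shell or a Run
# "(Default)" value is unusual on a clean system. Fix says what -Remediate does.
$checks = @(
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'Shell';          Expected = $null; Fix = 'Remove' }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';               Name = '(default)';      Expected = $null; Fix = 'Remove' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr'; Expected = 1;     Fix = 'Remove' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDesktop';      Expected = 1;     Fix = 'Remove' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideIcons';      Expected = 1;     Fix = 'Set0' }
)
# Active Scripting (value 1400, 0 = enabled) in the Local intranet (1),
# Trusted sites (2) and Internet (3) zones. These zones enable Active
# Scripting by default, so a 0 is only meaningful if the user or a policy had
# set 1 or 3 before; the script reports it and leaves the decision to the analyst.
foreach ($zone in 1, 2, 3) {
    $checks += @{ Path = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"; Name = '1400'; Expected = 0; Fix = 'Report' }
}

$findings = @()
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }                      # key or value absent
    $data = $item.$($c.Name)
    if ($null -eq $data -or "$data".Trim() -eq '') { continue }
    if ($null -ne $c.Expected -and $data -ne $c.Expected) { continue }
    $findings += New-Object PSObject -Property @{ Path = $c.Path; Name = $c.Name; Data = $data; Fix = $c.Fix }
}

# Dropped files: a randomly named .exe directly under %AppData% and a
# dwlgina3.dll in a random subfolder. Treat hits as leads to hash and examine,
# not as proof; other software also installs into %AppData%.
$exeCandidates  = @(Get-ChildItem -Path $env:APPDATA -Filter '*.exe' -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer })
$ginaCandidates = @(Get-ChildItem -Path $env:APPDATA -Recurse -Filter 'dwlgina3.dll' -ErrorAction SilentlyContinue)

if ($findings.Count -eq 0 -and $exeCandidates.Count -eq 0 -and $ginaCandidates.Count -eq 0) {
    Write-Host 'No LockScreen.BO indicators found in HKCU or %AppData%.'
    return
}
$findings | Format-Table Path, Name, Data, Fix -AutoSize
$exeCandidates  | ForEach-Object { Write-Host "Executable in %AppData% root: $($_.FullName)" }
$ginaCandidates | ForEach-Object { Write-Host "dwlgina3.dll found at: $($_.FullName)" }

if (-not $Remediate) { return }
foreach ($f in $findings) {
    $target = "$($f.Path)\$($f.Name)"
    switch ($f.Fix) {
        'Remove' { if ($PSCmdlet.ShouldProcess($target, 'Remove value')) { Remove-ItemProperty -Path $f.Path -Name $f.Name } }
        'Set0'   { if ($PSCmdlet.ShouldProcess($target, 'Set to 0'))     { Set-ItemProperty -Path $f.Path -Name $f.Name -Value 0 -Type DWord } }
        default  { Write-Host "Left unchanged, review manually: $target" }
    }
}
Write-Host 'Registry values reverted. Quarantine the dropped files, then log off and on so Explorer starts as the shell.'
```

Removing the per-user Winlogon\Shell value makes Windows fall back to the machine-wide shell (Explorer), which is why the script deletes it rather than rewriting it. On PowerShell 2.0, Remove-ItemProperty may refuse to delete the Run key's "(default)" value; in that case clear it with `reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /ve /f` instead. Run the script with `-Remediate -WhatIf` first to see what it would change.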
Additional information
Trojan:Win32/LockScreen.BO collects the following data and sends it to the server "ge<removed>gate.net":
  • Hard disk serial number
  • Computer's IP address
  • Windows version running on the affected computer
It then uses this information to populate the displayed fake screen, which is an HTML page hosted on the same server.
Analysis by Stefan Sellmer
