Trojan:Win32/Adslock.A
First posted on 06 September 2011.
Source: SecurityHome
Aliases :
There are no other names known for Trojan:Win32/Adslock.A.
Explanation :
Trojan:Win32/Adslock.A is a malicious program designed to lock the desktop to force the user to complete an offer which supposedly unlocks the screen.
Installation
When executed, Trojan:Win32/Adslock.A copies itself to the Windows Startup folder so that it runs automatically whenever a user logs on or Windows starts.
Payload
Performs desktop changes
When executed, Trojan:Win32/Adslock.A disables Task Manager and hides the system taskbar.
It also attempts to lock the desktop and displays a request to complete an offer to unlock the screen.
Behind the "Offer Window", Trojan:Win32/Adslock.A initiates an HTTP request to the following page:
- watchhow.<removed>yi.am/lock/#1#1#0#YouAre<removed>jile#1#
The server responds with a message saying "You are Locked", and displays unwanted images that may imply that the user is viewing inappropriate content.
The message implies that the user can complete either of the two offers. This often leads to fraudulent promotions that claim the user has won an award.
However, the user must supply an email address and personally identifiable information (PII) to claim the prize.
Displays advertisements
Trojan:Win32/Adslock.A connects to the following servers, which are known to serve advertisements:
- theabc<removed>photo.com
- wegetpaid.net
Additional information
Trojan:Win32/Adslock.A is generated by a builder, which is detected as Constructor:Win32/Adslock.A.
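A triage check for the Installation and Payload behaviour described above, added here as an example and not part of the original analysis. It flags real executables (rather than shortcuts) sitting in the Startup folders and reports whether Task Manager is disabled for the current user. The page does not say how the trojan disables Task Manager, so the `DisableTaskMgr` policy value is checked as an assumption; `Test-PEHeader` is a hypothetical helper name.

```powershell
# Added triage example: Startup-folder executables and Task Manager policy.

# Per-user and all-users Startup folders, resolved by the OS.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Test-PEHeader {
    # Hypothetical helper: true if the file starts with 'MZ' (0x4D 0x5A),
    # whatever its extension claims to be.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $buf = New-Object byte[] 2
            $n = $fs.Read($buf, 0, 2)
            return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
        } finally { $fs.Dispose() }
    } catch { return $false }
}

# Legitimate Startup entries are normally .lnk shortcuts; a PE file copied
# directly into the folder is worth a closer look.
$findings = foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ne '.lnk' -and (Test-PEHeader $_.FullName) } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}
$findings | Format-List

# Assumption: Task Manager is disabled through the per-user policy value.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey -Name DisableTaskMgr -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableTaskMgr -eq 1) {
    Write-Warning "Task Manager is disabled by policy for the current user ($policyKey)."
}
```

An unsigned executable in a Startup folder together with the policy warning matches the behaviour described on this page, but neither finding alone identifies this specific trojan.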
Analysis by Methusela Cebrian Ferrer
Last update 06 September 2011