
Ransom:Win32/LockScreen.BO


First posted on 31 May 2014.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/LockScreen.BO.

Explanation:

Threat behavior

Trojan:Win32/LockScreen.BO is a trojan that prevents the user from accessing the affected computer by locking the screen and preventing access to the desktop. It forces the user to buy an online voucher to send to a remote attacker in order to unlock the computer.

Installation

Trojan:Win32/LockScreen.BO may be installed in the %AppData% folder with a random file name. It modifies the system registry so that it automatically runs every time Windows starts:

In subkey: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Sets value: "Shell"
With data: "%AppData%\.exe"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sets value: "(Default)"
With data: "%AppData%\.exe"

It also drops the following clean file to assist in its payload:

%AppData%\\dwlgina3.dll

Payload

Locks the computer

When executed, Trojan:Win32/LockScreen.BO displays the following screen, which claims that pirated music has been found on the computer and that the computer has been locked because of this activity:

[Screenshot of the lock screen; image not reproduced in this copy.]

The screen claims that the Performance Rights Organization in Germany (GEMA) is the entity that has located pirated music. However, the screen is fake and is merely a scam to get money from the user.

To supposedly unlock the computer, the user has to buy an online voucher and send it to a remote attacker. However, the computer is not actually unlocked even if the user sends the voucher. If you are affected by this trojan, do not buy a voucher or send it to the contact details shown on the fake screen.

Lowers Internet security settings

Trojan:Win32/LockScreen.BO modifies the following Internet Explorer settings to enable Active Scripting:

In subkeys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
Sets value: "1400"
With data: "0"

Modifies system settings

Trojan:Win32/LockScreen.BO modifies certain system settings by changing the following registry entries:

Disables Task Manager:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "1"

Hides desktop icons such as Recycle Bin, My Computer, and My Network Places:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoDesktop"
With data: "1"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideIcons"
With data: "1"
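The registry entries listed under Installation, Lowers Internet security settings and Modifies system settings can be checked read-only with the PowerShell script below. It is an added example, not part of the Microsoft write-up, and it only reports; it changes nothing. It assumes the affected user's hive is loaded as HKCU (run it as that user from a session the lock screen does not control, such as Safe Mode with Command Prompt). Because the executable name and the drop folder are random, it matches on the %AppData% location rather than a literal file name.

```powershell
# Added example (not from the write-up): read-only check for the registry and
# file indicators this write-up attributes to Trojan:Win32/LockScreen.BO.

$findings = New-Object System.Collections.Generic.List[string]

# Report when a value under $Path has the data the write-up says the trojan sets.
function Test-RegValue {
    param(
        [string]$Path,         # registry key, e.g. HKCU:\...
        [string]$Name,         # value name; '(default)' addresses the default value
        [string]$Expected,     # data the write-up lists
        [string]$Description
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return }
    if ([string]$prop.Value -eq $Expected) {
        $findings.Add("$Description : $Path\$Name = $($prop.Value)")
    }
}

$appData = [Environment]::GetFolderPath('ApplicationData')   # what %AppData% expands to

# --- Installation: Winlogon Shell hijack and Run key default value ---
# A per-user Winlogon "Shell" value is unusual on its own; this trojan points it
# at its random-named executable in %AppData%.
$winlogon = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -LiteralPath $winlogon -ErrorAction SilentlyContinue).Shell
if ($shell) {
    $expanded = [Environment]::ExpandEnvironmentVariables($shell)
    if ($expanded -like "$appData*" -and $expanded -like '*.exe*') {
        $findings.Add("Winlogon Shell points into %AppData%: $shell")
    } elseif ($shell -ne 'explorer.exe') {
        $findings.Add("Non-default per-user Winlogon Shell: $shell")
    }
}

# The Run key's (Default) value is normally empty; the trojan sets it to its executable.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runDefault = (Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue).'(default)'
if ($runDefault) {
    $findings.Add("Run key (Default) value is set: $runDefault")
}

# Dropped helper DLL; its folder name is random, so search below %AppData%.
Get-ChildItem -LiteralPath $appData -Recurse -Filter 'dwlgina3.dll' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Dropped file present: $($_.FullName)") }

# --- Lowers Internet security settings ---
# Value 1400 is Active Scripting; data 0 means enabled. 0 is also the default in
# these zones on an unhardened system, so treat a hit as corroborating only.
foreach ($zone in 1, 2, 3) {
    Test-RegValue -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone" `
        -Name '1400' -Expected '0' -Description "Active Scripting enabled in zone $zone"
}

# --- Modifies system settings ---
Test-RegValue -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name 'DisableTaskMgr' -Expected '1' -Description 'Task Manager disabled'
Test-RegValue -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -Name 'NoDesktop' -Expected '1' -Description 'Desktop hidden'
Test-RegValue -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -Name 'HideIcons' -Expected '1' -Description 'Desktop icons hidden'

if ($findings.Count -eq 0) {
    'No LockScreen.BO indicators found in the current user hive.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { "  $_" }
}
```

The Winlogon Shell and Run (Default) checks carry the most weight: neither is set on a normal user profile, so a hit there plus the DisableTaskMgr/NoDesktop policies matches the write-up's symptom list. To inspect another user's profile from an administrator account, load that user's NTUSER.DAT under HKU and replace the HKCU: prefix with the corresponding HKU path.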

Additional information

Trojan:Win32/LockScreen.BO collects the following data, which it then sends to the server "gegate.net":

  • Hard disk serial number
  • Computer's IP address
  • Windows version running on the affected computer

It then uses this information in the displayed fake screen. The screen is an HTML file hosted on the same server.

Analysis by Stefan Sellmer

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • You see the following screen:

[Screenshot of the lock screen; image not reproduced in this copy.]

  • You cannot access your desktop.
  • You cannot enable Task Manager.

Last update 31 May 2014