
Trojan:Win32/Loktrom.B


First posted on 16 January 2013.
Source: Microsoft

Aliases:

Trojan:Win32/Loktrom.B is also known as Spyware/Win32.Zbot (AhnLab), TR/Ransom.EZ.577 (Avira), Trojan.Ransomlock!g33 (Symantec), Trojan.Winlock.6049 (Dr.Web), Trojan-Dropper.Win32.Dapato (Ikarus), Trojan-Ransom.Win32.Gimemo.attq (Kaspersky).

Explanation:



Trojan:Win32/Loktrom.B may be installed on your computer by other malware, or it may arrive on your computer via a drive-by download.



Installation

When run, Trojan:Win32/Loktrom.B modifies the following registry entries to ensure its copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "<malware file name>"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "explorer"
With data: "<malware file name>"

We have also observed the trojan setting the value as a random string, as in the following example:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random name>", for example "S1249087"
With data: "<malware file name>"
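As an added example (not part of the original Microsoft entry), the following read-only PowerShell audit checks a host for the two persistence settings described above: a Winlogon "Shell" value that is not explorer.exe, and HKLM Run values named "explorer" or, as a heuristic assumption based on the sample name "S1249087", a single letter followed by digits. All other Run values are listed for manual review.

```powershell
# Added audit script, not from the Microsoft entry. It only reads the registry
# and changes nothing. Run from an elevated PowerShell prompt on the host.

$findings = @()

# 1. Winlogon Shell: on a clean system the effective shell is "explorer.exe".
#    Loktrom.B points this value at its own file so the lock screen starts
#    instead of the desktop.
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += [pscustomobject]@{ Check = 'Winlogon Shell'; Key = $winlogon; Name = 'Shell'; Data = $shell }
}

# 2. HKLM Run key: the entry described is a value literally named "explorer";
#    the second variant uses a random name, so every value is listed for review.
#    The regex is a heuristic assumption modelled on the sample name "S1249087".
$run = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKey = Get-Item -Path $run -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $data = $runKey.GetValue($name)
        $suspicious = ($name -eq 'explorer') -or ($name -match '^[A-Za-z]\d{6,}$')
        $check = 'Run value (review)'
        if ($suspicious) { $check = 'Run value (suspicious name)' }
        $findings += [pscustomobject]@{ Check = $check; Key = $run; Name = $name; Data = $data }
    }
}

# Suspicious entries sort first; an empty table means neither indicator is present.
$findings | Sort-Object Check | Format-Table -AutoSize
```

Any Run value flagged as suspicious, or any HKCU Shell value at all, should be compared against the file it points to before being cleaned up, since the malware file name is not fixed.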



Payload

Prevents you from accessing your desktop

Trojan:Win32/Loktrom.B displays a full-screen message that covers all other windows, rendering your computer unusable (this full-screen message is also known as a "lock screen"). It is a fake warning purporting to come from a legitimate institution and claiming an association with Windows and Microsoft Security Essentials. This is untrue and is another method the trojan's authors employ to make the threat seem legitimate.

The message states that illegal activity has been detected on your computer and that you must send a payment to a mobile phone account to regain access.

Paying the "fine" will not necessarily return your computer to a usable state, so this is not advisable.

The screen may appear similar to the following:



Terminates processes

Trojan:Win32/Loktrom.B terminates the "explorer.exe" process by running the following command:

taskkill /F /IM explorer.exe



Analysis by Wei Li

Last update 16 January 2013
