Trojan.Shadowlock.B
First posted on 21 February 2014.
Source: Symantec
Aliases:
There are no other names known for Trojan.Shadowlock.B.
Explanation:
When the Trojan is executed, it creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"mshost" = "[DRIVE LETTER]:\[CURRENT DIRECTORY]\[TROJAN FILE NAME].exe"
The Trojan modifies the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"CleanShutdown" = dword:00000000
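Both entries above live under HKEY_CURRENT_USER, so a check run from one account only sees that account's hive. The following PowerShell is an added example, not code from Symantec or the original page; it sweeps every loaded user hive under HKEY_USERS for the "mshost" Run value and reports the "CleanShutdown" value alongside it. Treating "mshost" as the primary match and hashing the referenced file are assumptions of this example.

```powershell
# Added example (not Symantec's code): sweep loaded user hives for the registry
# changes listed above. Run elevated to read hives of other logged-on users.
$runKey      = 'Software\Microsoft\Windows\CurrentVersion\Run'
$explorerKey = 'Software\Microsoft\Windows\CurrentVersion\Explorer'

# One subkey per loaded profile under HKEY_USERS; skip the *_Classes hives.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' }

$findings = foreach ($hive in $hives) {
    $base = "Registry::HKEY_USERS\$($hive.PSChildName)"

    # Primary match: an autorun value named "mshost".
    $run = Get-ItemProperty -Path "$base\$runKey" -Name 'mshost' -ErrorAction SilentlyContinue
    if (-not $run) { continue }

    # The value holds the full path of the executable; strip optional quotes.
    $target = ([string]$run.mshost).Trim('"')
    $exists = [bool]$target -and (Test-Path -LiteralPath $target -PathType Leaf)
    $sha256 = $null
    if ($exists) { $sha256 = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash }

    # Secondary context: CleanShutdown is reported as found. Assumption of this
    # example: it is not treated as a match on its own.
    $exp = Get-ItemProperty -Path "$base\$explorerKey" -Name 'CleanShutdown' -ErrorAction SilentlyContinue
    $cleanShutdown = $null
    if ($exp) { $cleanShutdown = $exp.CleanShutdown }

    [pscustomobject]@{
        Sid           = $hive.PSChildName
        RunTarget     = $target
        FileExists    = $exists
        Sha256        = $sha256
        CleanShutdown = $cleanShutdown
    }
}

if ($findings) { $findings | Format-List } else { 'No "mshost" Run value found in loaded user hives.' }
```

Only hives that are currently loaded appear under HKEY_USERS, so profiles of users who are not logged on are not covered by this sweep.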
The Trojan kills the following processes:
explorer
taskmgr
regedit
cmd
Msconfig
rstrui
Skype
The Trojan displays the following message and asks the user to complete a survey to allow them to download a file to unlock the computer:
Note: The Trojan does not actually lock the computer; it only kills the previously mentioned processes.
Last update 21 February 2014