This threat blocks access to the Windows desktop and displays a message asking the user to send money to a mobile phone account.
It creates the following registry entry so that it automatically executes at the next Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "Explorer.exe "%USERPROFILE%\...\<malware file name>.exe""
Prevents desktop access
The threat displays the following message:
A rough translation of this text is as follows:
"Windows is locked. Microsoft Security has detected misuse of the Internet. Cause: You've watched videos containing certain adult content. To unlock Windows you should transfer <amount> roubles to mobile phone account <mobile number>. Please find the unlock code on the billing machine slip. Note: If not paid within 12 hours, all data including Windows and Bios will be destroyed."
The user is then prevented from accessing the computer desktop.
Analysis by Sergey Chernyshev