This threat blocks access to the Windows desktop and displays a message asking the user to send money to a mobile phone account.
It creates the following registry entry so that it automatically executes at the next Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "Explorer.exe "%USERPROFILE%\...\<malware file name>.exe""
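A defender-side check for the Shell change described above, as an added example that is not part of the original analysis: it flags any Winlogon "Shell" data other than the default explorer.exe and lists the extra tokens. The function names and the comma-separated sample are constructed for illustration; the second sample is the pattern from this description with its path elided as on the page.

```python
import re
import sys

WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"  # Shell data on a clean system

# A token is a double-quoted string or a run without whitespace, commas or quotes.
_TOKEN = re.compile(r'"([^"]*)"|([^\s,"]+)')


def tokenize(shell_data):
    """Split Shell data into tokens, dropping the surrounding quotes."""
    pairs = _TOKEN.findall(shell_data)
    return [quoted or bare for quoted, bare in pairs if quoted or bare]


def audit_shell(shell_data):
    """Return (suspicious, extras) for one Shell value.

    Anything other than a lone explorer.exe is flagged; extras holds the
    tokens present besides a leading explorer.exe (or all tokens if the
    value does not start with it).
    """
    tokens = tokenize(shell_data)
    if tokens and tokens[0].lower() == DEFAULT_SHELL:
        extras = tokens[1:]
    else:
        extras = tokens
    return (bool(extras) or not tokens), extras


def read_live_shell():
    """Read the live value from HKLM (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON) as key:
        return winreg.QueryValueEx(key, "Shell")[0]


# Constructed sample data; see the lead-in for where each value comes from.
SAMPLES = [
    "explorer.exe",
    r'Explorer.exe "%USERPROFILE%\...\<malware file name>.exe"',
    r"explorer.exe,C:\Users\Public\sample.exe",
]

if __name__ == "__main__":
    values = SAMPLES + ([read_live_shell()] if sys.platform == "win32" else [])
    for data in values:
        suspicious, extras = audit_shell(data)
        print("SUSPICIOUS" if suspicious else "ok", repr(data), extras)
```

The check is deliberately strict: a path-qualified or empty Shell value is also reported, so that any deviation from the default gets reviewed.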
Prevents desktop access
The threat displays the following message:
A rough translation of this text is as follows:
"Windows is locked. Microsoft Security has detected misuse of the Internet. Cause: You've watched videos containing certain adult content. To unlock Windows you should transfer <amount> roubles to mobile phone account <mobile number>. Please find the unlock code on the billing machine slip. Note: If not paid within 12 hours, all data including Windows and Bios will be destroyed."
The user is then prevented from accessing the computer desktop.
Analysis by Sergey Chernyshev
The following system changes may indicate the presence of this malware:
- The display of the following image: