This threat might arrive on your PC with a random file name. When run, it changes its file attributes to hidden. It also creates a registry entry so that it automatically runs every time Windows starts.
Disables drivers and services
The threat disables devices, services, and drivers when your PC starts in Safe Mode or Safe Mode with Networking. It does this by renaming the following registry keys:
- renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\M
- renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\N
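
A read-only PowerShell triage check for the Safe Mode key renaming and the hidden autorun file described above, added here as an example and not part of the original analysis. The `Minimal` and `Network` subkey names (the standard Windows Safe Mode keys) and the choice of the `Run` keys are assumptions, since the page names neither.

```powershell
# Added example: read-only triage for the behaviours described on this page.
function Test-SafeBootRename {
    param([string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot')
    $subkeys = @(Get-ChildItem -LiteralPath $Path -ErrorAction Stop |
                 ForEach-Object { $_.PSChildName })
    # Minimal/Network are the standard Windows Safe Mode subkeys (not named on
    # the page); M/N are the renamed keys the page lists.
    foreach ($pair in @(@('Minimal', 'M'), @('Network', 'N'))) {
        $standard, $renamed = $pair
        [pscustomobject]@{
            StandardKey   = $standard
            StandardFound = $subkeys -contains $standard
            RenamedKey    = $renamed
            RenamedFound  = $subkeys -contains $renamed
            Suspicious    = ($subkeys -contains $renamed) -or
                            ($subkeys -notcontains $standard)
        }
    }
}

function Get-HiddenAutorun {
    # Assumption: the page does not say which autorun entry is created, so
    # the per-machine and per-user Run keys are checked here.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Quoted path, else first token (unquoted paths with spaces are
            # not resolved and are skipped).
            if ($cmd -match '^\s*"([^"]+)"' -or $cmd -match '^\s*(\S+)') {
                $exe  = [Environment]::ExpandEnvironmentVariables($Matches[1])
                $file = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue
                if ($file -and ($file.Attributes -band [IO.FileAttributes]::Hidden)) {
                    [pscustomobject]@{ Key = $key; Value = $name; Path = $exe }
                }
            }
        }
    }
}

Test-SafeBootRename | Format-Table -AutoSize
Get-HiddenAutorun   | Format-Table -AutoSize
```

A row with `Suspicious` set to `True` means a Safe Mode key is missing or one of the renamed keys is present. To check a system that cannot be logged on to, pass `-Path` pointing at the `SafeBoot` key of an offline SYSTEM hive you have loaded yourself.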
Blocks PC access
It prevents you from accessing your desktop by showing an image across your screen. The image contains instructions to send an SMS to a premium number so that you can regain access to your PC.
It also stops EXPLORER.EXE and TASKMGR.EXE and disables mouse control.
Analysis by Zarestel Ferrer
The following could indicate that you have this threat on your PC:
- Your desktop might have been replaced with the image described above.
- You might not be able to use your mouse.