Threat behavior
Trojan:Win32/Calelk.C is a trojan that prevents the affected user from using their computer, and displays a pornographic image. The affected user is then instructed to send an SMS to a specified number in order to unlock their computer and remove the image.
Installation
When executed, Trojan:Win32/Calelk.C copies itself to the following location:
c:\documents and settings\administrator\local settings\temp\tempsys.exe
It modifies the following registry entry in order to ensure that the trojan runs at each Windows login:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe,c:\docume~1\admini~1\locals~1\temp\tempsys.exe"
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
Payload
Displays adult image/locks computer
Trojan:Win32/Calelk.C displays a pornographic image and denies the affected user regular access to their computer. The affected user is then instructed to send an SMS to a specified premium-charge number in order to unlock their computer and remove the image.
Additional information
Trojan:Win32/Calelk.C makes the following additional registry modifications in order to store data for its own use:
In subkey: HKCU\Console
Sets value: "WuzHere"
With data: "1"
Sets value: "ConsoleSelfCount"
With data: "004245168739"
Sets value: "ConsoleSize2"
With data: "004245168739"
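A defender's check for both the Winlogon\Userinit persistence entry described under Installation and the HKCU\Console marker values listed above, as an added PowerShell example that is not part of the original entry. It assumes the only legitimate Userinit entry is userinit.exe in the system folder, so anything else appended to that value is reported for review.

```powershell
# Added detection example (not from the encyclopedia entry). Reads the registry
# values the write-up names and reports anything beyond the expected
# userinit.exe in Winlogon\Userinit, plus the HKCU\Console marker values.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Assumption: the legitimate entry is userinit.exe in the system folder.
$expected = Join-Path $env:SystemRoot 'System32\userinit.exe'

$userinit = (Get-ItemProperty -Path $winlogon -Name 'Userinit' -ErrorAction Stop).Userinit
# Winlogon runs each comma-separated entry; the default value ends with a trailing
# comma, so drop empty entries after splitting.
$entries = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }

$findings = @()
foreach ($entry in $entries) {
    # Strip surrounding quotes and compare case-insensitively with the expected path.
    $path = $entry.Trim('"')
    if ($path -ine $expected) {
        $findings += [pscustomobject]@{ Location = "$winlogon\Userinit"; Value = $entry }
    }
}

# Calelk.C also stores marker values under HKCU\Console; their presence is a
# strong indicator on its own.
$console = 'HKCU:\Console'
foreach ($name in 'WuzHere', 'ConsoleSelfCount', 'ConsoleSize2') {
    $prop = Get-ItemProperty -Path $console -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $prop) {
        $findings += [pscustomobject]@{ Location = "$console\$name"; Value = $prop.$name }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Calelk.C indicators found.'
} else {
    Write-Output 'Suspicious registry entries (review before removing):'
    $findings | Format-Table -AutoSize
}
```

An extra Userinit entry pointing into a user's Temp folder, as in the 8.3 short path this trojan writes, is the finding to act on; restore the value to the userinit.exe path alone only after removing the dropped file, since Winlogon executes every entry at the next login.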
Analysis by Jaime Wong
Prevention