Threat behavior
Trojan:Win32/Calelk.A is a trojan that gains control of the infected computer by locking the screen and preventing the user from using the computer. It then prompts the user to send an SMS to a premium number. Some variants may display adult images.
Installation
Upon execution, Trojan:Win32/Calelk.A copies itself as the following:
- <system folder>\usrinit.exe
It modifies the following registry entry to execute its copy at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Modifies value: "Userinit"
With data: "<system folder>\userinit.exe, <system folder>\usrinit.exe"
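
A defender can check for this change by comparing the Userinit value against the single entry Windows expects. The PowerShell below is an added example, not part of the original analysis; the function name Get-UnexpectedUserinitEntry and the sample paths (a typical expansion of <system folder>) are assumptions made for illustration.

```powershell
# Added example (not from the original analysis): list Userinit entries
# other than the legitimate <system folder>\userinit.exe.
function Get-UnexpectedUserinitEntry {
    param(
        [Parameter(Mandatory)][string]$UserinitValue,
        # Hypothetical parameter: defaults to this machine's system folder.
        [string]$SystemFolder = [Environment]::SystemDirectory
    )
    $expected = $SystemFolder.TrimEnd('\') + '\userinit.exe'
    # Userinit is a comma-separated list of programs Winlogon starts at logon.
    foreach ($entry in ($UserinitValue -split ',')) {
        $path = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        # The default value ends with a trailing comma, leaving an empty item.
        if ($path -eq '') { continue }
        # String -eq / -ne are case-insensitive, matching Windows path rules.
        if ($path -eq $expected -or $path -eq 'userinit.exe') { continue }
        $path
    }
}

# Constructed sample: the modified value described above, with
# <system folder> written out as C:\Windows\system32.
$sample = 'C:\Windows\system32\userinit.exe, C:\Windows\system32\usrinit.exe'
Get-UnexpectedUserinitEntry -UserinitValue $sample -SystemFolder 'C:\Windows\system32'

# Live check on the local machine (Windows only).
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$live = (Get-ItemProperty -Path $key -Name Userinit).Userinit
Get-UnexpectedUserinitEntry -UserinitValue $live |
    ForEach-Object { Write-Warning "Unexpected Userinit entry: $_" }
```

Any path the function returns is started at every logon alongside userinit.exe and should be investigated before the value is restored.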
Payload
Locks computer
Trojan:Win32/Calelk.A locks the screen and displays text in Russian demanding that the user send an SMS to a premium number to receive an unlock code. Some variants may also display adult images with the text.
Two examples of the text that Trojan:Win32/Calelk.A displays are as follows:
For this sample, a user can unlock the computer by entering the code: 773020547
A user can unlock the computer by entering the code: 5244000
Additional information
It is recommended that after using the unlock code, the computer be scanned using an antivirus program to remove the malware.
Analysis by Marian Radu
Prevention