Threat behavior
Trojan:Win32/Calelk.A is a trojan that gains control of the infected computer by locking the screen and preventing the user from using the computer. It then prompts the user to send an SMS to a premium number. Some variants may display adult images.
Installation
Upon execution, Trojan:Win32/Calelk.A copies itself as the following:
- <system folder>\usrinit.exe
It modifies the following registry entry to execute its copy at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Modifies value: "Userinit"
With data: "<system folder>\userinit.exe, <system folder>\usrinit.exe"
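One way to check a computer for the Userinit change described above. This is an added example, not part of the original entry: the function name Get-UnexpectedUserinitEntry and the sample string are constructed for illustration, and <system folder> is assumed to be %SystemRoot%\System32.

```powershell
# Added example: list Winlogon "Userinit" entries other than the stock userinit.exe.
# Assumption: <system folder> is %SystemRoot%\System32.
function Get-UnexpectedUserinitEntry {
    param(
        [Parameter(Mandatory)][string]$UserinitData,
        [string]$SystemFolder = (Join-Path $env:SystemRoot 'System32')
    )
    $expected = Join-Path $SystemFolder 'userinit.exe'
    # The value is a comma-separated list of programs that Winlogon starts at logon.
    $UserinitData -split ',' |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) } |
        Where-Object { $_ -and ($_ -ine $expected) }
}

# Constructed sample: the data this entry reports for an infected computer.
$sys    = Join-Path $env:SystemRoot 'System32'
$sample = "$sys\userinit.exe, $sys\usrinit.exe"
Get-UnexpectedUserinitEntry -UserinitData $sample

# Live check against the local registry: report each extra entry with
# whether the file exists, its Authenticode status and its SHA-256 hash.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$live = (Get-ItemProperty -Path $key -Name Userinit).Userinit
foreach ($entry in @(Get-UnexpectedUserinitEntry -UserinitData $live)) {
    $present = Test-Path -LiteralPath $entry -PathType Leaf
    [pscustomobject]@{
        Entry     = $entry
        Exists    = $present
        Signature = if ($present) { (Get-AuthenticodeSignature -LiteralPath $entry).Status } else { $null }
        SHA256    = if ($present) { (Get-FileHash -LiteralPath $entry -Algorithm SHA256).Hash } else { $null }
    }
}
```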
Payload
Locks computer
Trojan:Win32/Calelk.A locks the screen and displays text in Russian demanding that the user send an SMS to a premium number to receive an unlock code. Some variants may also display adult images with the text.
Two examples of the text that Trojan:Win32/Calelk.A displays are as follows:
For this sample, a user can unlock the computer by entering the code: 773020547
A user can unlock the computer by entering the code: 5244000
Additional information
It is recommended that after using the unlock code, the computer be scanned using an antivirus program to remove the malware.
Analysis by Marian Radu
Prevention