TrojanDropper:Win32/Wlock.A is a trojan that prevents the affected user from using their computer, and displays a pornographic image. The affected user is then instructed to send an SMS to a specified number in order to unlock their computer and remove the image.
Installation
When executed, the trojan drops the following files under C:\Documents and Settings\Administrator\wlock:
TrojanDropper:Win32/Wlock.A also creates the following mutex to ensure that only one instance of itself runs at any time:
"{E4C8EA9B-C05F-46F9-A021-7DA1FB1C6454}"
The trojan makes the following changes to the registry so that it runs again at each Windows start:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: cmd
With data: c:\Malware\Malware.dat.exe
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: Userinit
With data: <system folder>\userinit.exe,C:\Documents and Settings\Administrator\wlock\wlock.exe
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.
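The two registry locations above are the persistence points a responder would check on a suspect host. The following audit script is an added example, not part of this analysis; it assumes an elevated PowerShell session on the host being examined, and the sample Userinit string it checks first is constructed from the value quoted above.

```powershell
# Added audit script (not part of the advisory). Assumes an elevated
# PowerShell session on the host under examination.

function Get-UserinitExtras {
    param([Parameter(Mandatory)][string]$Data)
    # Userinit is a comma-separated list. Windows needs exactly one entry,
    # <system folder>\userinit.exe; every additional entry also runs at logon,
    # which is how wlock.exe is started here.
    $legit = Join-Path $env:SystemRoot 'System32\userinit.exe'
    $Data -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and ($_ -ine $legit) -and ($_ -ine 'userinit.exe') }
}

function Get-RunOnceEntries {
    # HKCU RunOnce is normally empty; list every value so it can be compared
    # against the "cmd" -> Malware.dat.exe entry described in the advisory.
    $key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    if (-not (Test-Path $key)) { return }
    $item = Get-Item $key
    $item.GetValueNames() | ForEach-Object {
        [pscustomobject]@{ Name = $_; Data = $item.GetValue($_) }
    }
}

# Constructed sample: the Userinit data quoted in the advisory. The function
# should return only the wlock.exe path, not the legitimate userinit.exe.
$sample = "$env:SystemRoot\System32\userinit.exe,C:\Documents and Settings\Administrator\wlock\wlock.exe"
Write-Output 'Extra Userinit entries in constructed sample:'
Get-UserinitExtras -Data $sample

# Live check of this host.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$live = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$extras = Get-UserinitExtras -Data $live
if ($extras) {
    Write-Warning "Unexpected Userinit entries: $($extras -join '; ')"
} else {
    Write-Output 'Userinit value contains only userinit.exe.'
}

Get-RunOnceEntries |
    Where-Object { $_.Data -match 'Malware\.dat\.exe|wlock\.exe' } |
    ForEach-Object { Write-Warning "Suspicious RunOnce value '$($_.Name)' -> $($_.Data)" }
```

Any extra Userinit entry is worth investigating even when it does not match the paths in this advisory, since other families use the same hook.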
Payload
Displays adult images/locks computer
TrojanDropper:Win32/Wlock.A displays a pornographic image and denies the affected user regular access to their computer. The affected user is then instructed to send an SMS to a specified premium-charge number in order to unlock their computer and remove the image.
Forces shutdown
The trojan forces the computer to shut down and reboot by launching the following file:
<system folder>\shutdown.exe
Analysis by Jaime Wong