Virus

W32/Lockscreen.LOA!tr

Analysis


  • Upon execution, it drops the following files:
    • undefinedAppDataundefined\[RandomFilename_1].exe : This file is also detected as W32/Lockscreen.LOA!tr.
    • undefinedAppDataundefined\[RandomFilename_2].exe : This file detected as W32/Kryptik.BYA!tr.
    • There are other data files dropped in the user's Application Data folder that are randomly named and do not have extension names. These files are non-malicious.

  • The malware was observed to perform DNS queries to:
    • www.smsdomoj.de
    • ns23824.ovh.net
    • aby.kaneza.com
    • virtualspace.ru

  • The following registry modifications are applied:
    • HKEY_CURRENT_USER\Software\[RandomReg_1]
      • [RandomReg_3] = [HexValues], e.g., hex:a1,49,3f,8d,6a,6f,6e,81,84,4a,c9,0b,2b,a2,ab,eb...

    • HKEY_CURRENT_USER\Software\[RandomReg_2]
      • [RandomReg_4] = [HexValues], e.g., hex:a1,49,3f,8d,6f,7c,72,91,d5,4a,c9,0b...

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • [RandomReg_1] = undefinedAppDataundefined\[RandomFilename_1].exe
      • [RandomReg_2] = undefinedAppDataundefined\[RandomFilename_2].exe
      •   These registry entries enable the dropped files to be automatically executed every time the infected user logs on.

  • The malware file uses the Word Document icon.

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.