The Latest in IT Security

New Windows locker changes system access passwords

13
Mar
2012

Doctor Web-a Russian developer of IT security software-has discovered a new Windows blocker program added to the virus database as Trojan.Winlock.5729. It uses standard Windows tools to block access to the system by changing local user passwords – the feature that distinguishes it from other programs of its kind.

Traditionally ransomware use a special application to replaces the Windows shell or userinit.exe, block access to the system and display ransom text. Simultaneously, malware usually monitor and block launching of various system utilities such as Task Manager, Command Prompt, Registry Editor, etc. Makers of Trojan.Winlock.5729 chose a completely different and simpler approach.

The Trojan horse code is spread with the Artmoney program used to adjust various parameters in computer games. In addition to the Artmoney, the installer also incorporates three files: the modified logonui.exe file named iogonui.exe (responsible for displaying Windows XP logon screen) and two self-extracting archives containing bat-files. Starting an infected installer executes the password_on.bat file. This file contains a set of commands that search the hard drive for the c:\users folder which is found under Windows Vista and Windows 7. If discovered, the harmful components are removed, if the folder is not found, the Trojan horse believes that it is running under Windows XP. In this case Trojan.Winlock.5729 modifies the system registry to replace the logonui.exe file with iogonui.exe, and changes the password for the current user Windows account and local users named admin, administrator, ????? and ?????????????. If the current user account has restricted permissions, the Trojan horse process ends. Another bat-file- password_off.bat-sets the original UIHost value in the registry.

The iogonui.exe file is a genuine logonui.exe file that comes with the Windows XP distribution but a resource editor was used to change the standard Windows welcome screen for a demand to send a paid SMS.

screen

Once the user logs off or reboots the system, they will not be able to log in as the passwords for all user accounts will have been changed.

screen

The Trojan horse’s signature is added to the Dr.Web virus databases. If your system has been blocked by the Trojan horse, you can manually change the value in the registry branch ? HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon for logonui.exe.

Leave a reply


Categories

FRIDAY, MARCH 29, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments