VirusW32/Lockscreen.LOA!tr
Analysis
- Upon execution, it drops the following files:
- undefinedAppDataundefined\[RandomFilename_1].exe : This file is also detected as W32/Lockscreen.LOA!tr.
- undefinedAppDataundefined\[RandomFilename_2].exe : This file detected as W32/Kryptik.BYA!tr.
- There are other data files dropped in the user's Application Data folder that are randomly named and do not have extension names. These files are non-malicious.
- The malware was observed to perform DNS queries to:
- www.smsdomoj.de
- ns23824.ovh.net
- aby.kaneza.com
- virtualspace.ru
- The following registry modifications are applied:
- HKEY_CURRENT_USER\Software\[RandomReg_1]
- [RandomReg_3] = [HexValues], e.g., hex:a1,49,3f,8d,6a,6f,6e,81,84,4a,c9,0b,2b,a2,ab,eb...
- HKEY_CURRENT_USER\Software\[RandomReg_2]
- [RandomReg_4] = [HexValues], e.g., hex:a1,49,3f,8d,6f,7c,72,91,d5,4a,c9,0b...
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- [RandomReg_1] = undefinedAppDataundefined\[RandomFilename_1].exe
- [RandomReg_2] = undefinedAppDataundefined\[RandomFilename_2].exe These registry entries enable the dropped files to be automatically executed every time the infected user logs on.
- HKEY_CURRENT_USER\Software\[RandomReg_1]
- The malware file uses the Word Document icon.
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| FortiClient | |
| FortiAPS | |
| FortiAPU | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR |