My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

Trojan.Winlock.3846 threatens users worldwide

July 19, 2011

Trojan.Winlock outbreaks from which Russian users suffered at the end of 2009, in early 2010 and later in the summer the same year have long passed, but now this kind of malware tend to spread outside Russia. Doctor Web—a leading Russian developer of IT security software—warns users of new modifications of this Trojan horse, dubbed Trojan.Winlock.3846 that target computers all over the world. It is not an outbreak yet, but it is the second threat of this type discovered by Doctor Web's virus analysts in this month.

In Russia millions of users fell victims of the Trojan.Winlock malware. To date, the infection cases have begun to decline. In particular, the anti-blocker project at, as well as cooperation between Doctor Web and the leading Russian mobile operators became instrumental in infection prevention and neutralization. Meanwhile, the blocker Trojan horse problem is becoming an urgent one for people in other countries.

Unlike Trojan.Winlock.3794, the new extortionist modification adds its entry into the Windows registry branch
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\userinit, responsible for launching applications by the winlogon process as a user logs into the system. It blocks access to the operating system after the first subsequent reboot.


Instead of the standard Windows interface a user is displayed a message about a system process crash at 0x3BC3. To resolve the problem the user is offered to call a number from the list and enter their activation code in corresponding fields. Calling any of the numbers costs a certain amount of money.

This windows blocker modification has one distinguishing feature—it incorporates the blocking message in several languages for various Windows locales. The message is available at least in English, French and Russian.

To remove the blocking screen, use the following unlock code:


As before, Doctor Web strongly recommends users to refrain from launching applications downloaded from sites you don't trust and from opening e-mail attachments received from unknown senders. Be very careful when pop-ups offering to install various modules and plugins appear in the browser window while you are surfing the Internet. If your system has been compromised by Trojan.Winlock.3846, use the emergency restore tool Dr.Web LiveCD and Dr.Web CureIt utility.

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments