July 19, 2011
In Russia millions of users fell victims of the Trojan.Winlock malware. To date, the infection cases have begun to decline. In particular, the anti-blocker project at www.drweb.com/unlocker, as well as cooperation between Doctor Web and the leading Russian mobile operators became instrumental in infection prevention and neutralization. Meanwhile, the blocker Trojan horse problem is becoming an urgent one for people in other countries.
Unlike Trojan.Winlock.3794, the new extortionist modification adds its entry into the Windows registry branch
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\userinit, responsible for launching applications by the winlogon process as a user logs into the system. It blocks access to the operating system after the first subsequent reboot.
Instead of the standard Windows interface a user is displayed a message about a system process crash at 0x3BC3. To resolve the problem the user is offered to call a number from the list and enter their activation code in corresponding fields. Calling any of the numbers costs a certain amount of money.
This windows blocker modification has one distinguishing feature—it incorporates the blocking message in several languages for various Windows locales. The message is available at least in English, French and Russian.
To remove the blocking screen, use the following unlock code:
754-896-324-589-742
As before, Doctor Web strongly recommends users to refrain from launching applications downloaded from sites you don't trust and from opening e-mail attachments received from unknown senders. Be very careful when pop-ups offering to install various modules and plugins appear in the browser window while you are surfing the Internet. If your system has been compromised by Trojan.Winlock.3846, use the emergency restore tool Dr.Web LiveCD and Dr.Web CureIt utility.
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.
Other comments