OREANDA-NEWS. July 22, 2011. The Trojan.Winlock outbreaks that Russian users suffered at the end of 2009, in early 2010 and again in the summer of 2010 have long passed, but this kind of malware now tends to spread outside Russia. Doctor Web, a leading Russian developer of IT security software, warns users of a new modification of this Trojan horse, dubbed Trojan.Winlock.3846, that targets computers all over the world. It is not an outbreak yet, but it is the second threat of this type discovered by Doctor Web's virus analysts this month.

In Russia, millions of users fell victim to Trojan.Winlock malware. Infection cases have since begun to decline; in particular, the anti-blocker project at www.drweb.com/unlocker and cooperation between Doctor Web and the leading Russian mobile operators have been instrumental in preventing and neutralizing infections. Meanwhile, the blocker Trojan horse problem is becoming an urgent one for people in other countries.

Unlike Trojan.Winlock.3794, the new extortionist modification adds its entry to the Windows registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, which determines the applications the winlogon process launches when a user logs into the system. As a result, it blocks access to the operating system after the next reboot.
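A defender's check for the persistence point described above, added here as an example and not part of the Doctor Web advisory: it reads the Winlogon Userinit value and flags any entry other than the stock userinit.exe, which is what a blocker of this kind has to alter to start before the desktop. It assumes Windows PowerShell run with administrative rights on the suspect machine; the variable and function names are this example's own.

```powershell
# Added example (not Doctor Web's code): audit the Winlogon Userinit value.
# Windows reads this comma-separated list at logon and starts each entry in
# turn; on a clean system it holds only the stock userinit.exe.

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe').ToLower()

function Test-UserinitValue {
    param(
        # Defaults to the live registry value; pass a string to audit an
        # exported or offline copy instead.
        [string]$Value = (Get-ItemProperty -Path $winlogonKey -Name Userinit).Userinit
    )

    # Split the list, trim whitespace and drop the empty trailing element
    # left by the default value's closing comma.
    $entries = $Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($entry in $entries) {
        # Strip surrounding quotes and compare case-insensitively so that
        # harmless casing differences are not reported as findings.
        $path = $entry.Trim('"').ToLower()
        $status = if ($path -eq $expectedUserinit) { 'default' } else { 'UNEXPECTED' }
        [pscustomobject]@{ Entry = $entry; Status = $status }
    }
}

# Any line marked UNEXPECTED is a foreign program that runs at every logon and
# deserves to be examined (and, after verification, removed) before rebooting.
Test-UserinitValue | Format-Table -AutoSize
```

The same check can be run against a rescue-environment copy of the SOFTWARE hive by loading it with reg.exe and adjusting $winlogonKey accordingly.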

Instead of the standard Windows interface, the user is shown a message about a system process crash at 0x3BC3. To resolve the problem, the user is told to call a number from the list and enter the activation code in the corresponding fields. Calling any of the numbers costs a certain amount of money.

This Windows blocker modification has one distinguishing feature: it carries the blocking message in several languages for different Windows locales. The message is available in at least English, French and Russian.

To remove the blocking screen, use the following unlock code:

754-896-324-589-742

As before, Doctor Web strongly recommends that users refrain from launching applications downloaded from sites they don't trust and from opening e-mail attachments received from unknown senders. Be very careful when pop-ups offering to install various modules and plugins appear in the browser window while you are surfing the Internet. If your system has been compromised by Trojan.Winlock.3846, use the Dr.Web LiveCD emergency restore tool and the Dr.Web CureIt utility.