Conlock

Type: Trojan
SubType: -
Discovery Date: 11/15/2001
Length: 65,536 bytes
Minimum DAT: 4172 (11/21/2001)
Updated DAT: 4778 (06/06/2006)
Minimum Engine: 5.1.00
Description Added: 01/15/2002
Description Modified: 01/15/2002 12:18 PM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

This trojan prevents keyboard and mouse input, and configures itself to run whenever the system is loaded and/or .TXT files are opened. It poses as a Winamp MP3 file.

When run, the trojan plays a MIDI file and displays a full screen image containing foreign text. Mouse movement and keystrokes are no longer effective as long as the trojan is in memory. The trojan copies itself to the WINDOWS SYSTEM directory as NOT.EXE and CONLOCK.EXE. A registry key is created to load the program at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conlock.exe=CONLOCK.EXE

Another registry key is created to load the program whenever .TXT files are opened:

  • HKEY_CLASSES_ROOT\txtfile\shell\open\command\(Default)=NOT.exe %1

An additional registry value is created to disable registry editor tools, such as REGEDIT.EXE:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools=1
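
The three registry changes listed above can be checked offline against a registry export, for triage or to confirm that cleanup left none of them behind. The following Python is an added example, not vendor code: the function names and the sample export are constructed for illustration, and the input is assumed to be the text format REGEDIT writes when exporting.

```python
import re

# Indicators from this page: (key, value name, test on parsed data); "@" is (Default).
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "conlock.exe", lambda d: "conlock.exe" in str(d).lower()),
    (r"HKEY_CLASSES_ROOT\txtfile\shell\open\command",
     "@", lambda d: re.search(r'(^|[\\/"\s])not\.exe\b', str(d), re.I) is not None),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", lambda d: d == 1),
]

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: data}}, names lower-cased.
    String data is unescaped (backslash, double quote); dword data becomes int."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$', line)
        if current is None or not m:
            continue
        name, data = m.group(1).strip('"').lower(), m.group(2)
        if data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        current[name] = data
    return keys

def find_conlock_indicators(reg_text):
    """Return (key, value name, data) for each Conlock registry change present."""
    keys = parse_reg(reg_text)
    found = ((p, n, keys.get(p.lower(), {}).get(n.lower()), bad) for p, n, bad in INDICATORS)
    return [(p, n, d) for p, n, d, bad in found if d is not None and bad(d)]

# Constructed sample export (not captured from a real system).
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"conlock.exe"="CONLOCK.EXE"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="NOT.exe %1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''
if __name__ == "__main__":
    for hit in find_conlock_indicators(SAMPLE):
        print(hit)
```

The .TXT handler is matched on the file name NOT.exe with a boundary in front of it, so a handler pointing at NOTEPAD.EXE is not flagged.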

Symptoms

- Presence of CONLOCK.EXE and NOT.EXE in the WINDOWS SYSTEM directory
- Full screen image containing foreign characters blocks view of desktop

Method of Infection

Like all trojans, this program does not self replicate. Infection occurs when the trojan is intentionally or accidentally run on a system.

Removal

All Users:
Use current engine and DAT files for detection and removal. Open this registry file to restore registry editor access (ConLockFix.reg)

Manual Removal

  • Restart Windows in Safe Mode (reboot your computer, just before the large WINDOWS startup screen comes up, hit the F5 key). You can recognize that you're in Safe Mode by the text Safe Mode in the 4 corners of the desktop.
  • Click START | RUN, type %WINDIR%\SYSTEM and hit ENTER
  • Delete NOT.EXE and CONLOCK.EXE
  • Open this registry file to restore registry editor access (ConLockFix.reg)
  • Click START | RUN, type REGEDIT and hit ENTER
  • Click the (+) next to HKEY_LOCAL_MACHINE
  • Click the (+) next to SOFTWARE
  • Click the (+) next to MICROSOFT
  • Click the (+) next to WINDOWS
  • Click the (+) next to CURRENTVERSION
  • Click RUN
  • Click on CONLOCK on the right and hit DELETE on the keyboard
  • Restart the computer

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Troj/Conlock (Sophos)
  • Trojan.Win32.Conlock (AVP)
