
TWLWLocker

Posted: September 14, 2017

TWLWLocker is a screen-locking Trojan that can block your desktop with pop-ups imitating various Windows errors. Its threat actors may use these attacks to pressure the user into paying money or providing confidential information, either to a fake technical support team or to the threat actors directly. Because this threat harms UI accessibility, most users should block and remove TWLWLocker automatically with appropriate anti-malware software.

The Team that's not on Your Side

The days when Russian residency provided a limited degree of breathing room from targeting by Trojan campaigns have long expired. However, that real-world geographical space does offer numerous samples of how threat actors are experimenting with different ways of profiting through attacks, ranging from encryption to modifying the Web-browsing resources of their victims. TWLWLocker, as an example, includes both transparent attacks against the user interface and less obvious features that limit website access.

Although it's designed for Windows systems and appears to be feature-complete, TWLWLocker's distribution practices are still under analysis. The Trojan's payload includes primarily English-based components, such as an image file announcing the identity of its authors (the 'TeamWinLockerWindows' threat actors). However, TWLWLocker blocks a variety of websites that are prominent among Russian Web surfers, including the social networking domain of VK.com, the Yandex search engine, and various .RU sites, including Google. Since TWLWLocker edits the Windows Hosts file directly to do so, these sites will fail to load in any Web browser.

TWLWLocker's other identifying feature is its screen-locking function, which malware experts describe as being formatted to look like default Windows alerts. TWLWLocker generates hand-made imitations of kernel exception errors while blocking the screen with maximized, borderless windows, and also mimics a Metro loading bar. Con artists often conduct screen-locking attacks of this nature to force their victims into paying for fake security or technical support assistance from the provided phone numbers.

Locking a Screen-Locker Outside

Why TWLWLocker's payload includes a feature for redirecting Web-browsing traffic when its primary function blocks the user's access to other programs entirely is a question that only its author can answer. However, this threat's payload shows the dual nature of an infection, wherein the immediate experiences of a victim don't always reflect every attack taking place. Even if the user regains access to his PC by closing or otherwise circumventing TWLWLocker's screen-locking feature, his ability to load other websites will remain filtered through the Trojan's Hosts-hijacking attack.

When facing a threat like TWLWLocker that tries to block your desktop or other applications, most users can regain control over the Windows UI by restarting and selecting a Safe Mode-based environment, which should load without launching the Trojan. Different versions of Windows access Safe Mode in various ways, although a majority provide access to the advanced startup menu by tapping the F8 key before the OS loading screen appears. Professional anti-malware applications can block or uninstall TWLWLocker as a threat to your computer, but the Windows Hosts file may also need restoration to its default values.
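To check whether the Hosts file still carries hijacked entries after cleanup, the following added example (not code from the original article or from any vendor tool) lists every active mapping other than `localhost` and labels it as blocked or redirected. The sample entries and IP addresses are constructed for illustration, and treating `localhost` as the only legitimate name is an assumption.

```python
import ipaddress
import os

# Assumption for this example: a default Windows hosts file maps nothing but localhost.
BENIGN_NAMES = {"localhost"}

def audit_hosts(text):
    """Return (line_no, ip, hostname, verdict) for each active non-default mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        ip_text, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            ip = None
        if ip is None or not names:
            findings.append((line_no, ip_text, " ".join(names), "malformed"))
            continue
        # Loopback/unspecified targets make the site fail to load;
        # any other address sends the browser to a different server.
        verdict = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
        for name in names:
            if name.lower() not in BENIGN_NAMES:
                findings.append((line_no, ip_text, name.lower(), verdict))
    return findings

# Constructed sample; the target addresses are not taken from the Trojan.
SAMPLE_HOSTS = """\
# constructed sample hosts file
#       127.0.0.1       localhost
127.0.0.1       localhost
127.0.0.1       vk.com www.vk.com
0.0.0.0         yandex.ru   # constructed entry
203.0.113.10    google.ru
"""

if __name__ == "__main__":
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    try:
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS  # not on Windows or file unreadable: use the sample
    for line_no, ip, name, verdict in audit_hosts(text):
        print(f"line {line_no}: {name} -> {ip} ({verdict})")
```

An empty result means the file contains no active mappings beyond `localhost`; any listed line is a candidate for removal when restoring the file.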

It's not difficult to imagine how the con artists could use TWLWLocker to make money, either by changing which sites the victims visit or by holding their computers hostage. However, there are always alternatives to a TWLWLocker-style hostage situation that are open to all users willing to look for them.
