MSIL/Filecoder.OwnHead [Threat Name]
MSIL/Filecoder.OwnHead.A [Threat Variant Name]
Category | trojan |
Size | 73178 B |
Short description
MSIL/Filecoder.OwnHead.A is a trojan that encrypts files on local drives. To decrypt files, the user is asked to send information or a certain amount of money via the Bitcoin payment service.
Installation
When executed, the trojan creates the following files:
- %desktop%\UserFilesLocker.exe (53760 B)
- %desktop%\__encrypt.pinfo
- %mydocuments%\UserFilesLocker.exe (53760 B)
- %mydocuments%\__encrypt.pinfo
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "IUDL" = "%desktop%\UserFilesLocker.exe"
The trojan executes the following files:
- %mydocuments%\UserFilesLocker.exe
Payload information
MSIL/Filecoder.OwnHead.A is a trojan that encrypts files on local drives.
The trojan searches for files with the following file extensions:
- *.*
It avoids files with the following extensions:
- .avi
- .mp4
- .mkv
- .div
- .xvid
- .webm
- .flv
- .ogv
- .ogg
- .mng
- .mov
- .qt
- .wmw
- .yuv
- .rm
- .rmvb
- .asf
- .mpeg
- .mpg
It avoids files with the following filenames:
- UserFilesLocker.exe
- __encrypt.pinfo
- %malwarefilename%
The trojan encrypts the file content.
The Rijndael and RSA encryption algorithms are used.
The name of the encrypted file is changed to:
- %filepath%.ENCR
On drive %systemdrive% the trojan encrypts files in the following folders only:
- %mydocuments%
- %mypictures%
- %commonpictures%
- %desktop%
- %mymusic%
- %commonmusic%
- %commondocuments%
- %downloads%
To decrypt files, the user is asked to send information or a certain amount of money via the Bitcoin payment service.
Other information
The trojan requires the Microsoft .NET Framework to run.
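A triage check for the indicators listed above, as an added example that is not part of the original description. The function name, the input format (a file listing plus the values of the user's Run key, collected by some other tool) and the sample data are assumptions made for illustration.

```python
import ntpath

# Indicators taken from the description above.
DROPPED_NAMES = {"userfileslocker.exe", "__encrypt.pinfo"}
RUN_VALUE = "IUDL"
ENCRYPTED_SUFFIX = ".encr"


def triage(file_paths, run_values):
    """Return sorted (indicator, detail) findings (hypothetical helper).

    file_paths: iterable of Windows paths from a file listing.
    run_values: dict of value name -> data from the user's HKCU Run key.
    """
    findings = set()
    encrypted = 0
    for path in file_paths:
        # ntpath parses Windows paths on any host OS.
        name = ntpath.basename(path).lower()
        if name in DROPPED_NAMES:
            findings.add(("dropped_file", path))
        elif name.endswith(ENCRYPTED_SUFFIX):
            encrypted += 1
    for value, data in run_values.items():
        # Registry value names are case-insensitive; also flag the
        # dropped executable if it is registered under another name.
        if value.upper() == RUN_VALUE or "userfileslocker.exe" in data.lower():
            findings.add(("run_key", f"{value}={data}"))
    if encrypted:
        findings.add(("encrypted_files", str(encrypted)))
    return sorted(findings)


# Constructed sample data (not from a real host).
SAMPLE_FILES = [
    r"C:\Users\alice\Desktop\UserFilesLocker.exe",
    r"C:\Users\alice\Desktop\__encrypt.pinfo",
    r"C:\Users\alice\Documents\report.docx.ENCR",
    r"C:\Users\alice\Pictures\cat.jpg.ENCR",
    r"C:\Users\alice\Videos\clip.mp4",
]
SAMPLE_RUN = {
    "OneDrive": r'"C:\Program Files\OneDrive\OneDrive.exe" /background',
    "IUDL": r"C:\Users\alice\Desktop\UserFilesLocker.exe",
}

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_FILES, SAMPLE_RUN):
        print(indicator, detail)
```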