MSIL/Steamlocker [Threat Name]
MSIL/Steamlocker.C [Threat Variant Name]
Category: trojan
Size: 936448 B
Aliases: Trojan-PSW.Win32.Ruftar.bfiy (Kaspersky), TrojanSpy:Win32/Skeeyah.A!rfn (Microsoft)
Short description
MSIL/Steamlocker.C is a trojan that can interfere with the operation of certain applications.
Installation
When executed, the trojan creates the following files:
- %localappdata%\Microsoft\Services\services.exe (926720 B, MSIL/Steamlocker.C)
- %steaminstallfolder%\bin\Steam.exe (916480 B, MSIL/Steamlocker.C)
The trojan creates the following file:
- %startup%\Приложение служб и контроллеров.lnk
The file is a shortcut to a malicious file.
This causes the trojan to be executed on every system start.
The value used in place of %steaminstallfolder% is taken from the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Valve\Steam\InstallPath]
Payload information
The trojan blocks execution of some programs.
The programs affected include the following:
- Steam
The following programs are terminated:
- Steam.exe
The trojan displays fake dialog boxes.
To regain access to the Steam service, the user is asked to comply with the given conditions in exchange for a password or instructions.
However, this will not result in the removal of the malware from the system.
The trojan attempts to delete the following file:
- %steaminstallfolder%\config\config.vdf
The value used in place of %steaminstallfolder% is taken from the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Valve\Steam\InstallPath]
Other information
The trojan keeps various information in the following files:
- %localappdata%\Microsoft\\HelpLibraries\logs.jpg
- %localappdata%\Microsoft\Diagnostic Tools\%variable%
A string with variable content is used instead of %variable%.
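The file, shortcut and Registry artifacts listed above can be checked on a suspect host with a short triage script. This is an added example, not part of the original description or any vendor tooling. The function names, the extra WOW6432Node Registry view, the mapping of %startup% to the current user's Startup folder and the matching of shortcut targets against the dropped paths are assumptions.

```powershell
# Added triage sketch: indicator values are copied from the description above.
function Get-SteamInstallPath {
    # WOW6432Node (32-bit registry view on 64-bit Windows) is an assumption, not from the page.
    foreach ($k in 'HKLM:\SOFTWARE\Valve\Steam', 'HKLM:\SOFTWARE\WOW6432Node\Valve\Steam') {
        $p = (Get-ItemProperty -Path $k -Name InstallPath -ErrorAction SilentlyContinue).InstallPath
        if ($p) { return $p }
    }
}

function Find-SteamlockerArtifact {
    $local = $env:LOCALAPPDATA
    $steam = Get-SteamInstallPath
    $hit   = { param($what, $path, $note) [pscustomobject]@{ Indicator = $what; Path = $path; Note = $note } }

    # Dropped copies with the sizes given in the description.
    $drops = @([pscustomobject]@{ Path = Join-Path $local 'Microsoft\Services\services.exe'; Size = 926720 })
    if ($steam) { $drops += [pscustomobject]@{ Path = Join-Path $steam 'bin\Steam.exe'; Size = 916480 } }
    foreach ($d in $drops) {
        $f = Get-Item -LiteralPath $d.Path -Force -ErrorAction SilentlyContinue
        if ($f) { & $hit 'dropped file' $f.FullName "size matches listing: $($f.Length -eq $d.Size)" }
    }

    # Startup shortcuts that resolve to one of the dropped paths (target choice is an assumption).
    $shell   = New-Object -ComObject WScript.Shell
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -LiteralPath $startup -Filter *.lnk -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($drops.Path -contains $target) { & $hit 'startup shortcut' $_.FullName "target: $target" }
    }

    # Data files kept by the trojan; the name under "Diagnostic Tools" is variable, so list all.
    $log = Join-Path $local 'Microsoft\HelpLibraries\logs.jpg'
    if (Test-Path -LiteralPath $log) { & $hit 'data file' $log 'listed file name' }
    $diag = Join-Path $local 'Microsoft\Diagnostic Tools'
    Get-ChildItem -LiteralPath $diag -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { & $hit 'data file (variable name)' $_.FullName 'review manually' }

    # The trojan tries to delete config.vdf; a missing file is a weak supporting signal only.
    if ($steam -and -not (Test-Path -LiteralPath (Join-Path $steam 'config\config.vdf'))) {
        & $hit 'missing Steam config' (Join-Path $steam 'config\config.vdf') 'weak signal'
    }
}

Find-SteamlockerArtifact | Format-Table -AutoSize -Wrap
```

Run it in the affected user's session, because %localappdata% and the Startup folder resolve per user. A size mismatch on a dropped path does not clear the file, since other variants may differ in size.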