MSIL/Filecoder.OwnHead [Threat Name]

MSIL/Filecoder.OwnHead.A [Threat Variant Name]

Category: trojan
Size: 73178 B
Detection created: Feb 28, 2017
Signature database version: 15011
Short description

MSIL/Filecoder.OwnHead.A is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to send information or a certain amount of money via the Bitcoin payment service.

Installation

When executed, the trojan creates the following files:

  • %desktop%\UserFilesLocker.exe (53760 B)
  • %desktop%\__encrypt.pinfo
  • %mydocuments%\UserFilesLocker.exe (53760 B)
  • %mydocuments%\__encrypt.pinfo

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "IUDL" = "%desktop%\UserFilesLocker.exe"

The trojan executes the following files:

  • %mydocuments%\UserFilesLocker.exe

Payload information

MSIL/Filecoder.OwnHead.A is a trojan that encrypts files on local drives.

The trojan searches for files with the following file extensions:

  • *.*

It avoids files with the following extensions:

  • .avi
  • .mp4
  • .mkv
  • .div
  • .xvid
  • .webm
  • .flv
  • .ogv
  • .ogg
  • .mng
  • .mov
  • .qt
  • .wmw
  • .yuv
  • .rm
  • .rmvb
  • .asf
  • .mpeg
  • .mpg

It avoids files with the following filenames:

  • UserFilesLocker.exe
  • __encrypt.pinfo
  • %malwarefilename%

The trojan encrypts the file content.

The Rijndael and RSA encryption algorithms are used.


The name of the encrypted file is changed to:

  • %filepath%.ENCR

On drive %systemdrive% the trojan encrypts files in the following folders only:

  • %mydocuments%
  • %mypictures%
  • %commonpictures%
  • %desktop%
  • %mymusic%
  • %commonmusic%
  • %commondocuments%
  • %downloads%

To decrypt the files, the user is asked to send information or a certain amount of money via the Bitcoin payment service.

Some examples follow.

Other information

The trojan requires the Microsoft .NET Framework to run.