MSIL/Steamlocker [Threat Name] go to Threat

MSIL/Steamlocker.C [Threat Variant Name]

Category trojan
Size 936448 B
Detection created Apr 01, 2016
Detection database version 13271
Aliases Trojan-PSW.Win32.Ruftar.bfiy (Kaspersky)
  TrojanSpy:Win32/Skeeyah.A!rfn (Microsoft)
Short description

MSIL/Steamlocker.C is a trojan that can interfere with the operation of certain applications.


When executed, the trojan creates the following files:

  • %localappdata%\­Microsoft\­Services\­services.exe (926720 B, MSIL/Steamlocker.C)
  • %steaminstallfolder%\­bin\­Steam.exe (916480 B, MSIL/Steamlocker.C)

The trojan creates the following file:

  • %startup%\­Приложение служб и контроллеров.lnk

The file is a shortcut to a malicious file.

This causes the trojan to be executed on every system start.

Instead of %steaminstallfolder% , the value(s) are taken from the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Valve\­Steam\­InstallPath]
Payload information

The trojan blocks execution of some programs.

The programs affected include the following:

  • Steam

The following programs are terminated:

  • Steam.exe

The trojan displays the following fake dialog boxes:

To regain access to the Steam service the user is requested to comply with given conditions in exchange for a password/instructions.

However, this will not result in the removal of the malware from the system.

The trojan attempts to delete the following file:

  • %steaminstallfolder%\­config\­config.vdf

Instead of %steaminstallfolder% , the value(s) are taken from the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Valve\­Steam\­InstallPath]
Other information

The trojan keeps various information in the following files:

  • %localappdata%\­Microsoft\­\­HelpLibraries\­logs.jpg
  • %localappdata%\­Microsoft\­Diagnostic Tools\­%variable%

A string with variable content is used instead of %variable% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.