MSIL/Filecoder.OwnHead [Threat Name]
MSIL/Filecoder.OwnHead.A [Threat Variant Name]
Detection created: Feb 28, 2017
Signature database version: 15011
MSIL/Filecoder.OwnHead.A is a trojan that encrypts files on local drives. To decrypt files, the user is asked to send information or a certain amount of money via the Bitcoin payment service.
When executed, the trojan creates the following files:
- %desktop%\UserFilesLocker.exe (53760 B)
- %mydocuments%\UserFilesLocker.exe (53760 B)
In order to be executed on every system start, the trojan sets the following Registry entry:
- "IUDL" = "%desktop%\UserFilesLocker.exe"
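The dropped files and the autorun value above can be matched against collected endpoint inventory. The following is an added example, not part of the original description: the function names, the folder names assumed for %desktop% and %mydocuments%, and the sample records are constructed, and because the description does not name the Registry key, autorun entries are matched on value name and data only.

```python
import ntpath

# Indicators taken from the description above.
DROP_NAME = "userfileslocker.exe"
DROP_SIZE = 53760  # bytes
RUN_VALUE = "IUDL"
# Assumption: %desktop% and %mydocuments% resolve to folders with these names.
DROP_DIRS = {"desktop", "documents", "my documents"}

def match_file(path, size):
    """Return 'strong', 'weak' or None for one (path, size) file record."""
    folder, name = ntpath.split(path)
    if name.lower() != DROP_NAME:
        return None
    in_drop_dir = ntpath.basename(folder).lower() in DROP_DIRS
    # Same name in another folder or with another size is kept as a weak hit.
    return "strong" if in_drop_dir and size == DROP_SIZE else "weak"

def match_autorun(value_name, data):
    """Return 'strong' if value name and target both match, 'weak' if one does."""
    target = ntpath.basename(data.strip().strip('"')).lower()
    hits = (value_name.upper() == RUN_VALUE) + (target == DROP_NAME)
    return {2: "strong", 1: "weak"}.get(hits)

def triage(files, autoruns):
    """Return (verdict, kind, detail) tuples for every matching record."""
    rows = [(match_file(p, s), "file", p) for p, s in files]
    rows += [(match_autorun(n, d), "autorun", f"{n} = {d}") for n, d in autoruns]
    return [r for r in rows if r[0]]

# Constructed sample inventory (not real telemetry).
SAMPLE_FILES = [
    (r"C:\Users\alice\Desktop\UserFilesLocker.exe", 53760),
    (r"C:\Users\alice\Documents\userfileslocker.exe", 53760),
    (r"C:\Tools\UserFilesLocker.exe", 1024),
    (r"C:\Users\alice\Desktop\notes.txt", 120),
]
SAMPLE_AUTORUNS = [
    ("IUDL", r'"C:\Users\alice\Desktop\UserFilesLocker.exe"'),
    ("OneDrive", r"C:\Program Files\OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FILES, SAMPLE_AUTORUNS):
        print(hit)
```

A weak hit is a lead for review rather than a confirmed detection, since the file size given above applies to this variant only.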
The trojan executes the following files:
The trojan searches for files with the following file extensions:
It avoids files with the following extensions:
It avoids files with the following filenames:
The trojan encrypts the file content.
The Rijndael and RSA encryption algorithms are used.
The name of the encrypted file is changed to:
On drive %systemdrive%, the trojan encrypts files in the following folders only:
To decrypt files, the user is asked to send information or a certain amount of money via the Bitcoin payment service.
Some examples follow.
The trojan requires the Microsoft .NET Framework to run.