
Trojan:Win32/Urausy


First posted on 10 October 2013.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Urausy.

Explanation:

Threat behavior

Installation


This threat is distributed by various exploit kits, and is often disguised as an Adobe Flash installer or video file to trick you into downloading and running it.

In the wild, we have seen it use the following file names:

  • adobeflashplayerv10.2.152.32.exe
  • Incest_Porn_Movie_74.mpeg.exe
  • movie1080p.mkv.exe
  • video.hd.exe


The file may have a video file icon, such as:



Win32/Urausy checks if it has been loaded by a debugger (such as OllyDbg) by calling a native API such as ZwQueryInformationProcess with ProcessDebugPort as a parameter.

If the threat is being debugged, it closes or exits immediately.

The trojan also checks whether your PC is running in safe mode; if it is, the trojan immediately reboots your PC.

Win32/Urausy drops a copy of itself into %APPDATA% with the file name cache.dat and sets the file's time to be the same as the file %SystemRoot%\system32\ntdll.dll.

Some older variants, such as Trojan:Win32/Urausy.A, also use the following names:

  • msconfig.dat
  • skype.dat


It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "shell"
With data: "explorer.exe,<threat's file and folder>", for example "explorer.exe,%APPDATA%\cache.dat"

The trojan also creates the file cache.ini in the %APPDATA% folder. This file may contain a 4-byte time counter in milliseconds. The initial counter value may be 0x1DC13000, which represents approximately 138 hours and 40 minutes.

The counter decreases by 4000 every 4 seconds while Win32/Urausy is running. When the counter reaches zero, the trojan deletes itself. It's likely that the malware author has determined that if you haven't paid within that time, you aren't going to pay at all, so there's no point in continuing to infect your PC.

Older variants, such as Trojan:Win32/Urausy.A, also use the following names for this file:

  • msconfig.ini
  • skype.ini
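The persistence entry, drop-file names and countdown file described above can be triaged from a single script. The example below is added here and is not Microsoft's code or part of the original description. It assumes that the 4-byte counter in cache.ini is stored little-endian (the description only says "4-byte time counter in milliseconds") and that the Winlogon Shell value is a comma-separated list, following the "explorer.exe,<path>" format given above. The cache.ini bytes and the Shell value used in the demo are constructed.

```python
"""Host triage for the Win32/Urausy persistence and countdown artefacts.

Added example; not Microsoft's code and not part of the original description.
Assumptions not stated on the page:
  * the 4-byte counter in cache.ini is little-endian, as a Win32 DWORD would be;
  * the Winlogon "Shell" value is a comma-separated list, following the
    "explorer.exe,<path>" format the description gives.
"""
import os
import struct
import sys
from typing import Optional

# Drop-file names given in the description (current and older variants)
URAUSY_DROP_NAMES = {
    "cache.dat", "cache.ini",
    "msconfig.dat", "msconfig.ini",
    "skype.dat", "skype.ini",
}

# Countdown parameters from the description
INITIAL_COUNTER_MS = 0x1DC13000   # 499,200,000 ms, about 138 h 40 min
DECREMENT_MS = 4000               # counter loses 4000 ...
DECREMENT_INTERVAL_S = 4          # ... every 4 seconds of trojan runtime


def parse_winlogon_shell(value: str) -> list:
    """Return every entry in a Winlogon Shell value other than explorer.exe.

    A clean value is exactly "explorer.exe"; Urausy appends ",<its path>",
    so any extra entry deserves a look.
    """
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e and e.lower() != "explorer.exe"]


def is_urausy_drop_name(path: str) -> bool:
    """True if the file name matches one of the names the trojan uses."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in URAUSY_DROP_NAMES


def decode_counter(data: bytes) -> dict:
    """Decode the 4-byte millisecond counter from cache.ini.

    Returns seconds until self-deletion and, assuming the counter started at
    INITIAL_COUNTER_MS, how many seconds the trojan has been running
    (negative if the counter is above the initial value).
    """
    if len(data) < 4:
        raise ValueError("cache.ini counter needs at least 4 bytes")
    remaining_ms = struct.unpack("<I", data[:4])[0]   # little-endian assumption
    # 4000 ms per 4 s means the counter tracks real runtime 1:1
    seconds_left = remaining_ms * DECREMENT_INTERVAL_S // DECREMENT_MS
    runtime_s = (INITIAL_COUNTER_MS - remaining_ms) * DECREMENT_INTERVAL_S // DECREMENT_MS
    return {
        "seconds_until_self_delete": seconds_left,
        "hours": seconds_left // 3600,
        "minutes": (seconds_left % 3600) // 60,
        "runtime_seconds": runtime_s,
    }


def timestomp_matches(candidate: str, reference: str) -> bool:
    """True if candidate's mtime equals reference's (e.g. ntdll.dll), the
    timestamp copying the description mentions."""
    return os.stat(candidate).st_mtime_ns == os.stat(reference).st_mtime_ns


def read_live_shell_value() -> Optional[str]:
    """Read HKCU\\...\\Winlogon\\Shell on Windows; None elsewhere or if unset."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
            value, _ = winreg.QueryValueEx(key, "Shell")
            return value
    except OSError:
        return None


if __name__ == "__main__":
    shell = read_live_shell_value()
    if shell is None:
        # Constructed value standing in for what an infected host would show
        shell = r"explorer.exe,C:\Users\victim\AppData\Roaming\cache.dat"
    for extra in parse_winlogon_shell(shell):
        flag = "KNOWN URAUSY NAME" if is_urausy_drop_name(extra) else "unexpected"
        print(f"Shell extra entry: {extra} [{flag}]")
    # Constructed cache.ini contents: counter at its initial value
    info = decode_counter(INITIAL_COUNTER_MS.to_bytes(4, "little"))
    print(f"{info['hours']} h {info['minutes']} min until self-deletion")
```

Because the counter only runs while the trojan is running, the "runtime" figure is time the infection has actually been active, not wall-clock time since the drop; compare it with the timestomped cache.dat mtime, which is deliberately useless as an infection-time indicator.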

Win32/Urausy injects itself into explorer.exe and svchost.exe to hide its presence.

Win32/Urausy also tries to kill the process taskmgr.exe every 10 milliseconds.

Payload

Prevents you from using your PC

Win32/Urausy creates a new desktop named "Temprary" and switches to it, which prevents you from having access to the default desktop.

It displays a full-screen webpage that covers all other windows, rendering your PC unusable. The image is a fake warning pretending to be from a legitimate law-enforcement agency which demands the payment of a fine. The text changes depending on the location of your PC, as determined from your IP.

Paying the "fine" will not necessarily return your PC to a usable state.

If your PC has a webcam, Win32/Urausy takes a capture from it and saves the photo to %TEMP%\cam.bmp, which may be shown in the fake law-enforcement warning.

The following are examples of some of these warnings:

A warning pretending to be from the Agence nationale de la sécurité des systèmes d'information (ANSSI; the French Network and Information Security Agency):



A warning pretending to be from the Služba Kriminální Policie a Vyšetřování (the Police of the Czech Republic):



A warning pretending to be from the United States FBI Department of Defense Cyber Crime Center:



A warning pretending to be from the Bundeskriminalamt (the German Federal Criminal Police Office):



A warning pretending to be from the Nemzeti Nyomozó Iroda (the Hungarian National Bureau of Investigation):



Older variants may look like this:

A warning pretending to be from the Poliția Română (the Romanian Police):



A warning pretending to be from the Polska Policja (the Polish Police):



A warning pretending to be from the Australian Federal Police (AFP):



Contacts remote server

Win32/Urausy connects to a command and control (C&C) server to report its infection. It also sends encoded information such as the operating system's version, the unique ID of the current user, and the details of any running security-related software.

The request is sent with a customized user agent string that may contain the following information:

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

When encoded, the string/request might look like this:

http://nfymz.biz/bg-<removed>-fxlz-ldlnbbgplc-urxm-uync-ornnqoccmjlrwz-wbigbq-emgp-sjtoepvkolqouduvnclocv_jjuiprlzudoxma-lhax_jkls-kxff-dpld_espj-ng.html

The following are some example C&C servers:

  • http://egipe.com
  • http://nfymz.biz
  • http://vrhgs.su

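The C&C hosts and the shape of the encoded request above can be swept for in proxy logs. The script below is an added example, not Microsoft's code or part of the original description. Its log format (time, client IP, method, URL, status) and all sample lines are constructed; only the three C&C hosts come from the description. The path heuristic is generalised from the single encoded request shown and is low confidence on its own, which is why the host match is reported separately.

```python
"""Proxy-log sweep for the Win32/Urausy C&C traffic described above.

Added example, not Microsoft's code. The log format is constructed
(time, client IP, method, URL, status) and the sample lines are invented to
exercise the checks; only the three C&C hosts come from the description.
"""
import re
from urllib.parse import urlsplit

# C&C hosts listed in the description
URAUSY_C2_HOSTS = {"egipe.com", "nfymz.biz", "vrhgs.su"}

# Low-confidence heuristic generalised from the single encoded request shown:
# one long .html name made only of lowercase letters, '-' and '_'.
ENCODED_PATH_RE = re.compile(r"^/[a-z_-]{60,}\.html$")

# Constructed log lines (not real traffic). Line 2 imitates the shape of the
# encoded request with made-up letter groups; line 3 checks host case folding.
SAMPLE_LOG = """\
2013-10-10T09:00:01 10.0.0.5 GET http://www.example.com/index.html 200
2013-10-10T09:00:07 10.0.0.5 GET http://nfymz.biz/bg-constructed-qqqq-wwwwwwwwww-eeee-rrrr-tttttttttttt-yyyyyy-uuuu-iiiiiiiiiiii_oooooooo-pppp_aaaa-ssss-dddd_ffff-gg.html 200
2013-10-10T09:00:09 10.0.0.7 GET http://EGIPE.COM/ 200
2013-10-10T09:00:12 10.0.0.9 GET http://cdn.example.org/ab-cd-ef.html 200
"""


def classify_url(url: str) -> list:
    """Return the reasons a URL looks like Urausy C&C traffic (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostname is already lower-cased
    reasons = []
    if host in URAUSY_C2_HOSTS:
        reasons.append("known-c2-host")
    if ENCODED_PATH_RE.match(parts.path):
        reasons.append("encoded-path-shape")
    return reasons


def scan_log(text: str) -> list:
    """Parse the constructed proxy lines and return the flagged requests."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue   # skip malformed lines instead of aborting the sweep
        when, client, _method, url, _status = fields
        reasons = classify_url(url)
        if reasons:
            hits.append({"time": when, "client": client,
                         "host": urlsplit(url).hostname, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']}: "
              f"{', '.join(hit['reasons'])}")
```

The user agent quoted above is a stock Internet Explorer 9 on Windows 7 string, so matching on it alone would flag ordinary browsers; use it only to corroborate a host or path match.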

The response from the C&C server is an encrypted package that contains the localized text and images that are used in the lock screen message.

Besides the warning content, the C&C can also instruct Win32/Urausy to delete itself. For example, it will delete itself if your PC is located in the following countries:

  • China
  • Russia
  • Ukraine


Additional information


Win32/Urausy uses the following legitimate payment services:

  • Green Dot MoneyPak
  • MoneyGram
  • Paysafecard
  • Ukash


These providers are not affiliated with this threat.

If you believe you are a victim of fraud involving one of these services, you should contact them, along with your local authorities.



Analysis by Shawn Wang

Symptoms

The following could indicate that you have this threat on your PC:
  • You have these files:
    • adobeflashplayerv10.2.152.32.exe
    • Incest_Porn_Movie_74.mpeg.exe
    • movie1080p.mkv.exe
    • video.hd.exe
  • You may be unable to access your PC, and instead see a message similar to the following:

Last update 10 October 2013

 
