Home / malware Trojan:Win32/Urausy.C
First posted on 11 February 2013.
Source: MicrosoftAliases :
Trojan:Win32/Urausy.C is also known as Win32/Injector.ZPB (ESET), BackDoor.Andromeda.22 (Dr.Web), Mal/EncPk-AFN (Sophos), PWS-Zbot.gen.anm (McAfee), TROJ_LOCKSCRN.SM (Trend Micro), Crypt.BBQL (AVG), Trojan.Win32.Buzus (Ikarus), Trojan.Win32.Buzus.mssp (Kaspersky), Trojan.Win32.Inject.ewxm (Kaspersky), Trojan/Win32.Zbot (AhnLab), W32/Injector.HB (Command), W32/Urausy.B (Norman).
Explanation :
Trojan:Win32/Urausy.C may be installed on your computer by other malware, or it may arrive on your computer via a drive-by download from a compromised website.
Installation
When run, Trojan:Win32/Urausy.C drops the following files to the %AppData% folder:
- skype.dat - this is a copy of the trojan
- skype.ini - this is a data file used by the trojan as an "infection marker" to prevent multiple instances of the malware from running in the infected computer, thus possibly arousing suspicion
Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Roaming".
Trojan:Win32/Urausy.C modifies the following registry entry to ensure its copy runs at each Windows start:
In subkey: HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe,%AppData%\skype.dat"
Payload
Prevents you from accessing your desktop
When run,Trojan:Win32/Urausy.C displays a full-screen message that covers all other windows, rendering your computer unusable (this full-screen message is also known as a "lock screen"). The message is a fake warning pretending to be from a legitimate institution.
The message demands the payment of a fine for the supposed possession of illicit material.
Paying the "fine" will not necessarily return your computer to a usable state, so this is not advisable.
The screen may appear similar to the following, which is pretending to be a message from the Federal Bureau of Investigation - United States Department of Justice; the FBI:
Connects to remote servers
In the wild, we have observed Trojan:Win32/Urausy.C sending information about your computer to, and downloading the lock screen messages from, the following URLs:
Additional information
- ckza.ru
- efdp.su
We have observed Trojan:Win32/Urausy.C using the legitimate payment and financial transfer service "Green Dot MoneyPak".
Note: This provider is not affiliated with Trojan:Win32/Urausy.C.
If you believe you are a victim of fraud involving this service, you should contact them along with your local authorities.
Please also see the following Microsoft advisory for additional advice:
- What to do if you are a victim of fraud
Analysis by Marianne Mallen
Last update 11 February 2013
