
Trojan:Win32/Urausy.C


First posted on 11 February 2013.
Source: Microsoft

Aliases:

Trojan:Win32/Urausy.C is also known as Win32/Injector.ZPB (ESET), BackDoor.Andromeda.22 (Dr.Web), Mal/EncPk-AFN (Sophos), PWS-Zbot.gen.anm (McAfee), TROJ_LOCKSCRN.SM (Trend Micro), Crypt.BBQL (AVG), Trojan.Win32.Buzus (Ikarus), Trojan.Win32.Buzus.mssp (Kaspersky), Trojan.Win32.Inject.ewxm (Kaspersky), Trojan/Win32.Zbot (AhnLab), W32/Injector.HB (Command), W32/Urausy.B (Norman).

Explanation:

Trojan:Win32/Urausy.C may be installed on your computer by other malware, or it may arrive on your computer via a drive-by download from a compromised website.



Installation

When run, Trojan:Win32/Urausy.C drops the following files to the %AppData% folder:

  • skype.dat - a copy of the trojan
  • skype.ini - a data file the trojan uses as an "infection marker", so that only one instance of the malware runs on the infected computer (multiple instances could arouse suspicion)


Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Roaming".

Trojan:Win32/Urausy.C modifies the following registry entry to ensure its copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe,%AppData%\skype.dat"
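The persistence described above is a per-user Winlogon "Shell" value that appends the dropped copy after explorer.exe. The following is an added example (not Microsoft's or malwarePDF's code) of how a responder can check for that pattern offline: it parses a constructed `.reg` export of the HKCU Winlogon key, splits the Shell value into its comma-separated programs, and flags anything other than a bare explorer.exe, rating an entry as high severity when its file name matches the names dropped by Urausy.C. The export text, the user name and the file paths in it are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Key and value the trojan modifies (from the description above).
WINLOGON_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
# File names the trojan drops into %AppData% (from the description above).
DROPPED_FILES = {"skype.dat", "skype.ini"}

# Constructed .reg export of an infected profile (not captured from a real host).
# In .reg syntax a backslash inside a string is written as "\\".
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\alice\\AppData\\Roaming\\skype.dat"
"ParseAutoexec"="1"
'''

# Constructed export of a profile whose Shell value is the normal default.
CLEAN_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
'''

# "Name"="string data" lines; dword/hex values are deliberately not matched.
_STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    """Undo .reg string escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Parse string values from a .reg export into {key_path: {value_name: data}}."""
    values = {}
    current_key = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            values.setdefault(current_key, {})
            continue
        match = _STRING_VALUE_RE.match(line)
        if match and current_key is not None:
            values[current_key][_unescape(match.group(1))] = _unescape(match.group(2))
    return values


def shell_entries(shell_data):
    """Split a Winlogon Shell value into the programs Winlogon will launch."""
    return [part.strip() for part in shell_data.split(",") if part.strip()]


def find_winlogon_shell_anomalies(reg_text):
    """Return Shell entries under the HKCU Winlogon key other than explorer.exe.

    The default shell is a bare explorer.exe; a per-user Shell value that adds a
    second program is a persistence sign on its own, and a second program whose
    file name matches one of the dropped files is a strong Urausy.C indicator.
    """
    values = parse_reg_export(reg_text)
    shell = values.get(WINLOGON_KEY, {}).get("Shell")
    if shell is None:
        return []
    findings = []
    for entry in shell_entries(shell):
        file_name = PureWindowsPath(entry).name.lower()
        if file_name == "explorer.exe":
            continue
        severity = "high" if file_name in DROPPED_FILES else "review"
        findings.append({"entry": entry, "severity": severity})
    return findings


if __name__ == "__main__":
    for label, export in (("infected", SAMPLE_REG_EXPORT), ("clean", CLEAN_REG_EXPORT)):
        print(label, find_winlogon_shell_anomalies(export))
```

On a live host the same check can be fed the output of `reg export "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`; the parser ignores non-string values, so an export containing dword entries is handled without special cases.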



Payload

Prevents you from accessing your desktop

When run, Trojan:Win32/Urausy.C displays a full-screen message that covers all other windows, rendering your computer unusable (this full-screen message is also known as a "lock screen"). The message is a fake warning pretending to be from a legitimate institution.

The message demands the payment of a fine for the supposed possession of illicit material.

Paying the "fine" will not necessarily return your computer to a usable state, so this is not advisable.

The screen may appear similar to the following image, which impersonates the Federal Bureau of Investigation (FBI) of the United States Department of Justice:



Connects to remote servers

In the wild, we have observed Trojan:Win32/Urausy.C sending information about your computer to, and downloading the lock screen messages from, the following URLs:

  • ckza.ru
  • efdp.su

Additional information
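The two domains listed above are the network indicators this description provides. As an added example (not Microsoft's or malwarePDF's code), the script below matches constructed DNS query log lines against that list. It compares DNS labels rather than substrings, so a subdomain such as update.efdp.su is a hit while lookalikes such as ckza.ru.example.com or notckza.ru are not. The log format ("timestamp client qname") and every line in it are constructed for the example; the domains were observed at the time of the description and should be treated as dated indicators.

```python
# Domains the description reports Urausy.C contacting.
URAUSY_DOMAINS = {"ckza.ru", "efdp.su"}

# Constructed DNS query log (not real telemetry): "timestamp client qname".
SAMPLE_DNS_LOG = """2013-02-11T10:01:02Z 10.0.0.15 www.microsoft.com
2013-02-11T10:01:09Z 10.0.0.15 ckza.ru
2013-02-11T10:01:10Z 10.0.0.22 update.efdp.su
2013-02-11T10:01:11Z 10.0.0.22 ckza.ru.example.com
2013-02-11T10:01:12Z 10.0.0.31 notckza.ru
2013-02-11T10:01:13Z 10.0.0.31 EFDP.SU.
"""


def domain_matches(qname, watchlist):
    """True if qname equals a watchlist domain or is a subdomain of one.

    Matching is done on whole DNS labels (case-insensitive, trailing dot
    ignored), so "notckza.ru" does not match "ckza.ru".
    """
    labels = qname.lower().rstrip(".").split(".")
    for start in range(len(labels)):
        if ".".join(labels[start:]) in watchlist:
            return True
    return False


def find_dns_hits(log_text, watchlist=URAUSY_DOMAINS):
    """Return (timestamp, client, qname) for each query to a watchlisted domain."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:          # skip blank or malformed lines
            continue
        timestamp, client, qname = fields
        if domain_matches(qname, watchlist):
            hits.append((timestamp, client, qname))
    return hits


if __name__ == "__main__":
    for hit in find_dns_hits(SAMPLE_DNS_LOG):
        print(*hit)
```

The hits give the client addresses to triage for the dropped files and the Winlogon Shell change described under Installation.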

We have observed Trojan:Win32/Urausy.C using the legitimate payment and financial transfer service "Green Dot MoneyPak".

Note: This provider is not affiliated with Trojan:Win32/Urausy.C.

If you believe you are a victim of fraud involving this service, you should contact them along with your local authorities.

Please also see the following Microsoft advisory for additional advice:

  • What to do if you are a victim of fraud




Analysis by Marianne Mallen

Last update 11 February 2013
