Trojan:Win32/Urausy.E
First posted on 12 September 2013.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Urausy.E.
Explanation:
Threat behavior
Installation
The trojan copies itself as cache.dat to the %APPDATA% folder.
It also modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe,%APPDATA%\cache.dat"
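An added triage check, not part of the Microsoft write-up: it parses the Winlogon "Shell" data in the form described above and reports every entry other than the stock explorer.exe, which is how the appended %APPDATA%\cache.dat stands out. The sample strings are constructed; the live registry read is an assumption of a Windows host and is skipped elsewhere.

```python
import sys

# On a clean machine the Shell entry is the bare explorer.exe; any extra
# comma-separated entry (or a pathed "explorer.exe") is worth a look.
EXPECTED_SHELL = "explorer.exe"

# Constructed samples: the value Urausy.E writes, and a stock value.
SAMPLE_INFECTED = r"explorer.exe,%APPDATA%\cache.dat"
SAMPLE_CLEAN = "explorer.exe"


def parse_shell_value(data):
    """Split the comma-separated Shell data into trimmed, non-empty entries."""
    return [entry.strip() for entry in data.split(",") if entry.strip()]


def find_rogue_shell_entries(data):
    """Return the entries that are not exactly explorer.exe (case-insensitive).

    Urausy.E keeps explorer.exe first so the desktop still loads, then appends
    its own dropped file; that appended entry is what this returns.
    """
    return [e for e in parse_shell_value(data) if e.lower() != EXPECTED_SHELL]


def read_live_shell_value():
    """Read HKCU's Winlogon Shell value on Windows; None elsewhere or if absent.

    The per-user value normally does not exist at all (the HKLM default
    applies), so its mere presence is already a signal on a workstation.
    """
    if sys.platform != "win32":
        return None
    import winreg  # assumption: running on a Windows host
    key_path = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
            data, _value_type = winreg.QueryValueEx(key, "Shell")
            return data
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    for label, data in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        print(f"{label}: rogue entries = {find_rogue_shell_entries(data)}")
    live = read_live_shell_value()
    if live is not None:
        print(f"live HKCU Shell: {live!r} -> {find_rogue_shell_entries(live)}")
```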
Payload
Prevents you from accessing your desktop
The trojan locks your computer by showing you a full-screen image or webpage which covers your desktop so you can't see anything else on your PC (this image or webpage is also known as a "lock screen").
The message attempts to scare you into paying a fine to unlock your computer, usually by saying you have accessed illegal material.
The claims are false, and paying the fine will not guarantee that you'll be able to use your PC again.
It downloads the image or webpage from a remote server.
The screen may appear similar to the following, which is pretending to be a message from the Federal Bureau of Investigation (the FBI), Department of Defense, and USA Cyber Crime Center:
Connects to remote servers
In the wild, we have observed Trojan:Win32/Urausy.E sending information about your computer to, and downloading the lock screen messages from, the URL fxvzi.ru.
Additional information
We have observed Trojan:Win32/Urausy.E using the legitimate payment and financial transfer service "Green Dot MoneyPak".
This provider is not affiliated with the people who have infected your PC with this trojan.
If you believe you are a victim of fraud involving Green Dot MoneyPak you should contact them as well as your local police or authorities.
The following Microsoft article has more advice:
- What to do if you are a victim of fraud
Analysis by Zhitao Zhou
Symptoms
You can't access your computer, and instead see an image similar to the following:
Last update 12 September 2013