Trojan:Win32/Urausy.A
First posted on 25 October 2012.
Source: Microsoft
Aliases:
Trojan:Win32/Urausy.A is also known as Backdoor.Win32.Azbreg.lui (Kaspersky).
Explanation:
Trojan:Win32/Urausy.A is ransomware. It prevents you from using your computer by displaying a full-screen image that pretends to be from the local authorities and asks you for payment to regain access.
Installation
Trojan:Win32/Urausy.A has been observed being downloaded and run by malware that exploits the vulnerability described in CVE-2012-1723 (such as Exploit:Java/CVE-2012-1723), usually when you visit a malicious or compromised website. Once it is running on your computer, it drops the following files:
- %AppData%\msconfig.dat - detected as Trojan:Win32/Urausy.A
- %AppData%\msconfig.ini - data file used by Trojan:Win32/Urausy.A
It also changes the following registry entry so that it automatically runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "shell"
With data: "explorer.exe,%AppData%\msconfig.dat"
Payload
Locks your computer
Trojan:Win32/Urausy.A locks your computer so that you are unable to access anything on it. To do this, it connects to certain servers to download an image that it then displays. The image depends on your location:
- If you're located in the US, you may see a US-themed lock screen image.
- If you're located in France, you may see a France-themed lock screen image.
- If you're located in Germany, you may see a Germany-themed lock screen image.
- If you're located in Spain, you may see a Spain-themed lock screen image.
- If you're located in Poland, you may see a Poland-themed lock screen image.
- If you're located outside of these locations, you may see a generic lock screen image.
(The screenshots that accompanied the original description are not reproduced here.)
Trojan:Win32/Urausy.A has been known to connect to the following servers to get the image:
- tcenj.ru
- fsbps.ru
- cremk.ru
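The following script is an added example, not Microsoft's code, that turns the indicators in the Installation and Payload sections above into host-side checks a responder could run: it parses the Winlogon "Shell" value for any entry other than explorer.exe (the value Urausy.A extends with %AppData%\msconfig.dat), looks for the two dropped files under %AppData%, and matches DNS log lines against the three image-server domains listed above, including their subdomains. The registry read only runs on Windows; the DNS log lines at the bottom are constructed sample data, and the helper names are this example's own.

```python
"""Host-side checks for the Trojan:Win32/Urausy.A indicators described above.

Added example (not Microsoft's code). The Winlogon Shell parsing, the
dropped-file check and the DNS log matcher are this example's own helpers;
SAMPLE_DNS_LOG is constructed data, not a real capture.
"""
from __future__ import annotations

import os
import re
import sys

# Indicators taken from the description above.
DROPPED_FILES = ("msconfig.dat", "msconfig.ini")
IMAGE_SERVERS = {"tcenj.ru", "fsbps.ru", "cremk.ru"}
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def suspicious_shell_entries(shell_value: str) -> list[str]:
    """Return every entry of a Winlogon Shell value that is not plain explorer.exe.

    The value is a comma-separated list whose clean form is just "explorer.exe".
    Urausy.A appends "%AppData%\\msconfig.dat", so any extra entry (or a first
    entry that is not explorer.exe) is reported. Comparison is case-insensitive.
    """
    entries = [e.strip() for e in shell_value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != "explorer.exe"]


def read_winlogon_shell_hkcu() -> str | None:
    """Read HKCU\\...\\Winlogon\\Shell on Windows; None elsewhere or if absent.

    A per-user Shell value is itself unusual: the default shell lives under
    HKLM, so the HKCU key normally carries no Shell value at all.
    """
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, WINLOGON_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "Shell")
            return value
    except OSError:
        return None


def dropped_files_present(appdata: str) -> list[str]:
    """Return the full paths of the dropped files that exist under %AppData%."""
    return [os.path.join(appdata, name) for name in DROPPED_FILES
            if os.path.isfile(os.path.join(appdata, name))]


# Crude hostname extractor: a dotted label run ending in an alphabetic TLD,
# so bare IPv4 addresses and ISO timestamps are not picked up.
_DOMAIN_RE = re.compile(r"\b([a-z0-9.-]+\.[a-z]{2,})\b", re.IGNORECASE)


def image_server_hits(log_lines) -> list[tuple[int, str]]:
    """Return (line_number, domain) for each log line naming a known image
    server or a subdomain of one."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for dom in _DOMAIN_RE.findall(line):
            d = dom.lower().rstrip(".")
            if d in IMAGE_SERVERS or any(d.endswith("." + s) for s in IMAGE_SERVERS):
                hits.append((n, d))
    return hits


# Constructed sample DNS resolver log, not a real capture.
SAMPLE_DNS_LOG = [
    "2012-10-25T10:00:01Z client 10.0.0.5 query A www.microsoft.com",
    "2012-10-25T10:00:07Z client 10.0.0.5 query A tcenj.ru",
    "2012-10-25T10:00:09Z client 10.0.0.5 query A img.fsbps.ru",
    "2012-10-25T10:00:12Z client 10.0.0.7 query A update.example.com",
]


def main() -> int:
    findings: list[str] = []
    shell = read_winlogon_shell_hkcu()
    if shell is not None:
        for entry in suspicious_shell_entries(shell):
            findings.append(f"HKCU Winlogon Shell also launches: {entry}")
    appdata = os.environ.get("APPDATA")
    if appdata:
        findings.extend(f"dropped file present: {p}" for p in dropped_files_present(appdata))
    for n, d in image_server_hits(SAMPLE_DNS_LOG):
        findings.append(f"sample log line {n} resolved known image server {d}")
    for f in findings:
        print(f)
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run on a live Windows host, the script exits non-zero whenever the per-user Shell value names anything beyond explorer.exe or either msconfig file is found; on any platform it reports the two sample log lines that resolve listed domains. Removing the persistence means restoring the Shell value to "explorer.exe" (or deleting the per-user value) in addition to deleting the dropped files, since the Winlogon entry is what relaunches the lock screen at every logon.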
Analysis by Shawn Wang
Last update 25 October 2012