
TrojanDownloader:Win32/Urausy.J


First posted on 12 May 2015.
Source: Microsoft

Aliases :

There are no other names known for TrojanDownloader:Win32/Urausy.J.

Explanation :

Threat behavior

Installation

The threat injects its code into legitimate running processes (for example, explorer.exe) or starts other system processes which it then injects its code into. It might inject code in an effort to hide its presence on your PC.

The code drops the following files in the %APPDATA% folder:

  • template.xml - copy of the threat
  • template.css - configuration file
  • template.log - data file


It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "shell"
With data: "explorer.exe,", for example "explorer.exe,%APPDATA%\template.xml"

The injected process might be detected as Ransom:Win32/Urausy.gen!A.
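The persistence mechanism above (a second entry appended to the Winlogon "Shell" value, pointing at a copy of the threat in %APPDATA%) is straightforward to check for. The following is an added example written for this page, not code from Microsoft or from the analysis; it reuses only the file names and registry value named in the write-up. The sample Shell values and folder listings in the block are constructed, and the `assess` heuristic (flag if the Shell value points at one of the dropped files, or if all three dropped files are present) is the author's own assumption, not a Microsoft detection signature.

```python
"""Check a Winlogon "Shell" value and an %APPDATA% listing for the
Urausy.J persistence described in the write-up (added example)."""
from typing import Dict, List

# File names reported as dropped in %APPDATA% by the write-up.
URAUSY_DROPPED_FILES = {"template.xml", "template.css", "template.log"}

# The only value Winlogon's Shell should carry on a default Windows install.
DEFAULT_SHELL = "explorer.exe"


def parse_shell_value(data: str) -> List[str]:
    """Split the comma-separated Shell value into entries, ignoring the empty
    entry a trailing comma leaves behind ("explorer.exe," -> ["explorer.exe"])."""
    return [entry.strip() for entry in data.split(",") if entry.strip()]


def suspicious_shell_entries(data: str) -> List[str]:
    """Return every Shell entry other than explorer.exe. Winlogon launches each
    entry at logon, so anything appended after explorer.exe runs at every logon."""
    return [e for e in parse_shell_value(data) if e.lower() != DEFAULT_SHELL]


def urausy_files_present(appdata_listing: List[str]) -> set:
    """Intersect a directory listing of %APPDATA% with the known dropped names."""
    return {name.lower() for name in appdata_listing} & URAUSY_DROPPED_FILES


def assess(shell_value: str, appdata_listing: List[str]) -> Dict[str, object]:
    """Combine both checks into one verdict (heuristic, assumption of this example)."""
    extra = suspicious_shell_entries(shell_value)
    points_to_dropped = []
    for entry in extra:
        # Keep only the file name; paths may use either separator and may
        # contain an unexpanded %APPDATA% variable, which we do not need to expand.
        basename = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in URAUSY_DROPPED_FILES:
            points_to_dropped.append(entry)
    present = sorted(urausy_files_present(appdata_listing))
    return {
        "extra_shell_entries": extra,
        "shell_points_to_dropped_file": points_to_dropped,
        "dropped_files_present": present,
        "likely_urausy": bool(points_to_dropped) or len(present) == 3,
    }


def read_live_shell_value() -> str:
    """Read HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell
    on a Windows host (the key the write-up names). Returns "" when absent."""
    import winreg  # Windows-only standard library module
    key_path = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "Shell")
            return str(value)
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    # Constructed sample inputs: a clean profile and one matching the write-up.
    clean = assess("explorer.exe", ["desktop.ini", "Microsoft", "Roaming"])
    infected = assess(r"explorer.exe,%APPDATA%\template.xml",
                      ["template.xml", "template.css", "template.log"])
    print("clean   :", clean)
    print("infected:", infected)
```

Run on a live host, `read_live_shell_value()` plus an `os.listdir(os.environ["APPDATA"])` feed `assess`. A practical caveat: on a default install the Shell value lives under HKLM, and the HKCU copy the write-up names is not set at all, so a user-level Shell value that exists is itself worth a look even when its content is only "explorer.exe".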

Payload

Contacts remote servers

The threat connects to a remote server to download other malware. We have seen it connect to the following servers:

  • 202.149.71.81
  • 37-229-54-123-broadband.kyivstar.net
  • demirco.com


Downloads other malware

We have seen this threat download the following malware from the remote server:

  • PWS:Win32/Fareit
  • TrojanSpy/Win32/Ursnif.gen!P
  • VirTool:Win32/DelfInject.gen!BQ
  • Trojan:Win32/Kovter.C - this family is known to download and install ransomware
Analysis by Jireh Sanico

Symptoms

The following could indicate that you have this threat on your PC:
  • You have these files in the %APPDATA% folder:
    • template.xml
    • template.css
    • template.log
  • You may be unable to access your PC, and instead see a message asking you for payment to access your PC

Last update 12 May 2015
