Trojan:HTML/Ransom.E
First posted on 18 December 2012.
Source: Microsoft
Aliases:
There are no other names known for Trojan:HTML/Ransom.E.
Explanation:
Installation
Trojan:HTML/Ransom.E is installed by Trojan:Win32/Urausy.A. The trojan connects to a remote host in order to download the HTML page that it displays on your desktop. This page is detected as Trojan:HTML/Ransom.E.
In the wild, we've observed variants of Trojan:Win32/Urausy.A connecting to the following hosts to download this page:
- hxxp ://<removed>tvy.ru
- hxxp ://<removed>tyg.ru
- hxxp ://<removed>zd.ru
Payload
Prevents you from accessing your desktop
Trojan:Win32/Urausy.A displays this page so that it covers all other windows, rendering your computer unusable. The page contains a fake warning pretending to be from a legitimate institution which demands the payment of a fine, as in the following example:
Paying the "fine" will not necessarily return your computer to a usable state, so this is not advisable.
The following message box may appear if you input a "PIN" that passes the page's validation:
An example of Trojan:HTML/Ransom.E is reproduced below.
For more examples of these pages, please see the Trojan:Win32/Urausy.A entry.
Additional information
Payment methods
We have observed Trojan:Win32/Urausy.A using a variety of legitimate payment and financial transfer services, including the following:
- Green Dot MoneyPak
- Paysafecard
- Ukash
- Ultimate Game Card
Note: These providers are not affiliated with Trojan:Win32/Urausy.A.
If you believe you are a victim of fraud involving one of these services, you should contact them along with your local authorities.
Please also see the following Microsoft advisory for additional advice:
- What to do if you are a victim of fraud
Related encyclopedia entries
- Trojan:Win32/Urausy.A
Analysis by Jim Wang
Last update 18 December 2012