When run, Ransom:Win32/Urausy.C drops the following files to the %APPDATA% folder:
- this is a copy of the trojan
- this is a data file used by the trojan as an "infection marker" to prevent multiple instances of the malware from running on the infected PC, which could arouse suspicion
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe,%APPDATA%\skype.dat"
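A defender-side check for this persistence mechanism, added here as an example and not part of the Microsoft description: it reads the Winlogon Shell value under HKCU and HKLM, splits the comma-separated list, and flags any entry other than explorer.exe, which is how the "explorer.exe,%APPDATA%\skype.dat" data above would surface. The key paths checked and the -Remediate switch are my own assumptions, and the script assumes it runs with rights to read (and, with the switch, write) those keys.

```powershell
# Added example (not from the Microsoft page): audit the Winlogon "Shell" value.
# The legitimate value is "explorer.exe"; a comma-separated extra entry such as
# "%APPDATA%\skype.dat" is the Urausy.C persistence described above.
function Get-WinlogonShellFindings {
    param(
        # Assumed locations to audit; HKCU is what the page documents, HKLM is the machine-wide default
        [string[]]$KeyPaths = @(
            'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
            'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
        ),
        # When set, resets a tampered Shell value back to the default
        [switch]$Remediate
    )
    foreach ($key in $KeyPaths) {
        $props = Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue
        if (-not $props) { continue }   # no Shell value here means Windows uses the default shell

        # Winlogon accepts a comma-separated list; every item is launched as a shell
        $entries = $props.Shell -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $tampered = $false
        foreach ($entry in $entries) {
            $expanded  = [Environment]::ExpandEnvironmentVariables($entry)
            $isDefault = ($expanded -ieq 'explorer.exe')
            if (-not $isDefault) { $tampered = $true }
            [pscustomobject]@{
                Key        = $key
                Entry      = $entry
                Expanded   = $expanded
                Suspicious = -not $isDefault
                # Whether the referenced file is still on disk (useful for triage and cleanup)
                FileExists = if ($isDefault) { $true } else { Test-Path -LiteralPath $expanded }
            }
        }
        if ($Remediate -and $tampered) {
            # Restore the default shell; the dropped file itself still needs to be removed
            Set-ItemProperty -Path $key -Name Shell -Value 'explorer.exe'
            Write-Warning "Reset Shell under $key to explorer.exe"
        }
    }
}

# Report only the entries that are not the default shell
Get-WinlogonShellFindings | Where-Object Suspicious | Format-Table -AutoSize
```

Run the audit first without -Remediate and review the flagged path; the machine is still booting the extra entry until both the registry value and the dropped file are dealt with.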
Prevents you from using your PC
This threat displays a full-screen image that prevents you from accessing your PC. The image it shows depends on your PC's language locale.
Some of the images used by Urausy are in the Ransom:Win32/Urausy family description.
The screen may appear similar to the following, which pretends to be a message from the Federal Bureau of Investigation - United States Department of Justice; the FBI:
In the wild, we have observed Ransom:Win32/Urausy.C sending information about your PC to, and downloading the lock screen messages from, the following URLs:
We have observed this threat using the legitimate payment and financial transfer service "Green Dot MoneyPak".
This provider is not affiliated with the threat.
If you believe you are a victim of fraud involving this service, you should contact them as well as your local authorities.
The following Microsoft advisory has more advice:
Analysis by Marianne Mallen
You may be unable to access your PC, and instead see an image similar to this one: