Ransom:Win32/Urausy.C


Microsoft security software detects and removes this threat.

This threat locks your PC and displays a full-screen message, commonly called a "lock screen". If this threat asks you to pay a fee or fine, do not pay it. The message is a fraud.

It pretends to be from the FBI or a national police force and tries to scare you into paying a fine to unlock your PC.

Typically, this threat gets on your PC when you visit a hacked webpage.

You can read more about this type of malware in the Ransom:Win32/Urausy family description or on our ransomware page.

Find out ways that malware can get on your PC.



What to do now

Microsoft doesn't recommend you pay the fine. There is no guarantee that paying the ransom will unlock your PC or give you back access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

When run, Ransom:Win32/Urausy.C drops the following files to the %APPDATA% folder:

  • skype.dat - a copy of the trojan
  • skype.ini - a data file the trojan uses as an "infection marker": if it is already present, a second copy of the malware exits instead of running, so that multiple instances do not run at once and arouse suspicion

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe,%APPDATA%\skype.dat"

Winlogon honors a per-user "Shell" value in this subkey in preference to the machine-wide default under HKLM. Because the data still begins with explorer.exe, the desktop starts normally and the trojan is launched alongside it, which is why the lock screen appears after every sign-in.

Payload

Prevents you from using your PC

This threat displays a full-screen image that prevents you from accessing your PC. The image it shows depends on your PC's language locale.

Some of the images used by Urausy are in the Ransom:Win32/Urausy family description.

The screen may look similar to the following, which pretends to be a message from the FBI (Federal Bureau of Investigation, United States Department of Justice):

In the wild, we have observed Ransom:Win32/Urausy.C sending information about your PC to, and downloading the lock screen messages from, the following URLs:

  • ckza.ru
  • efdp.su

Additional information
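The Installation section above gives two host indicators (the per-user Winlogon "Shell" value and the two files in %APPDATA%), and the list above gives two network indicators. The following PowerShell script is an added triage example, not Microsoft's own tooling or part of the original page: it reports all four indicators so you can confirm an infection before cleaning, and offers a preview-able remediation for the persistence hook. The function names (Get-UrausyIndicators, Restore-WinlogonShell) are this example's own. Because the hijacked Shell value is read at normal sign-in, run it from Safe Mode with Command Prompt (which uses the SafeBoot AlternateShell instead) or from another administrator account rather than from the locked session.

```powershell
# Added triage example for the Ransom:Win32/Urausy.C indicators described on this page.
# Checks the per-user Winlogon "Shell" value, the two dropped files in %APPDATA%, and the
# local DNS cache for the two observed domains. Function names are this example's own.

$WinlogonKey     = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$DroppedFiles    = @('skype.dat', 'skype.ini') | ForEach-Object { Join-Path $env:APPDATA $_ }
$ObservedDomains = @('ckza.ru', 'efdp.su')   # from the Payload section above

function Get-UrausyIndicators {
    [CmdletBinding()]
    param()

    # A clean per-user key normally has no "Shell" value at all; Winlogon then falls back
    # to the machine-wide default under HKLM. Any value here deserves a look, and an
    # "explorer.exe,<path>" pair is exactly the pattern this threat writes.
    $shell = (Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
    $shellHijacked = ($null -ne $shell) -and ($shell.Trim() -ne 'explorer.exe')

    # Hash any dropped file found so it can be submitted for analysis or matched later.
    $files = foreach ($path in $DroppedFiles) {
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{
                Path   = $path
                Size   = (Get-Item -LiteralPath $path).Length
                SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }

    # Get-DnsClientCache exists on Windows 8 / Server 2012 and later; older systems
    # (including Windows XP, which this threat targeted) fall back to ipconfig text.
    $dnsHits = @()
    if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
        $dnsHits = Get-DnsClientCache -ErrorAction SilentlyContinue |
            Where-Object { $ObservedDomains -contains $_.Entry } |
            Select-Object -ExpandProperty Entry -Unique
    } else {
        $dnsText = ipconfig /displaydns 2>$null
        $dnsHits = $ObservedDomains | Where-Object { $dnsText -match [regex]::Escape($_) }
    }

    [pscustomobject]@{
        WinlogonShell = $shell
        ShellHijacked = $shellHijacked
        DroppedFiles  = @($files)
        DnsCacheHits  = @($dnsHits)
        Suspicious    = $shellHijacked -or (@($files).Count -gt 0) -or (@($dnsHits).Count -gt 0)
    }
}

function Restore-WinlogonShell {
    # Removes the per-user override so Winlogon uses the HKLM default (explorer.exe) again.
    # Supports -WhatIf so the change can be previewed. This only removes the persistence
    # hook; the dropped files still need to be removed by a full antimalware scan.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($WinlogonKey, 'Remove per-user "Shell" value')) {
        Remove-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction Stop
    }
}

$result = Get-UrausyIndicators
$result | Format-List
if ($result.ShellHijacked) {
    Write-Warning "Per-user Winlogon Shell is '$($result.WinlogonShell)'. Preview the fix with: Restore-WinlogonShell -WhatIf"
}
```

The check deliberately flags any per-user Shell value rather than only the skype.dat string, because later variants of a lock-screen family typically change the dropped file name but keep the Winlogon technique. Deleting the value, rather than setting it to "explorer.exe", restores the default behavior exactly; a DNS cache hit on either domain is only corroborating evidence, since the cache is cleared on reboot and the domains may have been sinkholed or retired since this page was written.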

We have observed this threat using the legitimate payment and financial transfer service "Green Dot MoneyPak".

This provider is not affiliated with the threat.

If you believe you are a victim of fraud involving this service, you should contact them as well as your local authorities.

The following Microsoft advisory has more advice:

Analysis by Marianne Mallen


Symptoms

You may be unable to access your PC, and instead see an image similar to this one:


Prevention


Alert level: Severe
First detected by definition: 1.141.703.0
Latest detected by definition: 1.183.1122.0 and higher
First detected on: Nov 29, 2012
This entry was first published on: Nov 29, 2012
This entry was updated on: Aug 25, 2014

This threat is also detected as:
  • Win32/Injector.ZPB (ESET)
  • BackDoor.Andromeda.22 (Dr.Web)
  • Mal/EncPk-AFN (Sophos)
  • PWS-Zbot.gen.anm (McAfee)
  • TROJ_LOCKSCRN.SM (Trend Micro)
  • Crypt.BBQL (AVG)
  • Trojan.Win32.Buzus (Ikarus)
  • Trojan.Win32.Buzus.mssp (Kaspersky)
  • Trojan.Win32.Inject.ewxm (Kaspersky)
  • Trojan/Win32.Zbot (AhnLab)
  • W32/Injector.HB (Command)
  • W32/Urausy.B (Norman)