
Ransom:Win32/Urausy.E


Microsoft security software detects and removes this threat.

This threat locks your PC and displays a full-screen message, commonly called a "lock screen".

It pretends to be from the FBI or a national police force and tries to scare you into paying a fine to unlock your PC.

See the Technical information tab for examples of the lock screen.

Typically, this threat gets on your PC when you visit a hacked webpage.

You can read more about this type of malware at the Ransom:Win32/Urausy family description or on our ransomware page.

Find out ways that malware can get on your PC.



What to do now

Microsoft doesn't recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

The trojan copies itself as cache.dat to the %APPDATA% folder.

It also changes the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe,%APPDATA%\cache.dat"
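A small check for this persistence technique, added here as an example and not part of the Microsoft page: it parses the Winlogon "Shell" value (a comma-separated program list) and flags every entry other than the default explorer.exe, which is how the appended %APPDATA%\cache.dat entry stands out. The function names and the sample value are constructed for the example; the live read uses the standard winreg module and only runs on Windows.

```python
"""Flag non-default entries in the Winlogon "Shell" value.

A clean value is just "explorer.exe". Urausy.E appends its dropped file so the
value becomes "explorer.exe,%APPDATA%\\cache.dat" and Windows starts both at logon.
"""
import sys
from typing import List, Optional

CLEAN_SHELL = "explorer.exe"
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_shell_value(value: str) -> List[str]:
    """Split the comma-separated Shell value into individual program entries."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def suspicious_shell_entries(value: str) -> List[str]:
    """Return every entry that is not exactly the default explorer.exe.

    Any extra program, or anything pointing under %APPDATA%, is a sign that
    the logon shell has been hijacked and should be investigated.
    """
    return [e for e in parse_shell_value(value) if e.lower() != CLEAN_SHELL]


def read_live_shell_value() -> Optional[str]:
    """Read HKCU Winlogon\\Shell on Windows. None if absent (absent means default)."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, WINLOGON_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "Shell")
            return str(value)
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    live = read_live_shell_value()
    # Constructed sample value (the infected form from the page) when not on Windows.
    value = live if live is not None else r"explorer.exe,%APPDATA%\cache.dat"
    flagged = suspicious_shell_entries(value)
    if flagged:
        print("Suspicious Winlogon Shell entries:", flagged)
    else:
        print("Winlogon Shell value is the default explorer.exe")
```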

Payload

Prevents you from using your PC

This threat displays a full-screen image that prevents you from accessing your PC. The image it shows depends on your PC's language locale.

Some of the images used by Urausy are in the Ransom:Win32/Urausy family description.

It downloads the image or webpage from a remote server.

The screen might appear similar to the following, which pretends to be a message from the Federal Bureau of Investigation (the FBI), Department of Defense, and USA Cyber Crime Center:

In the wild, we have observed this threat sending information about your PC to, and downloading the lock screen messages from, the URL fxvzi.ru.

Additional information

We have observed the threat using the legitimate payment and financial transfer service "Green Dot MoneyPak".

This provider is not affiliated with the people who have infected your PC with this trojan.

If you believe you are a victim of fraud involving Green Dot MoneyPak you should contact them as well as your local police or authorities.

The following Microsoft article has more advice:

Analysis by Zhitao Zhou


Symptoms

You can't access your PC, and instead see an image similar to the following:


Prevention


Alert level: Severe
First detected by definition: 1.147.1197.0
Latest detected by definition: 1.187.2269.0 and higher
First detected on: Apr 06, 2013
This entry was first published on: Apr 06, 2013
This entry was updated on: Aug 25, 2014

This threat is also detected as:
No known aliases