
You have been re-routed to the Ransom:Win32/Urausy.A write up because Trojan:Win32/Urausy.A has been renamed to Ransom:Win32/Urausy.A

Ransom:Win32/Urausy.A


Microsoft security software detects and removes this threat.

This threat locks your PC and displays a full-screen message, commonly called a "lock screen". If this threat asks you to pay a fee or fine, do not pay it. The message is a fraud.

It pretends to be from the FBI or a national police force and tries to scare you into paying a fine to unlock your PC.

Typically, this threat gets on your PC when you visit a hacked webpage.

You can read more about this type of malware in the Ransom:Win32/Urausy family description or on our ransomware page.



What to do now

Do not pay the fee or fine that this threat asks for. The message is a fraud.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

The following Microsoft software detects and removes this threat:

However, because this threat can lock your screen, you might not be able to download or run antivirus or antimalware software. If that happens, you will need to use Windows Defender Offline:

The following articles may help if you're having trouble getting the tool to work:

After you've used Windows Defender Offline, you should make sure your security software is up to date and run a full scan:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Threat behavior

Installation

This threat can be downloaded and run by malware that exploits the Java Runtime Environment vulnerability described in CVE-2012-1723 (such as Exploit:Java/CVE-2012-1723), usually when you visit a malicious or compromised website. Once it's running on your PC, it drops the following files:

  • %APPDATA%\msconfig.dat - detected as Ransom:Win32/Urausy.A
  • %APPDATA%\msconfig.ini - data file used by Ransom:Win32/Urausy.A

It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "shell"
With data: "explorer.exe,%AppData%\msconfig.dat"

Payload

Prevents you from using your PC

This threat displays a full-screen image that prevents you from accessing your PC. The image it shows depends on your PC's language locale.

Some of the images used by Urausy are in the Ransom:Win32/Urausy family description.

If you're located in the US, you may see the following image:

If you're in Australia, you may see the following image pretending to be from the Australian Federal Police (AFP):


If you're in Denmark, you may see the following image pretending to be from the Politi Kongeriget Danmark; the police of Denmark:


If you're in Greece, you may see the following image pretending to be from the Elliniki Astynomia; the Greek police:


If you're in Romania, you may see the following image pretending to be from the Politi Romana; the Romanian police:


If you're located in France, you may see the following image:

If you're located in Germany, you may see the following image:

If you're located in Spain, you may see the following image:

If you're located in Poland, you may see the following image:

If you're in Italy, you may see the following image pretending to be from the Polizia Di Stato; the Italian state police:


If you're located outside of these locations, you may see the following image:

This threat may connect to the following servers to get the image:

  • tcenj.ru
  • fsbps.ru
  • cremk.ru

Additional information

We have observed the threat using a variety of legitimate payment and financial transfer services, including the following:

These providers are not affiliated with this threat.

If you believe you are a victim of fraud involving one of these services, you should contact them along with your local authorities.

Please also see the following Microsoft advisory for additional advice:

Analysis by Shawn Wang


Symptoms

You may be unable to access your PC, and instead see any of the following images:


Prevention


Alert level: Severe
First detected by definition: 1.131.1058.0
Latest detected by definition: 1.185.1008.0 and higher
First detected on: Jul 31, 2012
This entry was first published on: Jul 31, 2012
This entry was updated on: Jun 05, 2014

This threat is also detected as:
  • Backdoor.Win32.Azbreg.lui (Kaspersky)