Trojan:Win32/Urausy.A

Encyclopedia entry
Updated: Nov 16, 2012  |  Published: Jul 31, 2012

Aliases
  • Backdoor.Win32.Azbreg.lui (Kaspersky)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.145.1309.0
Released: Mar 07, 2013
Detection initially created:
Definition: 1.131.1058.0
Released: Jul 31, 2012

Summary

Trojan:Win32/Urausy.A is ransomware. It prevents you from using your computer by displaying a fullscreen image pretending to be from the local authorities asking you for payment to regain access.

Symptoms

You may be unable to access your computer and instead see a fullscreen lock image claiming to be from your local police or other authorities. The image varies by country; the locations observed are listed under Payload in the Technical Information section below.

Technical Information (Analysis)

Installation

Trojan:Win32/Urausy.A has been observed to be downloaded and run by malware that exploits the vulnerability described in CVE-2012-1723 (such as Exploit:Java/CVE-2012-1723), usually when you visit a malicious or compromised website. Once it is running on your computer, it drops the following files:

  • %AppData%\msconfig.dat - detected as Trojan:Win32/Urausy.A
  • %AppData%\msconfig.ini - data file used by Trojan:Win32/Urausy.A

It also changes the following registry entry so that Winlogon launches it alongside explorer.exe each time you log on. Because the entry is under HKCU, the persistence applies only to the user account that was infected:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "shell"
With data: "explorer.exe,%AppData%\msconfig.dat"
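
The following triage script is an added example and is not part of the Microsoft encyclopedia entry. It checks the Winlogon Shell value for anything other than explorer.exe (the page's persistence indicator) and looks for the two dropped files in every user profile, optionally removing both. It assumes PowerShell 4.0 or later, an elevated session run from an account other than the locked one (the HKCU hive it reads belongs to whoever runs it), and the -Remediate switch is this script's own option, not a Windows feature.

```powershell
# Added triage script (not from the Microsoft encyclopedia entry). Checks the Winlogon
# "Shell" persistence and the dropped files described above for Trojan:Win32/Urausy.A.
# Assumptions: PowerShell 4.0 or later (for Get-FileHash), an elevated session on the
# suspect host from an account that is NOT the locked one (the HKCU hive inspected here
# belongs to whoever runs the script), and -Remediate is this script's own switch.
param([switch]$Remediate)

$winlogonKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',   # key Urausy.A modifies
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'    # machine-wide Shell, checked too
)
$findings = @()

foreach ($key in $winlogonKeys) {
    if (-not (Test-Path $key)) { continue }
    $shell = (Get-ItemProperty -Path $key -Name 'Shell' -ErrorAction SilentlyContinue).Shell
    if (-not $shell) { continue }                       # value absent: Windows uses the default shell
    # Shell is a comma-separated program list; Winlogon starts every entry, so
    # anything besides explorer.exe is an extra shell-level autostart.
    $entries = ($shell -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $extra = @($entries | Where-Object { $_ -ne 'explorer.exe' })
    if ($extra.Count -gt 0) {
        $findings += [pscustomobject]@{ Type = 'WinlogonShell'; Location = $key; Detail = $shell }
        if ($Remediate) {
            # Restore the default; dropping the second entry is what removes the persistence.
            Set-ItemProperty -Path $key -Name 'Shell' -Value 'explorer.exe'
        }
    }
}

# Dropped files from the analysis. %AppData% is per user, so look in every profile,
# not just the current one.
$names = 'msconfig.dat', 'msconfig.ini'
$candidates = foreach ($n in $names) { Join-Path $env:APPDATA $n }
$candidates += Get-ChildItem (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { $dir = $_.FullName; foreach ($n in $names) { Join-Path $dir "AppData\Roaming\$n" } }

foreach ($p in ($candidates | Where-Object { $_ } | Sort-Object -Unique)) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash   # record before deleting
        $findings += [pscustomobject]@{ Type = 'DroppedFile'; Location = $p; Detail = "SHA256=$hash" }
        if ($Remediate) { Remove-Item -LiteralPath $p -Force }
    }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'No Urausy.A indicators found.' }
```

Run it once without -Remediate to record the findings (the hash is what you would submit or compare against detections), then again with -Remediate. If you are working from Windows Defender Offline or another boot environment rather than a second account, the victim's HKCU hive is not loaded; mount it with `reg load HKU\Victim <drive>:\Users\<name>\NTUSER.DAT` and point the first key at `HKU\Victim\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` instead, unloading it with `reg unload HKU\Victim` afterwards. A Shell value that lists only explorer.exe, or is absent, is the clean state.
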

Payload

Locks your computer

Trojan:Win32/Urausy.A locks your computer so that you are unable to access anything in it. To do this, it connects to certain servers to get an image that it displays. The image depends on your location:

Lock screens pretending to be from the local authorities have been observed for the following locations:

  • United States
  • Australia (Australian Federal Police, AFP)
  • Denmark (Politi Kongeriget Danmark, the Danish police)
  • Greece (Elliniki Astynomia, the Greek police)
  • Romania (Politi Romana, the Romanian police)
  • France
  • Germany
  • Spain
  • Poland
  • Italy (Polizia Di Stato, the Italian state police)

If you're located outside these locations, a different lock screen is displayed instead.

Trojan:Win32/Urausy.A has been known to connect to the following servers to get the image:

  • tcenj.ru
  • fsbps.ru
  • cremk.ru
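
The hunting function below is an added example and is not part of the Microsoft entry. It takes the three image-server domains listed above and matches them, as whole labels, against exported DNS or web-proxy log lines, normalising the length-prefixed name encoding that Windows DNS debug logs use. Find-UrausyContacts is a name chosen for this example, and the sample log lines are constructed for illustration, not captured traffic.

```powershell
# Added hunting example (not part of the Microsoft entry). Matches the Urausy.A image
# servers listed above against exported DNS or web-proxy log lines. Find-UrausyContacts
# is a name chosen for this example; the sample lines are constructed, not real logs.
$urausyDomains = 'tcenj.ru', 'fsbps.ru', 'cremk.ru'

function Find-UrausyContacts {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string[]]$Domains = $urausyDomains
    )
    $alternatives = ($Domains | ForEach-Object { [regex]::Escape($_) }) -join '|'
    # Whole-label match: the domain itself or any subdomain of it, but not "notcremk.ru".
    $pattern = '(?i)(?<![A-Za-z0-9-])((?:[A-Za-z0-9-]+\.)*(?:' + $alternatives + '))(?![A-Za-z0-9-])'
    foreach ($line in $Lines) {
        # Windows DNS debug logs write names as (5)tcenj(2)ru(0); turn the length
        # prefixes into dots so one pattern covers both DNS and proxy formats.
        $normalized = $line -replace '\(\d+\)', '.'
        $m = [regex]::Match($normalized, $pattern)
        if ($m.Success) {
            [pscustomobject]@{ Domain = $m.Groups[1].Value.ToLowerInvariant(); Line = $line }
        }
    }
}

# Constructed sample: one DNS debug-log style query, one proxy access-log fetch, one benign line
$sampleLines = @(
    '11/20/2012 9:14:22 AM 0A0C PACKET UDP Rcv 10.0.0.23 Q [0001 D NOERROR] A (5)tcenj(2)ru(0)',
    '10.0.0.23 - - [20/Nov/2012:09:14:23 +0000] "GET http://fsbps.ru/img.php HTTP/1.1" 200 48211',
    '10.0.0.45 - - [20/Nov/2012:09:15:01 +0000] "GET http://www.microsoft.com/ HTTP/1.1" 200 1024'
)

Find-UrausyContacts -Lines $sampleLines | Format-Table -AutoSize
# Real logs: Find-UrausyContacts -Lines (Get-Content .\proxy-access.log)
```

On the constructed sample the first two lines are reported (tcenj.ru and fsbps.ru) and the microsoft.com line is not. Treat hits as retrospective evidence of which hosts fetched a lock image: the domains come from a 2012 analysis and may since have expired, been sinkholed or been re-registered by someone unrelated. Blocking them at the egress proxy stops the image download but does not remove the infection, which persists through the Winlogon Shell value described under Installation.
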

Additional information

We have observed Trojan:Win32/Urausy.A using a variety of legitimate payment and financial transfer services, including the following:

Note: These providers are not affiliated with Trojan:Win32/Urausy.A.

If you believe you are a victim of fraud involving one of these services, you should contact them along with your local authorities.

Please also see the following Microsoft advisory for additional advice:

Analysis by Shawn Wang

Prevention

Recovery

Using Windows Defender Offline

Windows Defender Offline works by allowing you to:

  • Download a copy of the tool from a computer that has access to the Internet
  • Save a copy of the recovery tool to a removable drive, in order to create bootable media
  • Run the recovery tool on a compromised computer

You might want to use Windows Defender Offline when:

  • You need to scan your computer to check for rootkits and other malware
  • You are infected with malware that prevents you from downloading and installing an antivirus or the latest updates for your antivirus software
  • Your antivirus does not detect or remove advanced malware, such as a rootkit

Note: Windows Defender Offline is not a replacement for a full antivirus solution providing ongoing protection; it is meant to be used in situations where you cannot start or otherwise effectively scan your infected computer due to a virus or other malware actively running on the computer and impeding the effective action of antimalware software. For no-cost, real-time protection that helps guard your home or small business computers against viruses, spyware, and other malicious software, download Microsoft Security Essentials.

  1. Determine if you require the 32-bit or 64-bit download.

    See the Microsoft Help and Support article for instructions on how to determine whether a computer is running a 32-bit version or 64-bit architecture of the Windows operating system.
  2. Using a computer that can connect to the internet, download the version of the Windows Defender Offline that applies to the affected computer.

    If the affected computer is a:

    - 32-bit computer, then download the 32-bit version here.
    - 64-bit computer, then download the 64-bit version here.

    Note: In order for the recovery tool to be effective, make sure you download the version that matches the architecture of the affected computer. For example, if your 64-bit desktop is affected, you will need to download the 64-bit version of the Windows Defender Offline and save it to a removable drive.
  3. Save the downloaded file to a local drive on your computer.
  4. Launch the downloaded file, and create a bootable device by following the instructions on the wizard.

    Note: We recommend creating a bootable USB or CD; if you create a bootable USB, this can be updated for future use.
  5. From the affected computer, boot from the USB or CD you created in step 4.

    Note: You may need to set the boot order in the BIOS to do this. This is device-specific, so if you are unsure, refer to your system manual or manufacturer.
  6. Follow the prompts to run a full system scan.

    Depending on the outcome of the scan, your next steps will vary. Follow the prompts from Windows Defender Offline to manage any threat detections.

Steps you can take once your computer has been cleaned

  • Install security software, such as Microsoft Security Essentials, or any number of other products that provide a complete, real-time antivirus solution.
  • Keep your antivirus up to date by making sure you have the latest definitions.
  • Use the Microsoft Safety Scanner if you suspect you are infected but are unable to confirm this with your existing antivirus solution.
