The trojan copies itself as cache.dat to the %APPDATA% folder.
It also changes the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe,%APPDATA%\cache.dat"
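The registry change described above can be checked for directly. The following is an added example, not part of the original description: it splits the "Shell" data into its comma-separated entries and reports any that are not the stock shell. The function names and the list of expected spellings of explorer.exe are assumptions made for this example.

```python
import sys

# Subkey from the description above ("Windows NT" contains a space).
WINLOGON_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumption: only these spellings of the stock shell are treated as expected.
EXPECTED_SHELLS = {
    "explorer.exe",
    r"%systemroot%\explorer.exe",
    r"%windir%\explorer.exe",
    r"c:\windows\explorer.exe",
}

# Constructed sample: the value data this description reports.
SAMPLE_DATA = r"explorer.exe,%APPDATA%\cache.dat"


def unexpected_shell_entries(data):
    """Return the entries of a Shell value that are not the stock shell.

    Every program listed in the value is started at logon, so an entry
    appended after explorer.exe runs each time the user signs in.
    """
    findings = []
    for entry in data.split(","):
        entry = entry.strip().strip('"')
        if entry and entry.lower() not in EXPECTED_SHELLS:
            findings.append(entry)
    return findings


def read_hkcu_shell():
    """Read the current user's Shell value; None if it is not set (Windows only)."""
    import winreg  # standard library, available on Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, WINLOGON_SUBKEY) as key:
            value, _value_type = winreg.QueryValueEx(key, "Shell")
            return value
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    data = read_hkcu_shell() if sys.platform == "win32" else SAMPLE_DATA
    if data is None:
        print("HKCU Winlogon Shell is not set")
    else:
        print("Shell data:", data)
        print("Unexpected entries:", unexpected_shell_entries(data))
```

On Windows the script reads the live per-user value; elsewhere it evaluates the constructed sample so the parsing logic can be reviewed offline.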
Prevents you from using your PC
This threat displays a full-screen image that prevents you from accessing your PC. The image it shows depends on your PC's language locale.
Some of the images used by Urausy are in the Ransom:Win32/Urausy family description.
It downloads the image or webpage from a remote server.
The screen might appear similar to the following, which pretends to be a message from the Federal Bureau of Investigation (the FBI), Department of Defense, and USA Cyber Crime Center:
In the wild, we have observed this threat sending information about your PC to, and downloading the lock screen messages from, the URL fxvzi.ru.
We have observed the threat using the legitimate payment and financial transfer service "Green Dot MoneyPak".
This provider is not affiliated with the people who have infected your PC with this trojan.
If you believe you are a victim of fraud involving Green Dot MoneyPak, you should contact them as well as your local police or authorities.
The following Microsoft article has more advice:
Analysis by Zhitao Zhou
You can't access your PC, and instead see an image similar to the following: