Ransom:Win32/Urausy

This threat is distributed by various exploit kits, and is often disguised as an Adobe Flash installer or video file to trick you into downloading and running it.

In the wild, we have seen it use the following file names:

• adobeflashplayerv10.2.152.32.exe
• Incest_Porn_Movie_74.mpeg.exe
• movie1080p.mkv.exe
• video.hd.exe

The file may have a video file icon, such as:

Win32/Urausy checks if it has been loaded by a debugger (such as OllyDbg) by calling a native API such as ZwQueryInformationProcess with ProcessDebugPort as a parameter.

It the threat is being debugged, it will close or exit immediately.

The trojan also checks if your PC is running in safe mode, if it is then the trojan immediately reboots your PC.

Win32/Urausy drops a copy of itself into %APPDATA% with the file name cache.dat and sets the file's time to be the same as the file %SystemRoot%\system32\ntdll.dll.

Some older variants, such as Ransom:Win32/Urausy.A, also use the following names:

• msconfig.dat
• skype.dat

It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "shell"
With data: "explorer.exe,<threat's file and folder>", for example "explorer.exe,%APPDATA%\cache.dat"

The trojan also creates the file cache.ini in the %APPDATA% folder. This file may contain a 4-byte time counter in milliseconds. The initial counter value may be 0x1DC13000, which represents approximately 138 hours and 40 minutes.

The counter decreases by 4000 every 4 seconds when Win32/Urausy is running. When the counter has decreased completely, the trojan deletes itself. It's likely that the malware author has determined that if you haven't paid within that time, you aren't going to pay at all, so there's no point in continuing to infect your PC. 

Older variants, such as Ransom:Win32/Urausy.A, also use the following names for this file:

• msconfig.ini
• skype.ini

This threat also tries to stop the process taskmgr.exe every 10 milliseconds.

Some variants of this ransomware family are downloaded by TrojanDownloader:W97M/Adnel. Such variants install malicious Win32/Drixed family variants (TrojanDownloader:Win32/Drixed.D and Backdoor:Win32/Drixed.C). 

Payload

Prevents you from using your PC

Win32/Urausy creates a new desktop named "Temprary" and switches to it, which prevents you from having access to the default desktop.

It displays a full-screen webpage that covers all other windows, rendering your PC unusable. The image is a fake warning pretending to be from a legitimate law-enforcement agency which demands the payment of a fine. The text changes depending on the location of your PC, as determined from your IP.

Paying the "fine" will not necessarily return your PC to a usable state.

If your PC has a webcam, Win32/Urausy takes a capture from it and saves the photo to %TEMP%\cam.bmp, which may be shown in the fake law-enforcement warning.

The following are examples of some of these warnings:

A warning pretending to be from the Agence nationale de la sécurité des systèmes d'information (ANSSI; the French Network and Information Security Agency)

A warning pretending to be from the Služba Kriminální Policie a Vyšetrování (the Police of the Czech Republic): 

A warning pretending to be from the United States FBI Department of Defense Cyber Crime Center: