The Urausy Trojan is a screenlocker that does not allow you to access your computer or your files without a paying a ransom. When infected with this Trojan instead of seeing your normal Windows desktop when you login, you will be greeted with a screen that states illegal activity was detected and that you have been locked out of your computer until you pay a fine. This infection will display different lock screens depending on what country your computer is currently located in. It is able to detect your country by using the IP address of your computer. This guide will focus on the USA variant of the Urausy Trojan, but the steps can be used for any variant of this ransomware.
Screenshot for the USA version of the Urausy Ransomware
For more screen shots of this infection click on the image above.
There are a total of 1 images you can view.
The text of the Urausy screenlocker pretending to be from the FBI is:
Department of Justice
Federal Bureau of Investigation
ATTENTION!
IP: xxx.xxx.xxx
Country: US United States
Region: <Your State>
City: <Your City>
ISP: <Your ISP>
Operating System: <Your Windows Version>: Your Country Here
Username: <Your Login Name>
Your PC is blocked due to at least one of the reasons specified below.You have been violation Copyright and Related Rights Law (Video, Music, Software) and illegally using or distributing copyrighted content, thus infringing Article I, Section 2, Clause 8, also known as the Copyright of the Criminal Code of United States of America.
Article I, Section 2, Clause 8 of the Criminal Code provides for a fine of 2 to 5 hundred minimal wages or a deprivation of liberty for 2 to 8years.
You have been viewing or distributing prohibited Pornographic content (Child Porno/ Zoofilia and etc). Thus violating article 202 of the Criminal Code of United States of America. Article 202 of the Criminal Code provides for a deprivation of liberty for 4 to 12 years.
Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware, thus you are violating the law of Neglectful Use of Personal Computer. Article 210 of the Criminal Code provides for a fine of up to $100,000 and/or a deprivation of liberty for 4 to 9 years.
Pursuant to the amendment to the Criminal Code of United States of America of August 28, 2012, this law infringement (if it is not repeated - first time) may be considered as conditional in case you pay the fine to the State.
Fines may be paid within 72 hours after the infringement. As soon as 72 hours elapse, the possibility to pay the fine expires, and a criminal case is initiated against you automatically within the next 72 hours!
To unblock the computer, you must pay the fine through MoneyPak of $200.
Remember that this is a computer infection and that your computer has not actually been locked by the FBI or the Department of Justice. Therefore, ignore this screen and do not pay the ransom. Instead use the free removal guide below to remove the Urausy ransomware from your computer.
Threat Classification:
Advanced information:
View Urausy Trojan files.
View Urausy Trojan Registry Information.
Tools Needed for this fix:
Guide Updates:
01/31/13 - Initial guide creation
- For the first part of this removal guide you will need to use a different computer than the infected one as you will not be able to access your screen or the Internet from the infected computer.
- On a clean computer, start Internet Explorer or other web browser, and download and save the Emsisoft Emergency Kit to your desktop from the link below:
http://download1.emsisoft.com/EmsisoftEmergencyKit.zip
Please note that this is a large downloaded, so please be patient while it downloads. - When the file has finished downloading, please burn it on to a CD or save it to a USB drive so that we can transfer the file to the infected computer.
- When you have finished saving the Emergency Kit to a removable media, please reboot the infected computer. While the computer is starting please being to repeatedly tap the F8 key on your keyboard. This will open up the Advanced Boot Options screen, in Windows 7 or Vista, or theWindows Advanced Options Menu in Windows XP. The screen that you need to get to will look similar to the one below.At the above screen you will see a variety of options that can be used to boot Windows. Using the arrow keys on your keyboard, highlight the option labeled Safe Mode with Command Prompt. Once it is highlighted, click on the Enter key on your keyboard.
- Windows will now start and if you have multiple accounts or a password on your single account, you will be presented with a screen asking you to login to Windows. Please select your account and enter any password that you may have. When done, the Windows Command Prompt will open and you will see a screen similar to the one below.
The Command Prompt allows you to type commands and then press Enter on your keyboard to execute them. In this Command Prompt window, please type explorer.exe and then press Enter on your keyboard. - The Windows desktop will now appear. When the desktop appears you can then close the Command Prompt window by clicking on the X.
- Now insert your CD or USB drive and copy the EmsisoftEmergencyKit.zip that you download on your clean computer to the desktop of the infected one.
- Once the file has been copied, right click on the EmsisoftEmergencyKit.zip and select the Extract menu option. This will start the Windows compressed file extraction wizard. Follow the steps to extract the file and the Emergency Kit will be extracted to a folder calledEmsisoftEmergencyKit on your desktop. Please double-click on the EmsisoftEmergencyKit folder to open it.
- When the folder is open, double-click on the Start.exe button to launch the Emsisoft Emergency Kit. You will now be presented with a screen similar to the following:
Please click on the Emergency Kit Scanner option. When you click on this option, if you see a Windows message asking if you would like EmergencyScanner.bat to run, please allow it to do so by clicking on the Run or Yes buttons. - You will now be shown an update screen prompting you to check for an update.
Please click on the NO button as you will not be able to update the program while in Safe Mode with Command Prompt. - You will now be at the main screen for the Emsisoft Emergency Kit as shown below.
Now click on the Scan PC option in the left hand navigation menu. - You will now be at the Scan PC screen as shown below.
Select the Deep Scan option if it is not selected and then click on the Scan button to start scanning your computer. - When the Emsisoft Emergency Kit is finished scanning your computer, you may be presented with an alert box stating that you have a high-risk infection. If you see this alert, please click on the Close button and you should now be at the scan results screen as shown in the image below.
Click on the Quarantine Selected Objects button, which will remove the infections and place them in the program's quarantine. You can now close the Emsisoft Emergency Kit program. - Please reboot your computer into the normal Windows mode and when you are back at your normal Windows desktop please continue with the next step.
- As this infection is known to exploit vulnerabilities in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:
How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector
Your computer should now be free of the Urausy FBI Ransomware infection. If your current anti-virus solution let this infection through, you may want to consider purchasing the full version of Emsisoft Anti-malware to protect your computer against these types of threats in the future.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Associated Urausy Trojan Files:
%AppData%\skype.datFile Location Notes:
%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.
Associated Urausy Trojan Windows Registry Information:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,%AppData%\skype.dat"
This is a self-help guide. Use at your own risk.
BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.
If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.
No comments:
Post a Comment