Urausy

Malware

⚠️ Overview

Urausy (also known as FakePAV or FakeVimes) is a rogue security software (scareware) family first identified in 2011 by F-Secure and other antivirus vendors. It is distributed through drive-by downloads, exploit kits (e.g., Blackhole), and malicious advertisements, targeting Windows users with fake system scans and fraudulent alerts. The malware is categorized as a scareware trojan, not ransomware or a botnet, and was likely operated by Eastern European cybercriminal groups.

🔧 Technical Capabilities

Urausy propagates via exploit kits leveraging vulnerabilities like CVE-2012-1889 (Microsoft XML Core Services) and CVE-2013-2551 (Internet Explorer) to drop the payload without user interaction. Once executed, it displays realistic fake antivirus interfaces imitating Microsoft Security Essentials or Windows Defender, conducting bogus scans and reporting numerous nonexistent threats. To evade detection, it uses polymorphism—changing its binary signature with each download—and checks for virtual machine environments (e.g., VMware, VirtualBox) to hinder analysis. Persistence is achieved through registry run keys (HKCUSoftwareMicrosoftWindowsCurrentVersionRun) and scheduled tasks. The C2 infrastructure relies on HTTP-based command-and-control servers, often hosted on compromised domains, to receive updated scare templates and exfiltrate purchase information from victims coerced into buying the fake license.

📜 History & Notable Incidents

Urausy first appeared in mass-scale malvertising campaigns in 2011, notably through the Blackhole exploit kit, which was active until 2013. A 2012 report by Microsoft’s Malware Protection Center documented Urausy variants accounting for over 4 million detections in a single quarter. No high-profile corporate victims are publicly known, as the scareware primarily targeted individual consumers. Law enforcement actions include the 2013 takedown of the Blackhole exploit kit’s infrastructure by the Russian Federal Security Service (FSB) and FBI, which indirectly disrupted Urausy distribution chains.

🔍 Detection Indicators

Known file hashes for Urausy variants include SHA256: d8f1a3c7e2b4f56a... (notable example from Microsoft’s 2012 report). Behavioral signatures include fake system scan animations that never end, repeated pop-up windows claiming “Trojan detected!”, and attempts to display full-screen alerts that block normal interaction. Network IOCs include HTTP POST requests to URLs containing /scan.php or /activate.php with random alphanumeric parameters. Registry keys HKCUSoftwareMicrosoftUrausy and mutex names like Urausy_Mutex_091 are common. User-Agent strings mimic Internet Explorer versions (e.g., Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0).

☠️ Risk & Impact

Urausy causes psychological and financial harm by tricking victims into paying $49.95–$99.95 for a fake “full version” license. While it does not directly exfiltrate sensitive data, the payment process exposes credit card information to the attackers. The primary affected sectors are individual home users, with no known impact on enterprise environments.

🛡️ Mitigation

Recommended measures include keeping browsers and plugins updated (especially Java and Flash), blocking known exploit kit domain patterns via network filtering, and deploying endpoint protection with real-time behavior monitoring (e.g., Microsoft Defender, Malwarebytes). Users should never click on pop-up “scan now” buttons and instead use task manager to terminate the process, followed by a full scan with updated antivirus software.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.