Ukash Virus

Ukash Virus Description

The so-called Ukash Virus is a ransomware Trojan that takes its name from the fact that it requires its victims to use Ukash (a legitimate money transfer service) to transfer the ransom funds. This dangerous Trojan infection is composed of a Winlocker component that blocks access to the infected computer system, disabling access to its desktop, Task Manager, command line, Registry Editor and other services and applications. There are countless variants of the Ukash Virus, designed to target different countries in Europe and North America. ESG malware analysts strongly advise against paying the ransom that this malware infection tries to extort from its victims. Instead, variants of the Ukash Virus should be removed with the help of a reliable anti-malware application.

The Ukash Virus is characterized by its use of official police logos and threatening language to convince its victims that the message it displays in fact comes from the targeted country's police force. Although the Ukash Virus appears to have originated in the Russian Federation, its main targets are the various European countries. There are dozens of variants of the Ukash Virus, each targeting a specific country. Some examples of country-specific variants of the Ukash Virus include the Scotland Yards Ukash Virus, the Metropolitan Police Ukash Virus and the Strathclyde Police Ukash Virus (all three targeting computer systems in the United Kingdom), and the Fake Federal German Police (BKA) Notice and the 'Die offizielle Mitteilung des Bundeskriminalamtes' fake message infection (both targeting computer systems in Germany). Variants of the Ukash Virus have been spotted for most countries in Europe, including Spain, Italy, France, the Netherlands and Belgium.

Once the Ukash Virus infects the victim's computer, it blocks access to the infected computer's files and applications and instead displays a large message that fills the victim's screen. This message is written in the language of the targeted computer system (whose location is probably detected through its IP address) and contains logos of a law enforcement agency belonging to the targeted computer system's country. For example, variants of the Ukash Virus targeting computer systems in the United States display fake warning messages from the FBI. The message claims that the victim's computer system was involved in illegal activities, such as downloading child pornography. In it, Ukash Virus variants threaten the victim with deletion of their data and prosecution unless they pay a fine using either the Ukash or the PaySafeCard money transfer service.

Aliases: Pakes2_c.NRL [AVG], W32/Foreign.AOV!tr [Fortinet], Ransom:Win32/Urausy.E [Microsoft], TR/Urausy.230400, Troj/Ransom-AOV [Sophos], Trojan.Winlock.11647 [DrWeb], Gen:Variant.Kazy.515679 (B), Trojan-Ransom.Win32.Foreign.lhds [Kaspersky], Win32:Hoblig-B [Heur] [Avast], TROJ_GEN.R047H09LD14, Trojan ( 004b24781 ) [K7AntiVirus], RDN/Suspicious.bfr!bh [McAfee], Gen:Variant.Kazy.515679, Trojan.Win32.Tracur.BAM and Downloader.Generic14.DSF [AVG].

Technical Information

File System Details

Ukash Virus creates the following file(s):

Registry Details

Ukash Virus creates the following registry entry or registry entries:
Regexp file mask
%AllUsersProfile%\Local Settings\Temp\[RANDOM CHARACTERS].pif


One Comment

  • Rhys Hunt:

    Hi, I would like to know how to get rid of the Ukash virus from a Sony C1505
