
Trojan:Win32/Reveton


First posted on 11 September 2012.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Reveton.

Explanation:



Trojan:Win32/Reveton is a family of ransomware that targets users from certain countries. It locks your computer and displays a localized webpage that covers your desktop and demands the payment of a fine for the supposed possession of illicit material.



Installation

When run, some variants of Trojan:Win32/Reveton copy themselves to your computer using the following naming scheme:

%ALLUSERSPROFILE%\Application Data\<reverse string of the filename>.<reverse string of extension name>

For example, if the original file name is "malware.dll", the copy is named "erawlam.lld".

Note: %ALLUSERSPROFILE% refers to a variable location that is determined by the malware by querying the operating system. The default location for the All Users Profile folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\All Users\Application Data". For Windows Vista and 7, the default location is "C:\ProgramData\Application Data".

Some variants of Trojan:Win32/Reveton create the following shortcut file in the Windows startup folder to ensure the trojan loads every time you log on:

<startup folder>\ctfmon.lnk, detected as Trojan:Win32/Reveton!lnk

Note: <startup folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Startup folder for Windows 2000, XP, and 2003 is "%USERPROFILE%\Start Menu\Programs\Startup". For Windows Vista and 7, the default location is "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup".

Manually clicking the shortcut will also run the trojan.

In some older variants of Trojan:Win32/Reveton, the trojan creates a shortcut file with the file name "<random file name>.dll.lnk".
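The installation artifacts described above (a copy whose name and extension are reversed under the common profile's Application Data folder, and a ctfmon.lnk or <random file name>.dll.lnk shortcut in the Startup folder) can be hunted for with the following PowerShell script. It is an added example and not part of the Microsoft write-up. It resolves the folders through the same environment variables the write-up names; the list of extensions it reverses, and the choice to scan both the Application Data subfolder and %ALLUSERSPROFILE% itself, are assumptions based on the single "malware.dll" example given.

```powershell
# Added example, not from the Microsoft write-up: hunt for the Reveton
# installation artifacts described above.
# Assumptions: run as the logged-on user whose Startup folder should be
# checked; the extension list below is an assumption based on the single
# "malware.dll" -> "erawlam.lld" example in the write-up.

function Get-ReversedString {
    param([string]$Text)
    $chars = $Text.ToCharArray()
    [array]::Reverse($chars)
    return -join $chars
}

# PE extensions we expect to see reversed ("lld", "rcs", "lpc"). Note that
# "exe" reverses to itself, so a reversed .exe is not caught by this check.
$peExtensions = @('dll', 'scr', 'cpl')

function Find-ReversedNameFiles {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return }
    Get-ChildItem -LiteralPath $Directory -File -ErrorAction SilentlyContinue | ForEach-Object {
        $ext = $_.Extension.TrimStart('.').ToLowerInvariant()
        $reversedExt = Get-ReversedString $ext
        if ($peExtensions -contains $reversedExt) {
            [pscustomobject]@{
                Path              = $_.FullName
                # What the file was called before the malware reversed it
                ReconstructedName = (Get-ReversedString $_.BaseName) + '.' + $reversedExt
                Reason            = 'reversed extension'
            }
        }
    }
}

function Find-SuspiciousStartupShortcuts {
    param([string]$StartupFolder)
    if (-not (Test-Path -LiteralPath $StartupFolder)) { return }
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $StartupFolder -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq 'ctfmon.lnk' -or $_.Name -like '*.dll.lnk' } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                # The shortcut target points at the file the trojan launches
                Target = $shell.CreateShortcut($_.FullName).TargetPath
                Reason = 'startup shortcut name matches Reveton pattern'
            }
        }
}

# The locations the write-up describes, resolved on this host.
$dirsToScan = @(
    (Join-Path $env:ALLUSERSPROFILE 'Application Data'),
    $env:ALLUSERSPROFILE
)
$startup = [Environment]::GetFolderPath('Startup')

$findings = @($dirsToScan | ForEach-Object { Find-ReversedNameFiles -Directory $_ }) +
            @(Find-SuspiciousStartupShortcuts -StartupFolder $startup)

if ($findings.Count -eq 0) {
    Write-Output 'No Reveton-style installation artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The reversed-extension check is deliberately narrow: a shortcut that genuinely belongs in the Startup folder is unlikely to be named after ctfmon or end in .dll.lnk, and a PE file whose reversed extension is a real one is worth a second look, but the shortcut's target path is the stronger lead, since it names the file that actually runs at logon.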

Payload

Prevents you from accessing your desktop

As part of its payload, Trojan:Win32/Reveton displays a full-screen webpage that covers all other windows, rendering the computer unusable. The page is a fake warning that pretends to come from a legitimate institution and demands the payment of a fine.

Paying the "fine" will not necessarily return your computer to a usable state, so this is not advisable.

Some examples of localized images that variants of Trojan:Win32/Reveton may display are reproduced here.

An image pretending to be from New Scotland Yard, Metropolitan Police and Strathclyde Police:



An image pretending to be from the Bundespolizei, or German Federal Police, National Cyber Crimes Unit:



An image pretending to be from the Federal Bureau of Investigation, or FBI:





An image pretending to be from the Computer Crime & Intellectual Property Section of the United States Department of Justice:



An image pretending to be from the Cuerpo Nacional de Policía, or National Police Corps of Spain:



An image pretending to be from the Guardia di Finanza, or Italian Financial Guard:



Downloads and runs other malware components

Trojan:Win32/Reveton can download and run customized DLL payloads, such as the following:

  • "Lock.dll", which the trojan injects into browser processes, including the following, to display the fraudulent message:
    • chrome.exe
    • firefox.exe
    • iexplore.exe
    • opera.exe
  • "FileMem.dll", an encrypted file that may carry different payloads, including information-stealing routines, and may be detected as PWS:Win32/Reveton.


It may load these files directly into memory rather than saving them to a location on your computer.

In the wild, we have observed variants of Trojan:Win32/Reveton downloading these DLL files, images and other bundled malware from the following IP addresses and domains, using port 80 or 443:

  • 146.185.218.52
  • 146.185.255.194
  • 195.191.56.194
  • 195.208.185.33
  • 213.152.172.101
  • 58.107.26.174
  • 82.192.88.13
  • 85.143.166.132
  • 85.143.166.136
  • whatwillber.com
  • willber.com


Modifies Internet browser settings

Some variants of Trojan:Win32/Reveton may modify Internet Explorer settings by making a number of registry modifications.

Disable Internet Explorer security warnings:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "NoProtectedModeBanner"
With data: "1"

Lock the Internet Explorer toolbar:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Toolbar
Sets value: "Locked"
With data: "1"

Lower Internet zone security settings:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1609"
With data: "0"

Modifies system settings

Some variants may disable Task Manager by making the following registry modification:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "1"
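The registry values listed in the two sections above can be audited on a host with the following PowerShell script, which is an added example rather than part of the Microsoft write-up. It reads each value under HKCU and reports whether it currently holds the data Reveton sets; the key, value and data strings are taken from the write-up, and the script assumes it is run as the user whose profile is being examined.

```powershell
# Added example, not from the Microsoft write-up: audit the HKCU registry
# values the write-up lists and report which ones currently hold the data
# Reveton sets. Run as the user whose profile is being examined.

$checks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';    Name = 'NoProtectedModeBanner'; RevetonData = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar'; Name = 'Locked';                RevetonData = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; RevetonData = '1' }
)
# Value 1609 is set to 0 in all five Internet zones (0 through 4)
foreach ($zone in 0..4) {
    $checks += @{
        Key         = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        Name        = '1609'
        RevetonData = '0'
    }
}

function Test-RevetonRegistryValue {
    param([hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue
    $data = if ($null -ne $item) { $item.($Check.Name) } else { $null }
    [pscustomobject]@{
        Key     = $Check.Key
        Name    = $Check.Name
        Data    = $data
        Present = ($null -ne $data)
        # String comparison so a REG_DWORD 1 and a REG_SZ "1" are treated alike
        Matches = ($null -ne $data -and [string]$data -eq $Check.RevetonData)
    }
}

$results = $checks | ForEach-Object { Test-RevetonRegistryValue -Check $_ }
$results | Format-Table -AutoSize

$hits = @($results | Where-Object { $_.Matches })
if ($hits.Count -gt 0) {
    Write-Warning "$($hits.Count) value(s) hold the data Reveton sets; correlate with the startup-folder and process indicators before remediating."
}
```

A match is a lead, not proof on its own: "Locked" is also set when a user locks the Internet Explorer toolbars, and "DisableTaskMgr" may be set by group policy, so the findings should be correlated with the startup shortcut, the reversed-name file and the taskmgr.exe termination behaviour described elsewhere in this entry.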

Terminates processes

To prevent you from terminating the malware process, some variants of Trojan:Win32/Reveton may terminate the process "taskmgr.exe" as soon as it is run.

Related encyclopedia entries

Trojan:Win32/Reveton!lnk

PWS:Win32/Reveton



Analysis by Edgardo Diaz

Last update 11 September 2012
