Trojan:Win32/Reveton.C


First posted on 26 July 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Reveton.C is also known as Packed.Win32.Krap.iu (Kaspersky), TR/Kazy.79032.1 (Avira), Win32/Reveton.H trojan (ESET), Trojan.Win32.Reveton (Ikarus), TROJ_RANSOM.SMAC (Trend Micro).

Explanation:

Trojan:Win32/Reveton.C is a trojan that modifies Internet Explorer settings and connects to certain servers.



Installation

When run, Trojan:Win32/Reveton.C copies itself to your computer using the following naming scheme:

<startup folder>\<reverse of the file name>.<reverse of extension>

For example, if the original file name is "malware.dll", the copy's name is "erawlam.lld".

Note: <startup folder> refers to a variable location that the malware determines by querying the operating system. The default location of the Startup folder for Windows XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.

It injects code into various processes, including the following, to prevent itself from being detected and removed:

  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • opera.exe


Trojan:Win32/Reveton.C creates the following shortcut file, which leads to its copy:

<startup folder>\ctfmon.lnk
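The two file-system artifacts above (the reversed-name copy and the ctfmon.lnk shortcut) can be checked from a directory listing of the per-user Startup folder. The following is an added example written for this page, not code from Microsoft or from the write-up; the function names, the MODULE_EXTS set and the sample listing are assumptions constructed for illustration.

```python
"""Triage helper for the Reveton.C Startup-folder artifacts described above."""
from pathlib import PureWindowsPath

# Extensions a Windows loadable module normally carries. A Startup-folder entry whose
# extension is one of these spelled backwards (e.g. "lld") matches the reverse-name scheme.
MODULE_EXTS = {"exe", "dll", "scr", "com"}

# Shortcut name the write-up attributes to the trojan. ctfmon.exe is a legitimate Windows
# binary, but it is not normally persisted through a .lnk in the per-user Startup folder.
SUSPECT_SHORTCUT = "ctfmon.lnk"


def reveton_copy_name(original: str) -> str:
    """Apply the naming scheme: reverse the base name and the extension separately."""
    p = PureWindowsPath(original)
    ext = p.suffix[1:]  # suffix includes the dot; strip it before reversing
    return f"{p.stem[::-1]}.{ext[::-1]}" if ext else p.stem[::-1]


def unreverse(entry: str) -> str:
    """Recover the original name from a reversed copy (reversing twice restores it)."""
    return reveton_copy_name(entry)


def scan_startup_listing(entries):
    """Return (entry, reason) pairs for names consistent with the write-up's indicators."""
    findings = []
    for entry in entries:
        name = entry.lower()
        if name == SUSPECT_SHORTCUT:
            findings.append((entry, "shortcut name used by Reveton.C in the Startup folder"))
            continue
        ext = PureWindowsPath(name).suffix[1:]
        # Palindromic extensions such as "exe" read the same reversed, so a name check
        # alone cannot separate a Reveton copy from an ordinary executable; those need
        # content inspection. Flag only extensions that are NOT a normal module
        # extension as written but ARE one when reversed.
        if ext and ext not in MODULE_EXTS and ext[::-1] in MODULE_EXTS:
            findings.append((entry, f"reversed module name; un-reversed: {unreverse(entry)}"))
    return findings


# Constructed sample listing of a per-user Startup folder (not taken from a real host).
SAMPLE_STARTUP_LISTING = [
    "desktop.ini",
    "OneNote 2010 Screen Clipper and Launcher.lnk",
    "erawlam.lld",
    "ctfmon.lnk",
]

if __name__ == "__main__":
    for entry, reason in scan_startup_listing(SAMPLE_STARTUP_LISTING):
        print(f"{entry}: {reason}")
```

On a live host the listing would come from the Startup paths given in the note above; a ctfmon.lnk hit should be followed by resolving the shortcut's target, since the write-up says the .lnk points at the reversed-name copy.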



Payload

Modifies browser settings

Trojan:Win32/Reveton.C modifies Internet Explorer settings by modifying the following registry entries:

Disables the "Protected mode is currently turned off for the Internet zone" message in Internet Explorer:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "NoProtectedModeBanner"
With data: "1"

Locks the toolbar for Internet Explorer:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Toolbar
Sets value: "Locked"
With data: "1"
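The two registry modifications above can be verified offline against a .reg export of the user's hive. The following is an added example written for this page, not Microsoft's code; it expands the page's HKCU abbreviation to HKEY_CURRENT_USER as a .reg export spells it, accepts the data "1" either as a DWORD or as a string, and the parser, function names and sample export are assumptions constructed for illustration.

```python
"""Check a .reg export for the Internet Explorer settings Reveton.C modifies."""
import re

# (subkey, value name) -> data the write-up says the trojan sets
REVETON_REGISTRY_INDICATORS = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "NoProtectedModeBanner"): 1,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar", "Locked"): 1,
}

# Matches "name"=dword:xxxxxxxx or "name"="string"; other .reg value types are ignored here.
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here into {(key, name): data}."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name, dword, string = m.groups()
            values[(key, name)] = int(dword, 16) if dword is not None else string
    return values


def check_reveton_indicators(values):
    """Return human-readable hits for every indicator whose data matches the write-up."""
    hits = []
    for (key, name), expected in REVETON_REGISTRY_INDICATORS.items():
        data = values.get((key, name))
        # The page gives the data as "1"; compare as text so dword:1 and "1" both match.
        if data is not None and str(data) == str(expected):
            hits.append(f"{key}\\{name} = {data}")
    return hits


# Constructed sample export (not from a real host); the Start Page line shows that
# unrelated values in the same key are parsed but not reported.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoProtectedModeBanner"=dword:00000001
"Start Page"="https://www.example.com/"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
"Locked"=dword:00000001
"""

if __name__ == "__main__":
    for hit in check_reveton_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(hit)
```

Both values live under HKCU, so they are per-user settings; a hit means that user's Internet Explorer profile has been tampered with, and the same two values are what a cleanup would reset.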

Contacts remote hosts

Trojan:Win32/Reveton.C may contact the following servers using port 80 or 443:

  • 213.152.172.101
  • willber.com


Commonly, malware may contact a remote host for the following purposes:

  • To confirm Internet connectivity
  • To report a new infection to its author
  • To receive configuration data or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer




Analysis by Edgardo Diaz

Last update 26 July 2012
