
Trojan:Win32/Reveton.F


First posted on 10 September 2012.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Reveton.F.

Explanation:



Trojan:Win32/Reveton.F is a member of the Reveton family of ransomware trojans that targets users from certain countries. The trojan locks your computer and displays a localized webpage that covers your desktop, and demands the payment of a fine for the supposed possession of illicit material.



Installation

Trojan:Win32/Reveton.F is typically installed by a drive-by download attack, for example one performed by an exploit pack, or when you visit a compromised webpage.

When it runs on your computer, the trojan creates the following shortcut file in the Windows startup folder to ensure the trojan loads every time you log on:

%USERPROFILE%\Start Menu\Programs\StartUp\ctfmon.lnk - may be detected as Trojan:Win32/Reveton!lnk

It injects code into various processes, including the following, possibly in an effort to avoid detection:

  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • opera.exe


Injecting code into the above processes allows the trojan to bypass firewalls, which can then allow it to perform a series of network queries.



Payload

Prevents the user from accessing the desktop

Trojan:Win32/Reveton.F displays a full-screen webpage that covers all other windows, rendering the computer unusable. The image may be a fake warning claiming to be related to the Digital Millennium Copyright Act, demanding payment of a fine.

Paying the 'fine' will not necessarily return your computer to a usable state, so this is not advisable.

The trojan may display a webpage similar to the following; note that the examples below are displayed by another Reveton variant:





Modifies browser settings

Reveton.F modifies Internet Explorer settings by making a number of registry modifications; for example, it may:

  • Lower the Internet Explorer security settings.
  • Lower the security settings of the Internet Explorer zones:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    Sets value: "1609"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    Sets value: "1609"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    Sets value: "1609"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    Sets value: "1609"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    Sets value: "1609"
    With data: "0"
  • Disable Internet Explorer security warnings:

    In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
    Sets value: "NoProtectedModeBanner"
    With data: "1"

    In subkey: HKCU\Software\Microsoft\Internet Explorer\Toolbar
    Sets value: "Locked"
    With data: "1"
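The startup shortcut and the registry changes listed above are host artifacts a responder can check for offline. The following script is an added example, not code from the original write-up or from Microsoft: it parses a constructed `reg export`-style dump of the HKCU keys named above, looks for the zone value "1609" set to 0 (the "Display mixed content" setting), "NoProtectedModeBanner" and "Locked" set to 1, and checks a constructed Startup folder listing for ctfmon.lnk. The sample dump, the folder listing and the helper names are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the format written by `reg export` (not from a real host).
# It mirrors the modifications listed in the write-up; two zones and one benign
# value are included so the checks have something to ignore as well as to flag.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1609"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609"=dword:00000000
"1601"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoProtectedModeBanner"=dword:00000001
"Start Page"="https://example.invalid/"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
"Locked"=dword:00000001
"""

# Constructed listing of %USERPROFILE%\Start Menu\Programs\StartUp.
SAMPLE_STARTUP_DIR = ["ctfmon.lnk", "OneNote.lnk"]

# reg export writes full hive names; the write-up uses the short forms.
HIVE_ALIASES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}

ZONES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
# (key, value name, expected data) triples taken from the write-up.
REGISTRY_INDICATORS = [(f"{ZONES}\\{z}", "1609", "0") for z in range(5)] + [
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "NoProtectedModeBanner", "1"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Toolbar", "Locked", "1"),
]
STARTUP_INDICATOR = "ctfmon.lnk"

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path (lowercased): {value name (lowercased): data}}.

    dword values are decoded to decimal strings, string values are unquoted.
    Multi-line hex(...) values are not needed here and are skipped.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = (HIVE_ALIASES.get(hive, hive) + "\\" + rest).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith("dword:"):
                data = str(int(data[len("dword:"):], 16))
            elif data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            keys[current][name] = data
    return keys


def check_registry(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a description of every indicator value that matches the write-up."""
    hits = []
    for key, name, expected in REGISTRY_INDICATORS:
        if keys.get(key.lower(), {}).get(name.lower()) == expected:
            hits.append(f"{key}\\{name} = {expected}")
    return hits


def check_startup(entries: List[str]) -> List[str]:
    """Flag the ctfmon.lnk persistence shortcut in a Startup folder listing."""
    return [e for e in entries if e.lower() == STARTUP_INDICATOR]


def triage(reg_text: str, startup_entries: List[str]) -> Dict[str, List[str]]:
    return {
        "registry": check_registry(parse_reg_export(reg_text)),
        "startup": check_startup(startup_entries),
    }


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_REG_EXPORT, SAMPLE_STARTUP_DIR).items():
        print(category, findings)
```

A single zone with "1609" set to 0 can also be the result of an administrator loosening mixed-content handling, so weigh the registry hits together with the Startup shortcut rather than treating any one of them as conclusive. On a live host, `reg export HKCU\Software\Microsoft reveton.reg` produces the input format the parser expects.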


Contacts remote hosts

Trojan:Win32/Reveton.F contacts remote hosts to download the webpage it displays to cover your desktop, and to download other malware components.

For more information about the additional malware components it downloads, see the Additional information section below.

The trojan attempts to contact up to three of the following remote hosts, every 55 seconds:

  • 146.185.218.52
  • 146.185.255.194
  • 194.50.116.25
  • 195.191.56.194
  • 208.91.197.193
  • 82.192.88.13
  • whatwillber.com
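Because the trojan contacts these hosts on a fixed 55-second cycle, the traffic has a periodicity that is detectable in proxy or firewall logs even after the hosts themselves have changed. The script below is an added example, not part of the original write-up: it matches constructed log lines against the host list above, groups them by source and destination, and flags pairs whose median inter-connection gap is within a few seconds of 55. The log format, sample lines and tolerance are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

# Remote hosts listed in the write-up.
REVETON_HOSTS = {
    "146.185.218.52", "146.185.255.194", "194.50.116.25", "195.191.56.194",
    "208.91.197.193", "82.192.88.13", "whatwillber.com",
}
BEACON_SECONDS = 55   # contact interval stated in the write-up
TOLERANCE = 5         # assumed slack for log timestamp jitter

# Constructed log lines (not real traffic) in an assumed "<ISO time> <src> -> <dst>" form.
SAMPLE_LOG = """\
2012-09-10T08:00:00 10.0.0.15 -> whatwillber.com
2012-09-10T08:00:03 10.0.0.15 -> example.org
2012-09-10T08:00:55 10.0.0.15 -> whatwillber.com
2012-09-10T08:01:50 10.0.0.15 -> whatwillber.com
2012-09-10T08:02:10 10.0.0.22 -> 146.185.218.52
2012-09-10T08:02:45 10.0.0.15 -> whatwillber.com
2012-09-10T08:09:31 10.0.0.22 -> 146.185.218.52
"""
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")

Event = Tuple[datetime, str, str]
Pair = Tuple[str, str]


def parse_log(text: str) -> List[Event]:
    """Turn log lines into (timestamp, source, destination); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def ioc_hits(events: List[Event]) -> Dict[Pair, List[datetime]]:
    """Collect connection times per (source, destination) for destinations on the list."""
    by_pair: Dict[Pair, List[datetime]] = defaultdict(list)
    for ts, src, dst in events:
        if dst.lower() in REVETON_HOSTS:
            by_pair[(src, dst)].append(ts)
    return by_pair


def beaconing_pairs(by_pair: Dict[Pair, List[datetime]],
                    period: int = BEACON_SECONDS, tol: int = TOLERANCE) -> List[Pair]:
    """Flag pairs with at least three contacts whose median gap is close to the period."""
    flagged = []
    for pair, stamps in by_pair.items():
        stamps = sorted(stamps)
        if len(stamps) < 3:
            continue  # two contacts give one gap, too little to call it periodic
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if abs(median(gaps) - period) <= tol:
            flagged.append(pair)
    return flagged


def analyse(text: str) -> Dict[str, List[Pair]]:
    hits = ioc_hits(parse_log(text))
    return {"contacted": sorted(hits), "beaconing": sorted(beaconing_pairs(hits))}


if __name__ == "__main__":
    for label, pairs in analyse(SAMPLE_LOG).items():
        print(label, pairs)
```

Any contact with a listed host is worth a look, but the "beaconing" set is the stronger signal: the write-up's own timing turns a stale indicator list into a behavioural check. IP addresses from 2012 may have been reassigned since, so the periodicity logic, not the address list, is the part that stays useful.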


Terminates processes

If the trojan detects Task Manager running on your computer, it will terminate its process; it may do this to hinder detection.

Additional information

Depending on the server response, Trojan:Win32/Reveton.F can download and execute customized DLL payloads, such as Lock.dll and FileMem.dll.

Lock.dll displays a fraudulent message similar to those shown in the images above.

FileMem.dll is an additional, "paired" trojan component, which is downloaded, decrypted and executed by Trojan:Win32/Reveton.F right after Lock.dll is loaded. This component may carry different payloads; in the wild, for example, we have observed it performing data-stealing payloads.



Analysis by Sergey Chernyshev

Last update 10 September 2012
