Trojan:Win32/Reveton.N
First posted on 04 January 2013.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Reveton.N.
Explanation:
Installation
Trojan:Win32/Reveton.N is usually installed on your computer as a DLL file in either the %AppData% or %Temp% folder. The file name it uses is random, and ends with either .TMP or .DLL, for example, "!d2.tmp", "!d7.tmp", or "wpbt0.dll".
It also creates a shortcut file pointing to the DLL file, enabling the DLL file to load every time the computer starts:
<startup folder>\runctf.lnk - detected as Trojan:Win32/Reveton!lnk
It also creates the following file:
%AppData%\<reverse of file name>.pad
For example, if the file name is "!d2.tmp", then this file would be "2d!.pad".
It uses this file for its payload routine.
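The file artifacts above (a random-named .tmp/.dll dropper, its reversed-name .pad companion in %AppData%, and the runctf.lnk startup shortcut) can be checked with a small triage script. The following is an added example written for this page, not Microsoft's code or a detection from the original write-up; the per-user Startup folder path used for the live run is an assumption, since the write-up only says "<startup folder>", and the sample directory listings are constructed.

```python
"""Added triage helper (not from the write-up): flag Reveton.N-style file artifacts."""
import os
import re

# The write-up describes a random file name ending in .tmp or .dll in %AppData% or %Temp%.
DROPPER_RE = re.compile(r"^[^\\/]+\.(tmp|dll)$", re.IGNORECASE)
STARTUP_LNK = "runctf.lnk"   # shortcut name from the write-up


def pad_name_for(file_name: str) -> str:
    """Name of the companion PAD file: the base name reversed, plus ".pad".
    Example from the write-up: "!d2.tmp" -> "2d!.pad"."""
    stem = os.path.splitext(file_name)[0]
    return stem[::-1] + ".pad"


def find_dropper_pad_pairs(appdata_files, temp_files):
    """Given plain file-name listings of %AppData% and %Temp%, return the
    (dropper, pad) pairs where a .tmp/.dll file has its reversed-name .pad
    companion in %AppData%. The pairing is the discriminator: a lone .tmp file
    in %Temp% means nothing on its own."""
    appdata_lower = {f.lower() for f in appdata_files}
    pairs = []
    for name in list(appdata_files) + list(temp_files):
        if DROPPER_RE.match(name):
            pad = pad_name_for(name)
            if pad.lower() in appdata_lower:
                pairs.append((name, pad))
    return pairs


def has_startup_lnk(startup_files):
    """True if the startup folder listing contains runctf.lnk (case-insensitive)."""
    return any(f.lower() == STARTUP_LNK for f in startup_files)


def triage(appdata_files, temp_files, startup_files):
    """Return human-readable findings for the three listings."""
    findings = []
    for dropper, pad in find_dropper_pad_pairs(appdata_files, temp_files):
        findings.append(f"dropper/PAD pair: {dropper} <-> {pad}")
    if has_startup_lnk(startup_files):
        findings.append(f"startup shortcut present: {STARTUP_LNK}")
    return findings


if __name__ == "__main__":
    # Constructed sample listings, not taken from a real host.
    sample_appdata = ["!d2.tmp", "2d!.pad", "notes.txt"]
    sample_temp = ["wpbt0.dll", "setup.log"]     # no 0tbpw.pad companion -> not flagged
    sample_startup = ["runctf.lnk"]
    for line in triage(sample_appdata, sample_temp, sample_startup):
        print(line)

    # Live run on Windows: read the real folders from the environment.
    # Assumption: the per-user Startup folder lives under %AppData% at the standard path.
    if os.name == "nt":
        appdata = os.environ.get("APPDATA", "")
        temp = os.environ.get("TEMP", "")
        startup = os.path.join(appdata, r"Microsoft\Windows\Start Menu\Programs\Startup")

        def listing(d):
            return os.listdir(d) if os.path.isdir(d) else []

        for line in triage(listing(appdata), listing(temp), listing(startup)):
            print("LIVE:", line)
```

The constructed sample yields exactly one pair ("!d2.tmp" with "2d!.pad") and the startup shortcut; "wpbt0.dll" is not flagged because no "0tbpw.pad" exists alongside it, which is the behaviour you want on a host full of legitimate temporary files.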
Payload
Prevents you from accessing the desktop
Trojan:Win32/Reveton.N displays a full-screen webpage that covers all other windows. The webpage may vary depending on your geographical location. To determine which country your computer is located in, Trojan:Win32/Reveton.N first connects from your computer to a remote server via port 443 or 80. Some of the servers it is known to connect to are:
- 146.185.255.219
- 31.44.184.134
- 64.191.5.37
- 66.197.250.229
Once connected, the remote server sends back data that is saved as the PAD file. This data is later decrypted, and contains the displayed webpage.
The webpages may appear similar to the following:
Webpage supposedly from the Australian Federal Police (AFP)
Webpage supposedly from the Canadian Police Cyber Crime Department
Webpage supposedly from the Dutch police
Webpage supposedly from the Spanish police
Webpage supposedly from the Swiss police
Webpage supposedly from the British Police Central e-crime Unit
Webpage supposedly from the US Department of Justice
Changes Internet Explorer settings
Trojan:Win32/Reveton.N modifies your Internet Explorer settings by creating the following registry entries:
Does not display the protected mode banner in Internet Explorer:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "NoProtectedModeBanner"
With data: "dword:00000001"
Allows mixed content to display in Internet Explorer:
In subkeys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1609"
With data: "dword:00000000"
Turns off Protected Mode:
In subkeys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "2500"
With data: "dword:00000003"
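The registry changes listed above are all DWORD values under HKCU, so they can be compared against a snapshot of the current user's hive. The following is an added example written for this page, not Microsoft's code: it encodes the subkeys, value names and data exactly as the write-up lists them, scores a snapshot against them, and on Windows reads the live values with the standard-library winreg module. The snapshot used for the demonstration run is constructed.

```python
"""Added check (not from the write-up) for the IE registry changes Reveton.N makes."""
import os

IE_MAIN = r"Software\Microsoft\Internet Explorer\Main"
ZONES = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"

# (subkey relative to HKCU, value name, DWORD data) exactly as listed in the write-up.
INDICATORS = [(IE_MAIN, "NoProtectedModeBanner", 1)]                       # banner hidden
INDICATORS += [(f"{ZONES}\\{z}", "1609", 0) for z in (0, 1, 2, 3, 4)]      # mixed content allowed
INDICATORS += [(f"{ZONES}\\{z}", "2500", 3) for z in (0, 2, 3, 4)]         # Protected Mode off


def match_indicators(snapshot):
    """snapshot: {subkey: {value_name: dword_data}} for HKCU.
    Returns the (subkey, value, data) triples whose data matches the write-up."""
    hits = []
    for subkey, value, data in INDICATORS:
        if snapshot.get(subkey, {}).get(value) == data:
            hits.append((subkey, value, data))
    return hits


def score(snapshot):
    """(matched, total) so the caller can judge how complete the change set is."""
    return len(match_indicators(snapshot)), len(INDICATORS)


def constructed_snapshot():
    """A constructed HKCU snapshot that mirrors every change in the write-up;
    it is sample data, not a dump from a real host."""
    snap = {IE_MAIN: {"NoProtectedModeBanner": 1}}
    for z in range(5):
        snap[f"{ZONES}\\{z}"] = {"1609": 0}
    for z in (0, 2, 3, 4):
        snap[f"{ZONES}\\{z}"]["2500"] = 3
    return snap


def read_hkcu_snapshot():
    """Windows only: read just the listed values with winreg.
    Keys or values that do not exist are skipped rather than treated as matches."""
    import winreg
    snap = {}
    for subkey, value, _ in INDICATORS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as k:
                data, kind = winreg.QueryValueEx(k, value)
        except OSError:
            continue
        if kind == winreg.REG_DWORD:
            snap.setdefault(subkey, {})[value] = data
    return snap


if __name__ == "__main__":
    hits, total = score(constructed_snapshot())
    print(f"constructed snapshot: {hits}/{total} Reveton.N IE indicators matched")
    if os.name == "nt":
        live_hits, _ = score(read_hkcu_snapshot())
        print(f"live host: {live_hits}/{total} indicators matched")
```

A partial score is expected on some clean machines, because an administrator or Group Policy can legitimately set individual zone values; the full set of ten matches, especially together with the file artifacts from the Installation section, is what points at this trojan.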
Stops processes from running
Trojan:Win32/Reveton.N stops the Task Manager process, "taskmgr.exe", from running.
Analysis by Ricardo Robielos
Last update 04 January 2013