
Trojan:Win32/Reveton.N


First posted on 04 January 2013.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Reveton.N.

Explanation :



Installation

Trojan:Win32/Reveton.N is usually present on your computer as a DLL file in either the %AppData% or %Temp% folder. The file name is random and ends with either .tmp or .dll, for example "!d2.tmp", "!d7.tmp", or "wpbt0.dll".

It also creates a shortcut file in the Startup folder that points to the DLL, so the DLL is loaded every time the computer starts:

<startup folder>\runctf.lnk - detected as Trojan:Win32/Reveton!lnk

It also creates the following file:

%AppData%\<reverse of file name>.pad

For example, if the file name is "!d2.tmp", then this file would be "2d!.pad".

It uses this file for its payload routine.
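The naming rule above (a random-looking .tmp or .dll dropper paired with a .pad file whose name is the dropper's name reversed) is the most specific host artifact in this description. The following Python script, added here as an example and not part of the original Microsoft write-up, derives the expected .pad name and hunts for dropper/.pad pairs and the Startup shortcut. It runs against a constructed directory tree built in a temporary folder; the folder names AppData, Temp and Startup and the file contents are assumptions for the demo.

```python
"""Added example: derive Reveton.N's .pad file name and hunt for the
dropper/.pad pairs and the Startup shortcut described above.
The scan below runs against a constructed directory tree, not a live host."""
import tempfile
from pathlib import Path

DROPPER_SUFFIXES = {".tmp", ".dll"}
STARTUP_LINK = "runctf.lnk"


def pad_name(dropper_name: str) -> str:
    """'!d2.tmp' -> '2d!.pad': the file stem is reversed and '.pad' appended."""
    return Path(dropper_name).stem[::-1] + ".pad"


def find_reveton_pairs(appdata: Path, temp: Path) -> list[tuple[Path, Path]]:
    """Return (dropper, pad) pairs: a .tmp/.dll in %AppData% or %Temp%
    whose reversed-stem .pad twin exists in %AppData%."""
    pairs = []
    for folder in (appdata, temp):
        for candidate in sorted(folder.iterdir()):
            if candidate.is_file() and candidate.suffix.lower() in DROPPER_SUFFIXES:
                pad = appdata / pad_name(candidate.name)
                if pad.is_file():
                    pairs.append((candidate, pad))
    return pairs


def startup_link_present(startup: Path) -> bool:
    """True if the Startup folder holds the runctf.lnk persistence shortcut."""
    return (startup / STARTUP_LINK).is_file()


def scan_constructed_host() -> dict:
    """Build a constructed tree that mimics the infection layout and scan it."""
    root = Path(tempfile.mkdtemp())
    appdata, temp, startup = root / "AppData", root / "Temp", root / "Startup"
    for folder in (appdata, temp, startup):
        folder.mkdir()
    (appdata / "!d2.tmp").write_bytes(b"MZ")               # constructed dropper
    (appdata / "2d!.pad").write_bytes(b"\x00" * 16)        # constructed encrypted payload
    (temp / "wpbt0.dll").write_bytes(b"MZ")                # constructed dropper, no .pad twin
    (appdata / "cache.tmp").write_bytes(b"")               # benign .tmp, no twin
    (startup / STARTUP_LINK).write_bytes(b"L\x00\x00\x00")  # constructed .lnk stub
    pairs = find_reveton_pairs(appdata, temp)
    return {
        "pairs": [(dropper.name, pad.name) for dropper, pad in pairs],
        "startup_link": startup_link_present(startup),
    }


if __name__ == "__main__":
    print(scan_constructed_host())
```

On a real host, point `find_reveton_pairs` at the actual %AppData% and %Temp% paths and `startup_link_present` at the user's Startup folder; a lone .tmp or .dll without its reversed-name .pad twin (like the constructed wpbt0.dll above) is not reported, which keeps ordinary temporary files from tripping the check.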



Payload

Prevents you from accessing the desktop

Trojan:Win32/Reveton.N displays a full-screen webpage that covers all other windows. The webpage varies depending on your geographical location. To determine which country your computer is in, Trojan:Win32/Reveton.N first connects from your computer to a remote server over port 443 or 80. Some of the servers it is known to connect to are:

  • 146.185.255.219
  • 31.44.184.134
  • 64.191.5.37
  • 66.197.250.229


Once connected, the remote server sends back data that is saved as the .pad file described under Installation. This data is later decrypted and contains the webpage that is displayed.

The webpages may appear similar to the following (screenshots not reproduced here):

  • Webpage supposedly from the Australian Federal Police (AFP)
  • Webpage supposedly from the Canadian Police Cyber Crime Department
  • Webpage supposedly from the Dutch police
  • Webpage supposedly from the Spanish police
  • Webpage supposedly from the Swiss police
  • Webpage supposedly from the British Police Central e-crime Unit
  • Webpage supposedly from the US Department of Justice


Changes Internet Explorer settings

Trojan:Win32/Reveton.N modifies your Internet Explorer settings by creating the following registry entries:

Hides the Protected Mode banner in Internet Explorer:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "NoProtectedModeBanner"
With data: "dword:00000001"

Allows mixed content to display in Internet Explorer:

In subkeys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1609"
With data: "dword:00000000"

Turns off Protected Mode:

In subkeys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "2500"
With data: "dword:00000003"
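The registry values listed above are the second host artifact worth checking during triage. The following Python script, added here as an example and not part of the original Microsoft write-up, encodes the documented subkeys, value names and data and reports which of them are present with the malware's settings. The reader is injectable: on a Windows host it reads HKCU through the standard winreg module, while offline it runs against a constructed snapshot (the SNAPSHOT dictionary and the zone descriptions are assumptions for the demo).

```python
"""Added example: check Internet Explorer registry values for the
modifications attributed to Reveton.N above. The reader is injectable so
the same check runs on a live Windows host (winreg) or on a constructed
snapshot, which is what the demo uses."""
import sys
from typing import Callable, Optional

ZONES = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"
IE_MAIN = "Software\\Microsoft\\Internet Explorer\\Main"

# (subkey under HKCU, value name, data written by the malware, description)
REVETON_IE_VALUES = [(IE_MAIN, "NoProtectedModeBanner", 1, "Protected Mode banner hidden")]
# 1609 = "Display mixed content" URL action; 0 = Enable, for zones 0-4
REVETON_IE_VALUES += [(ZONES + str(z), "1609", 0, f"mixed content allowed in zone {z}")
                      for z in range(5)]
# 2500 = "Turn on Protected Mode" URL action; 3 = Disable, for zones 0, 2, 3, 4
REVETON_IE_VALUES += [(ZONES + str(z), "2500", 3, f"Protected Mode off in zone {z}")
                      for z in (0, 2, 3, 4)]

Reader = Callable[[str, str], Optional[int]]


def check_ie_settings(read: Reader) -> list[str]:
    """Return the description of every documented value found with the malware's data.
    A missing key or value reads as None and is never a finding."""
    findings = []
    for subkey, name, bad_data, description in REVETON_IE_VALUES:
        if read(subkey, name) == bad_data:
            findings.append(description)
    return findings


def winreg_reader(subkey: str, name: str) -> Optional[int]:
    """Live reader for a Windows host; absent or non-numeric values read as None."""
    import winreg  # Windows-only module, imported lazily so the file loads elsewhere
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            data, _ = winreg.QueryValueEx(key, name)
            return int(data)
    except (OSError, ValueError):
        return None


# Constructed snapshot: Internet zone (3) tampered with and banner hidden;
# zone 1 carries a value that is present but not the malware's data.
SNAPSHOT = {
    (IE_MAIN, "NoProtectedModeBanner"): 1,
    (ZONES + "3", "1609"): 0,
    (ZONES + "3", "2500"): 3,
    (ZONES + "1", "1609"): 1,
}


def snapshot_reader(subkey: str, name: str) -> Optional[int]:
    """Offline reader over the constructed snapshot."""
    return SNAPSHOT.get((subkey, name))


if __name__ == "__main__":
    reader = winreg_reader if sys.platform == "win32" else snapshot_reader
    for finding in check_ie_settings(reader):
        print(finding)
```

Read the findings with the zone numbering in mind: zone 3 is the Internet zone and zone 4 is Restricted sites, the only zones where Protected Mode is on by default, so "2500" set to 3 there is anomalous, whereas the same data in zones 0 to 2 (My Computer, Local intranet, Trusted sites) matches the default and is only corroborating. Values that are absent read as None and are not reported.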

Stops processes from running

Trojan:Win32/Reveton.N stops the Task Manager process, "taskmgr.exe", from running.



Analysis by Ricardo Robielos

Last update 04 January 2013
