Home / malware Trojan:Win32/Reveton.Q
First posted on 21 February 2013.
Source: MicrosoftAliases :
Trojan:Win32/Reveton.Q is also known as FBI police (other), GreenDot MoneyPak (other), Win32/Kryptik.AUOI (ESET), TR/Reveton.Q.100 (Avira), Trojan.Win32.Reveton (Ikarus).
Explanation :
Installation
Trojan:Win32/Reveton.Q may be installed on your computer by an executable file (EXE) that is also detected as Trojan:Win32/Reveton.Q. The file name of the EXE file is random, for example "5e43yher4t5syh6j.exe".
When run, the executable file drops and runs Trojan:Win32/Reveton.Q as a DLL file into any of the following folders:
- %ALLUSERSPROFILE%\Application Data\
- %TEMP%
Notes:
- %ALLUSERSPROFILE% refers to a variable location that is determined by the malware by querying the operating system. The default location for the All Users Profile folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\All Users". For Windows Vista, 7, and 8, the default location is "C:\ProgramData".
- %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for the All Users Profile folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".
The file name is random, for example "about_1.dll" or "wpbt0.dll".
The DLL file may also be injected into any of the following Internet browser processes, possibly in an effort to avoid detection:
- CHROME.EXE
- FIREFOX.EXE
- IESTART.EXE
- IEXPLORE.EXE
- OPERA.EXE
The DLL also creates the following files:
- %APPDATA%\<random>.pad - this file will contain the lock screen payload
- %APPDATA%\<random>.js - this JavaScript file runs the trojan, and is detected as Trojan:JS/Reveton.A
where <random> is a reverse of the DLL's file name. For example, if the DLL's file name is "wpbt0.dll", then these files would be "0tbpw.js" and "0tbpw.pad".
Trojan:Win32/Reveton.Q creates the following shortcut file in the Windows startup folder to ensure the trojan loads every time you log on:
- <startup folder>\runctf.lnk
This file is detected as Trojan:Win32/Reveton!lnk.
Note: <startup folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Startup folder for Windows 2000, XP, and 2003 is "%USERPROFILE%\Start Menu\Programs\Startup". For Windows Vista and 7, the default location is "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup".
Manually clicking the shortcut will also run the trojan.
Payload
Prevents you from accessing your desktop
When run, Trojan:Win32/Reveton.Q displays a full-screen message that covers all other windows, rendering your computer unusable (this full-screen message is also known as a "lock screen"). The message is a fake warning pretending to be from a legitimate institution, and may change depending on the country your computer is located in.
The message demands the payment of a fine for the supposed possession of illicit material.
Paying the "fine" will not necessarily return your computer to a usable state, so this is not advisable.
The screen may appear similar to the following, which is pretending to be from the US Immigration and Customs Enforcement (ICE) Cyber Crimes Center at the US Department of Homeland Security:
In the wild, we have observed Trojan:Win32/Reveton.Q downloading the lock screen messages and determining the location of your computer from the following URLs:
- 37.139.53.<removed>
- 66.197.217.<removed>
- 93.171.<removed>
- bladyschka.com
Modifies browser settings
Trojan:Win32/Reveton.Q also modifies Internet Explorer settings by making a number of registry modifications.
It disables Internet Explorer security warnings:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "NoProtectedModeBanner"
With data: "1"
It lowers Internet zone security settings:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1609"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1609"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1609"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1609"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1609"
With data: "0"
Terminates processes
To prevent you from terminating the malware process or undoing its changes to the registry, Trojan:Win32/Reveton.Q may terminate the processes "taskmgr.exe" and "regedit.exe".
Additional information
We have observed Trojan:Win32/Reveton.Q using a variety of legitimate payment and financial transfer services, including the following:
- Green Dot MoneyPak
- MoneyGram
Note: These providers are not affiliated with Trojan:Win32/Reveton.
If you believe you are a victim of fraud involving one of these services, you should contact them, along with your local authorities.
Related encyclopedia entries
Trojan:JS/Reveton.A
Trojan:Win32/Reveton
Trojan:Win32/Reveton!lnk
Analysis by Marianne Mallen
Last update 21 February 2013