Trojan:Win32/Reveton.P


First posted on 29 January 2013.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Reveton.P.

Explanation:

Trojan:Win32/Reveton.P is a ransomware trojan that targets users from certain countries. It locks your computer and displays a localized webpage that covers your desktop and demands the payment of a fine for the supposed violation of a law.
Installation

Trojan:Win32/Reveton.P is usually installed as a result of a drive-by download attack, for example, performed by an exploit pack. Once the trojan is executed on a vulnerable computer, it creates a Windows shortcut file (.LNK) in the following folder, so that it runs when you start Windows:

%USERPROFILE%\Start Menu\Programs\StartUp\runctf.lnk - which may be detected as Trojan:Win32/Reveton!lnk

As part of its installation process, it also creates the following files:

  • %APPDATA%\<random>.pad
  • %APPDATA%\<random>.js


where <random> is the reversed form of the file name under which the DLL is stored.
Payload

Prevents you from accessing your desktop

As part of its payload, Trojan:Win32/Reveton.P displays a full-screen webpage that covers all other windows, rendering the computer unusable. The page is a fake warning that pretends to come from a legitimate institution and demands the payment of a fine.

Paying the "fine" will not necessarily return your computer to a usable state, so this is not advisable.

You can see some examples of the cover pages other Trojan:Win32/Reveton variants use in the family description.

Attempts to bypass firewalls

Trojan:Win32/Reveton.P injects code into various processes, including the following, in an effort to bypass firewalls:

  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • opera.exe


Bypassing firewalls may allow it to perform any number of actions on your computer, including, but not limited to, downloading and uploading files.

Contacts remote hosts

The trojan contacts the following remote hosts to download the webpage it displays to cover your desktop, and to download other malware components:

  • 146.185.255.219
  • 31.44.184.134
  • 31.44.184.55


Terminates processes

If the trojan detects Task Manager running on your computer, it will terminate its process; it may do this to hinder detection.

Analysis by Daniel Radu

Last update 29 January 2013
