Trojan:Win32/Reveton.A


First posted on 02 February 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Reveton.A is also known as Trojan.Win32.Reveton (Ikarus), Mal/Reveton-B (Sophos).

Explanation:

Trojan:Win32/Reveton.A is a ransomware that targets users from certain countries, similar to Trojan:Win32/Ransom.FL. Trojan:Win32/Reveton.A locks the computer and, depending on the user's current location, displays a localized webpage that covers the entire desktop of the infected computer and demands payment for the supposed possession of illicit material.





Installation

Trojan:Win32/Reveton.A arrives as a DLL file with a random name. It creates a shortcut to itself in the Windows Startup folder; the shortcut has the same base name as the DLL file but carries the .lnk extension.

When Windows starts, it executes the command associated with the shortcut, as follows:

rundll32.exe <path>\<file name>.dll, <random exported name>
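A defender-side check for the persistence pattern just described (an added example, not code from the write-up): given the name, target and arguments of each shortcut in the Startup folder, as a tool such as WScript.Shell would read them, it flags shortcuts that launch rundll32.exe on a DLL whose base name equals the shortcut's own. The shortcut entries and paths below are constructed samples.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample location; real inspection would enumerate the per-user
# and all-users Startup folders.
STARTUP_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"


@dataclass
class Shortcut:
    lnk_path: str    # full path of the .lnk file
    target: str      # TargetPath as read from the shortcut
    arguments: str   # Arguments as read from the shortcut


# Constructed sample input: one Reveton-style entry, one benign app,
# one benign rundll32 shortcut whose DLL name does not match the .lnk name.
SAMPLE_SHORTCUTS = [
    Shortcut(STARTUP_DIR + r"\kjhgfd.lnk", r"C:\Windows\System32\rundll32.exe",
             r"C:\Users\alice\AppData\Local\Temp\kjhgfd.dll, abcxyz"),
    Shortcut(STARTUP_DIR + r"\OneDrive.lnk",
             r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "/background"),
    Shortcut(STARTUP_DIR + r"\Update.lnk", r"C:\Windows\System32\rundll32.exe",
             r"C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# rundll32 argument form: [optionally quoted] <dll path> , <export name>
RUNDLL_ARGS = re.compile(r'^\s*"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)


def reveton_like(sc: Shortcut) -> bool:
    """True when the shortcut runs rundll32 on a DLL named like the .lnk itself."""
    if ntpath.basename(sc.target).lower() != "rundll32.exe":
        return False
    m = RUNDLL_ARGS.match(sc.arguments)
    if not m:
        return False
    dll_base = ntpath.splitext(ntpath.basename(m.group("dll")))[0].lower()
    lnk_base = ntpath.splitext(ntpath.basename(sc.lnk_path))[0].lower()
    return dll_base == lnk_base


def flag_startup_shortcuts(shortcuts) -> list:
    """Return the file names of shortcuts matching the Reveton persistence pattern."""
    return [ntpath.basename(s.lnk_path) for s in shortcuts if reveton_like(s)]
```

Treat a hit as a lead for triage (hash the referenced DLL, check its signer and creation time), not as a verdict on its own.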



Payload

Prevents the user from accessing the desktop

When run, Trojan:Win32/Reveton.A displays a full-screen webpage that covers all other windows, rendering the computer effectively unusable. The image is a fake warning pretending to be from a legitimate institution. It demands the payment of a supposed fine. However, even if the user pays, the computer is still left unusable.

The lock-screen images vary with the localized page shown (screenshots not reproduced here).

Downloads and executes other malware

Trojan:Win32/Reveton.A downloads and executes other malware, detected as PWS:Win32/Reveton.A.

Connects to remote servers

Trojan:Win32/Reveton.A has been seen to download the images and other bundled malware from several remote IP addresses (partially redacted in the original write-up).




Analysis by Sergey Chernyshev

Last update 02 February 2012
