Win32/Reveton [Threat Name]

Win32/Reveton.A [Threat Variant Name]

Category: trojan
Size: 203776 B
Detection created: Dec 25, 2011
Signature database version: 6741
Aliases: Trojan-Dropper.Win32.Injector.btki (Kaspersky), Trojan.Gen (Symantec)
Short description

Win32/Reveton.A is a trojan that blocks access to the Windows operating system. To regain access to the operating system, the user is asked to fill in sensitive information. The trojan is usually a part of other malware. The file is run-time compressed using UPX.

Installation

The trojan does not create any copies of itself.


The trojan executes the following files:

  • notepad.exe
  • iexplore.exe
  • rundll32.exe

The trojan creates and runs a new thread with its own program code within the following processes:

  • notepad.exe
  • iexplore.exe
  • rundll32.exe

In order to be executed on every system start, the trojan creates the following file:

  • %startup%\%malwarefilename%.lnk

The file is a shortcut to a malicious file.


The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "NoProtectedModeBanner" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "1609" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1609" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "1609" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1609" = 0
    • "2500" = 3

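As an added defender-side check, not part of the ESET description, the following PowerShell script queries the registry values listed above and enumerates Startup-folder shortcuts together with their targets so an analyst can review them. The key and value names come from the page; the meaning of zone settings 1609 (display mixed content) and 2500 (Protected Mode) is standard Internet Explorer behaviour, and the function names are this example's own.

```powershell
# Added example: look for the registry state and Startup shortcut described
# for Win32/Reveton.A. Paths and values are taken from the ESET description.
$Indicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr'; Value = 1 },   # Task Manager disabled by policy
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
       Name = 'NoProtectedModeBanner'; Value = 1 }  # hide the Protected Mode notice
)
# Zones 0-3: 1609 = 0 allows mixed content, 2500 = 3 turns Protected Mode off.
foreach ($zone in 0..3) {
    $zonePath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
    $Indicators += @{ Path = $zonePath; Name = '1609'; Value = 0 }
    $Indicators += @{ Path = $zonePath; Name = '2500'; Value = 3 }
}

function Test-RevetonRegistry {
    # Returns one object per indicator whose current value matches the listed one.
    foreach ($i in $Indicators) {
        $current = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
        if ($null -ne $current -and $current.($i.Name) -eq $i.Value) {
            [pscustomobject]@{ Path = $i.Path; Name = $i.Name; Value = $current.($i.Name) }
        }
    }
}

function Get-StartupShortcutTargets {
    # The trojan persists via %startup%\<name>.lnk; resolve every shortcut there
    # so the analyst can see what each one actually launches.
    $startup = [Environment]::GetFolderPath('Startup')
    $shell   = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        [pscustomobject]@{
            Shortcut     = $_.FullName
            Target       = $target
            TargetExists = [bool]($target -and (Test-Path -LiteralPath $target))
        }
    }
}

$regHits = @(Test-RevetonRegistry)
Write-Host ("Matching registry values: {0} of {1}" -f $regHits.Count, $Indicators.Count)
$regHits | Format-Table -AutoSize
Write-Host 'Startup folder shortcuts:'
Get-StartupShortcutTargets | Format-Table -AutoSize
```

Individual zone values can be set legitimately by administrators, so treat DisableTaskMgr together with the full set of zone changes and an unexpected Startup shortcut as the signal, not any single value on its own.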
Payload information

Win32/Reveton.A can block access to the operating system.


The trojan displays fake dialog boxes.

To regain access to the operating system the user is asked to fill in sensitive information.

Other information

The following programs are terminated:

  • taskmgr.exe

The trojan contains a URL. It tries to download a file from that address.


The downloaded files contain encrypted executables. The files are then executed.


The trojan opens the following URLs in Internet Explorer:

  • http://77.%removed%.%removed%.124/
