Win32/Reveton [Threat Name]

Win32/Reveton.AJ [Threat Variant Name]

Category trojan
Size 144384 B
Detection created May 21, 2014
Detection database version 10001
Aliases Trojan.Win32.Yakes.fhck (Kaspersky)
Short description

Win32/Reveton.AJ is a trojan which tries to download other malware from the Internet. The trojan is probably a part of other malware. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself into the following location:

  • %commonappdata%\%variable1%\%variable2%.cpp

A string with variable content is used instead of %variable1-2%.


The trojan creates the following file:

  • %startup%\autostart.lnk

The file is a shortcut to a malicious file.


This causes the trojan to be executed on every system start.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters]
    • "ServiceDll" = "%commonappdata%\%variable1%\%variable2%.cpp"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
    • "ACID" = "U000002"

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

Other information

The trojan tries to download a file from the Internet. The file is then executed.


The trojan contains a list of (2) URLs. The HTTPS protocol is used.


The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\%variable%]

A string with variable content is used instead of %variable%.


The trojan may restart the operating system.


The trojan may execute the following commands:

  • %windir%\system32\rundll32.exe %malwarefilepath%,work
  • %windir%\system32\rundll32.exe %malwarefilepath%.cpp,work2
  • %windir%\system32\regsvr32.exe -s %malwarefilepath%.cpp
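The indicators above (the Winmgmt ServiceDll pointing at a file under %commonappdata%, the autostart.lnk in the Startup folder, the ACID marker value, and rundll32/regsvr32 being handed a ".cpp" file with the exports work/work2) translate directly into host-telemetry detection rules. The following is an added example, not ESET's code or tooling: a small Python scanner that runs those rules over constructed registry, file and process-creation events. The event format, the field names and the sample paths (C:\ProgramData\xk3q\hj7w.cpp stands in for %commonappdata%\%variable1%\%variable2%.cpp) are assumptions made for this example. The ServiceDll rule treats any value outside system32\wbem (where the legitimate WMI service DLL lives) as a hijack of the Winmgmt service host.

```python
import re

# Constructed sample telemetry, not taken from the page: one event per line,
# "<type>|field=value;field=value". Malicious values mirror the indicators in
# the description; the benign lines show the rules stay quiet on normal WMI
# and rundll32 activity.
SAMPLE_EVENTS = [
    r"regset|key=HKLM\SYSTEM\ControlSet001\Services\Winmgmt\Parameters;name=ServiceDll;data=C:\ProgramData\xk3q\hj7w.cpp",
    r"regset|key=HKLM\SYSTEM\ControlSet001\Services\Winmgmt\Parameters;name=ServiceDll;data=%SystemRoot%\system32\wbem\WMIsvc.dll",
    r"regset|key=HKCU\Software\Microsoft\Windows\CurrentVersion;name=ACID;data=U000002",
    r"filecreate|path=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autostart.lnk",
    r"proc|image=C:\Windows\system32\rundll32.exe;cmdline=rundll32.exe C:\ProgramData\xk3q\hj7w.cpp,work2",
    r"proc|image=C:\Windows\system32\regsvr32.exe;cmdline=regsvr32.exe -s C:\ProgramData\xk3q\hj7w.cpp",
    r"proc|image=C:\Windows\system32\rundll32.exe;cmdline=rundll32.exe shell32.dll,Control_RunDLL",
]

# Parameters key of the WMI service (Winmgmt); its ServiceDll is what svchost loads.
WINMGMT_PARAMS = re.compile(r"\\services\\winmgmt\\parameters$", re.IGNORECASE)
# The legitimate WMI service DLL lives under system32\wbem; anything else is suspect.
LEGIT_WMI_DIR = re.compile(r"\\system32\\wbem\\[^\\]+\.dll$", re.IGNORECASE)
# A ".cpp" file passed as the module to rundll32/regsvr32 (the page's indicator).
CPP_MODULE = re.compile(r"\.cpp(?=,|\s|$)", re.IGNORECASE)
# The export names the description lists: work and work2.
EXPORTS = re.compile(r"\.cpp,(work2?)\b", re.IGNORECASE)


def parse_event(line):
    """Split '<type>|k=v;k=v' into (type, {k: v}); assumed format for this example."""
    etype, _, rest = line.partition("|")
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if "=" in kv)
    return etype, fields


def classify(line):
    """Return the list of rule names that fire on one telemetry line."""
    etype, f = parse_event(line)
    hits = []
    if etype == "regset":
        key, name, data = f.get("key", ""), f.get("name", ""), f.get("data", "")
        if (WINMGMT_PARAMS.search(key) and name.lower() == "servicedll"
                and not LEGIT_WMI_DIR.search(data)):
            hits.append("winmgmt_servicedll_hijack")
        if (key.lower().endswith(r"\software\microsoft\windows\currentversion")
                and name == "ACID"):
            hits.append("reveton_acid_marker")
    elif etype == "filecreate":
        if f.get("path", "").lower().endswith(r"\startup\autostart.lnk"):
            hits.append("startup_lnk_persistence")
    elif etype == "proc":
        image = f.get("image", "").lower().rsplit("\\", 1)[-1]
        cmd = f.get("cmdline", "")
        if image in ("rundll32.exe", "regsvr32.exe") and CPP_MODULE.search(cmd):
            hits.append(f"{image[:-4]}_loads_cpp_module")
        m = EXPORTS.search(cmd)
        if image == "rundll32.exe" and m:
            hits.append(f"rundll32_export_{m.group(1).lower()}")
    return hits


def scan(lines):
    """Map every line that triggers at least one rule to its rule names."""
    results = {}
    for line in lines:
        hits = classify(line)
        if hits:
            results[line] = hits
    return results


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_EVENTS).items():
        print(", ".join(hits), "<-", line)
```

The ServiceDll and Startup-folder rules are the ones worth keeping in a real ruleset: the ACID value and the export names are specific to this variant, while a service DLL outside system32 or a rundll32 module with a non-DLL extension catches the same persistence technique regardless of the file names the sample picks.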
