Win32/Reveton [Threat Name]
Win32/Reveton.A [Threat Variant Name]
Category | trojan
Size | 203776 B
Aliases | Trojan-Dropper.Win32.Injector.btki (Kaspersky), Trojan.Gen (Symantec)
Short description
Win32/Reveton.A is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to fill in sensitive information. The trojan is usually part of other malware. The file is run-time compressed using UPX.
Installation
The trojan does not create any copies of itself.
The trojan executes the following files:
- notepad.exe
- iexplore.exe
- rundll32.exe
The trojan creates and runs a new thread with its own program code within the following processes:
- notepad.exe
- iexplore.exe
- rundll32.exe
In order to be executed on every system start, the trojan creates the following file:
- %startup%\%malwarefilename%.lnk
The file is a shortcut to a malicious file.
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- "DisableTaskMgr" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
- "NoProtectedModeBanner" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
- "1609" = 0
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1609" = 0
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
- "1609" = 0
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1609" = 0
- "2500" = 3
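As an added example (not part of the original description), the following Python checks a registry export for exactly the entries listed above. It parses the text format written by `reg export` and reports which Reveton entries are present with the data the trojan sets; the sample export is constructed, not a real capture.

```python
import re

# Registry entries from the Win32/Reveton.A description: (key, value name) -> DWORD data the trojan sets.
REVETON_REG_INDICATORS = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 1,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "NoProtectedModeBanner"): 1,
}
for _zone in range(4):
    _key = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d" % _zone
    REVETON_REG_INDICATORS[(_key, "1609")] = 0
    REVETON_REG_INDICATORS[(_key, "2500")] = 3

def parse_reg_export(text):
    """Parse .reg text (as written by 'reg export HKCU out.reg') into {(key, name): int} for DWORD values.
    Keys and value names are lower-cased because registry lookups are case-insensitive."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.fullmatch(r"\[(.+)\]", line)
        if key_match:
            key = key_match.group(1).lower()
            continue
        val_match = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if val_match and key is not None:
            values[(key, val_match.group(1).lower())] = int(val_match.group(2), 16)
    return values

def find_reveton_indicators(values):
    """Return (key, name, data) for every indicator whose data matches exactly what the trojan sets."""
    return [
        (key, name, data)
        for (key, name), data in REVETON_REG_INDICATORS.items()
        if values.get((key.lower(), name.lower())) == data
    ]

# Constructed sample export: five entries match; zone 1's "1609" is 1, not the 0 the trojan sets.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoProtectedModeBanner"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1609"=dword:00000000
"2500"=dword:00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1609"=dword:00000001
"2500"=dword:00000003
"""
```

A real export written by reg.exe is UTF-16 encoded, so open it with `encoding="utf-16"` before passing its text to `parse_reg_export`; the zone entries are ordinary Internet Explorer settings an administrator may also change, so weigh the full combination together with the startup shortcut rather than any single entry.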
Payload information
Win32/Reveton.A can block access to the operating system.
The trojan displays the following fake dialog boxes:
To regain access to the operating system the user is asked to fill in sensitive information.
Other information
The following programs are terminated:
- taskmgr.exe
The trojan contains a URL from which it tries to download a file.
The downloaded files contain encrypted executables. The files are then executed.
The trojan opens the following URLs in Internet Explorer:
- http://77.%removed%.%removed%.124/