Win32/Reveton [Threat Name]
Win32/Reveton.U [Threat Variant Name]
Category | trojan
Aliases | Trojan-Ransom.Win32.Foreign.gihu (Kaspersky), Trojan:Win32/Reveton (Microsoft)
Short description
Win32/Reveton.U is a trojan that blocks access to the Windows operating system. To regain access, the user is instructed to pay a certain amount of money through the Paysafecard or Ukash prepaid payment services and submit the payment details (voucher code) in the lock screen. The trojan is probably a component of other malware.
Installation
When executed, the trojan copies itself into the following location:
- %temp%\%variable1%.bfg
The trojan creates the following file:
- %startup%\%variable3%.lnk
This causes the trojan to be executed every time the user logs on (the Startup folder is processed at logon, not when individual applications start).
The trojan may create the following files:
- %temp%\78657465w3ert.txt
- %temp%\%variable2%.js
- %temp%\%variable2%.pad
A string with variable content is used instead of %variable1%, %variable2% and %variable3%.
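The persistence mechanism above can be checked on a suspect host. The following script is an added example, not part of the ESET description: since the file names (%variable1%.bfg, %variable3%.lnk) are random, it keys on location and extension, looking for a shortcut in the user's Startup folder that launches a .bfg file under %TEMP%. Whether the shortcut points at the .bfg directly or passes it as an argument (for example to rundll32.exe) is not stated in the description, so both the shortcut target and its argument string are inspected; this, and running the script as the affected user, are assumptions.

```powershell
# Added example, not part of the ESET description. Assumption: run in the context of
# the affected user, so %TEMP% and the Startup folder resolve to that user's paths.

$startup = [Environment]::GetFolderPath('Startup')          # per-user Startup folder
$temp    = [IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')
$wsh     = New-Object -ComObject WScript.Shell              # resolves .lnk targets

function Find-RevetonStartupShortcut {
    foreach ($lnk in Get-ChildItem -Path $startup -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        $sc     = $wsh.CreateShortcut($lnk.FullName)
        $launch = "$($sc.TargetPath) $($sc.Arguments)"
        # assumption: the .bfg may be the target itself or appear in the arguments
        $hitsTmp = $launch -match [regex]::Escape($temp)    # references the Temp directory
        $hitsBfg = $launch -match '(?i)\.bfg(\s|"|$)'       # and names a .bfg file
        if ($hitsTmp -and $hitsBfg) {
            # pull the .bfg path out of target/arguments so it can be hashed for reporting
            $bfg = [regex]::Match($launch, '(?i)"?([A-Z]:\\[^"]*?\.bfg)"?').Groups[1].Value
            [pscustomobject]@{
                Shortcut           = $lnk.FullName
                Target             = $sc.TargetPath
                Arguments          = $sc.Arguments
                BfgPath            = $bfg
                BfgSHA256          = if ($bfg -and (Test-Path -LiteralPath $bfg)) {
                                         (Get-FileHash -LiteralPath $bfg -Algorithm SHA256).Hash
                                     } else { '<missing>' }
                ShortcutCreatedUtc = $lnk.CreationTimeUtc
            }
        }
    }
}

function Find-RevetonTempArtifacts {
    # The fixed name and the two random-name extensions from the description.
    # .js files are deliberately not listed: too common in %TEMP% to be useful alone.
    Get-ChildItem -Path $env:TEMP -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq '78657465w3ert.txt' -or $_.Extension -in @('.bfg', '.pad') } |
        Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
}

Find-RevetonStartupShortcut | Format-List
Find-RevetonTempArtifacts   | Format-Table -AutoSize
```

The shortcut's creation time is worth recording alongside the hash: it usually brackets the infection time more reliably than the timestamps of the .bfg itself, which may be copied with its original times preserved.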
The trojan executes the following files:
- iexplore.exe
- setup_wm.exe
- rundll32.exe
The trojan can create and run a new thread with its own program code within the following processes:
- iexplore.exe
- setup_wm.exe
- rundll32.exe
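Live triage of the three image names above, as an added example that is not part of the ESET description. Nothing in it proves injection; it surfaces the instances worth a closer look by showing each one's parent and command line and flagging a .bfg or %TEMP% reference. The parent-process expectations (iexplore.exe normally started by explorer.exe or another iexplore.exe, setup_wm.exe rarely running on its own, rundll32.exe normally carrying a DLL argument) are assumptions for a typical workstation, not facts from the description.

```powershell
# Added example, not part of the ESET description. Heuristics marked "assumption"
# are workstation conventions, not indicators given in the threat description.

$targets = 'iexplore.exe', 'setup_wm.exe', 'rundll32.exe'
$temp    = [IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')

function Get-RevetonProcessTriage {
    $all  = Get-CimInstance Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

    foreach ($p in ($all | Where-Object { $_.Name -in $targets })) {
        $parent  = $byId[[int]$p.ParentProcessId]
        $cmd     = [string]$p.CommandLine
        # strip the leading executable token (quoted or bare) to get the argument string
        $args    = $cmd -replace '^\s*("[^"]*"|\S+)\s*', ''
        $reasons = @()

        if ($cmd -match '(?i)\.bfg(\s|"|$)')   { $reasons += 'command line names a .bfg file' }
        if ($cmd -match [regex]::Escape($temp)) { $reasons += 'command line references %TEMP%' }
        if ($p.Name -eq 'rundll32.exe' -and $args -eq '') {
            $reasons += 'rundll32.exe with no arguments'            # assumption: unusual when legitimate
        }
        if ($p.Name -eq 'setup_wm.exe') {
            $reasons += 'setup_wm.exe (Windows Media Player setup) running'   # assumption: rarely runs by itself
        }
        if ($p.Name -eq 'iexplore.exe' -and $parent -and $parent.Name -notin 'explorer.exe', 'iexplore.exe') {
            $reasons += "iexplore.exe started by $($parent.Name)"   # assumption: interactive IE comes from Explorer
        }

        [pscustomobject]@{
            Pid         = $p.ProcessId
            Name        = $p.Name
            Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '<gone>' }
            Path        = $p.ExecutablePath
            CommandLine = $cmd
            Flags       = ($reasons -join '; ')
        }
    }
}

# flagged rows first
Get-RevetonProcessTriage | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize -Wrap
```

A flagged row identifies a candidate host process; confirming injected code requires a memory dump of that process (for example with procdump) and inspection of its private executable regions, which this listing does not attempt.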
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
- "NoProtectedModeBanner" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
- "1609" = 1
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1609" = 1
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
- "1609" = 1
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1609" = 1
- "2500" = 3
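The values above are Internet Explorer URL security zone settings: "1609" is "Display mixed content" (0 enable, 1 prompt, 3 disable), "2500" is Protected Mode (0 on, 3 off), and the zone subkeys are 0 = My Computer, 1 = Local intranet, 2 = Trusted sites, 3 = Internet. NoProtectedModeBanner = 1 suppresses the information bar IE shows when Protected Mode is off. So the combination turns Protected Mode off in every zone and hides the fact from the user. The following audit is an added example, not part of the ESET description; the repair step only re-enables Protected Mode for the Internet zone (its shipped default) and removes the banner suppression, because the other zones' defaults differ per zone.

```powershell
# Added example, not part of the ESET description.

$zonesBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ieMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet' }

function Get-RevetonIeZoneAudit {
    foreach ($z in 0..3) {
        $key = Join-Path $zonesBase $z
        $p   = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Zone               = "$z ($($zoneNames[$z]))"
            MixedContent_1609  = $p.'1609'     # 0 enable, 1 prompt, 3 disable
            ProtectedMode_2500 = $p.'2500'     # 0 on, 3 off
            MatchesReveton     = ($null -ne $p -and $p.'1609' -eq 1 -and $p.'2500' -eq 3)
        }
    }
}

function Get-RevetonIeBannerAudit {
    $v = (Get-ItemProperty -Path $ieMain -Name NoProtectedModeBanner -ErrorAction SilentlyContinue).NoProtectedModeBanner
    [pscustomobject]@{ NoProtectedModeBanner = $v; MatchesReveton = ($v -eq 1) }
}

function Repair-RevetonIeSettings {
    # Dry run unless -Apply is given. Only the Internet zone is touched here; reset the
    # remaining zones with Internet Options > Security > "Reset all zones to default
    # level" once the host is clean.
    param([switch]$Apply)
    if (-not $Apply) { Write-Warning 'dry run: pass -Apply to write the registry'; return }
    Set-ItemProperty    -Path (Join-Path $zonesBase 3) -Name '2500' -Value 0 -Type DWord
    Remove-ItemProperty -Path $ieMain -Name NoProtectedModeBanner -ErrorAction SilentlyContinue
}

$zones = Get-RevetonIeZoneAudit
$zones | Format-Table -AutoSize
Get-RevetonIeBannerAudit | Format-Table -AutoSize
if (@($zones | Where-Object MatchesReveton).Count -eq 4) {
    Write-Warning 'All four zones carry the Reveton.U combination (1609 = 1, 2500 = 3).'
}
Repair-RevetonIeSettings          # dry run; Repair-RevetonIeSettings -Apply to fix
```

Run the audit under the affected user's profile, since the keys are in HKEY_CURRENT_USER; an administrator auditing another user must load that user's hive or query HKEY_USERS\<SID> instead.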
Payload information
Win32/Reveton.U can block access to the operating system.
The trojan may display the following dialog windows: