Win32/Reveton [Threat Name]

Win32/Reveton.U [Threat Variant Name]

Category trojan
Aliases Trojan-Ransom.Win32.Foreign.gihu (Kaspersky)
  Trojan:Win32/Reveton (Microsoft)
Short description

Win32/Reveton.U is a trojan that blocks access to the Windows operating system. To regain access to the operating system, the user is asked to pay a certain amount of money via the Paysafecard or Ukash payment services. The trojan is probably a part of other malware.

Installation

When executed, the trojan copies itself into the following location:

  • %temp%\%variable1%.bfg

The trojan creates the following file:

  • %startup%\%variable3%.lnk

This causes the trojan to be executed on every system start.

The trojan may create the following files:

  • %temp%\78657465w3ert.txt
  • %temp%\%variable2%.js
  • %temp%\%variable2%.pad

A string with variable content is used in place of %variable1%, %variable2% and %variable3%.

The trojan executes the following files:

  • iexplore.exe
  • setup_wm.exe
  • rundll32.exe

The trojan can create and run a new thread with its own program code within the following processes:

  • iexplore.exe
  • setup_wm.exe
  • rundll32.exe

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "NoProtectedModeBanner" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "1609" = 1
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1609" = 1
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "1609" = 1
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1609" = 1
    • "2500" = 3
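
As an added, defender-side example that is not part of this ESET entry, the following PowerShell script checks a host for the installation and registry artifacts listed above: the .bfg copy and marker files in %temp%, a Startup-folder shortcut whose target resolves into %temp%, and the Internet Explorer settings in the Main and Zones keys. It is read-only and changes nothing. The function name Test-RevetonUArtifacts and the way the checks are combined are assumptions of this example, not ESET's own detection logic.

```powershell
# Added example, not part of the ESET description: read-only triage for the
# Win32/Reveton.U artifacts listed above. Function name and check logic are
# assumptions of this example, not ESET's detection.
function Test-RevetonUArtifacts {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]
    $temp = [System.IO.Path]::GetTempPath().TrimEnd('\')

    # 1. Dropped copy (%temp%\<random>.bfg), the .pad file and the fixed-name marker.
    foreach ($pattern in @('*.bfg', '*.pad', '78657465w3ert.txt')) {
        Get-ChildItem -Path $temp -Filter $pattern -File -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("temp artifact: $($_.FullName)") }
    }

    # 2. Persistence: a Startup-folder .lnk whose target resolves into %temp%.
    #    Legitimate startup shortcuts normally point into Program Files, not Temp.
    $startup = [Environment]::GetFolderPath('Startup')
    $wsh = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $startup -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $target = $wsh.CreateShortcut($_.FullName).TargetPath
            if ($target -and $target.StartsWith($temp, [System.StringComparison]::OrdinalIgnoreCase)) {
                $findings.Add("startup shortcut into temp: $($_.FullName) -> $target")
            }
        }

    # 3. Registry: the IE values the trojan sets, compared against the entry above.
    $ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $main = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
    if ($main -and $main.NoProtectedModeBanner -eq 1) {
        $findings.Add("$ieMain NoProtectedModeBanner = 1")
    }
    foreach ($zone in 0..3) {
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Value names are numeric strings, so they are read with quoted property access.
        if ($props.'1609' -eq 1 -and $props.'2500' -eq 3) {
            $findings.Add("$key 1609 = 1, 2500 = 3")
        }
    }

    return ,$findings   # leading comma keeps an empty list from collapsing to $null
}

$result = Test-RevetonUArtifacts
if ($result.Count -eq 0) { Write-Output 'No Win32/Reveton.U artifacts found.' }
else { $result | ForEach-Object { Write-Output $_ } }
```

Run it in the context of the affected user profile, since every path and key is per-user (HKCU, the user's Temp and Startup folders). Treat the temp and Startup findings as the primary evidence: value 2500 in a zone key is the Protected Mode setting (3 = off), and it is on by default only for the Internet zone (3) and the Restricted sites zone, so a match in zones 0 to 2 can occur on a clean system, while a match in zone 3 is the stronger of the four.
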

Payload information

Win32/Reveton.U can block access to the operating system.

The trojan may display the following dialog windows: