

Posted: August 14, 2012

Reveton is a ransomware Trojan that hijacks your browser to display a fake legal alert while it also locks down your computer. Because Reveton's pop-up alerts often use country-specific references to various legal agencies, Reveton may appear legitimate at first glance, but it is simply a way for criminals to milk money out of PC users by accusing them of random crimes. Standard pop-up alerts from Reveton are recognizable members of the widespread 'Ukash Virus' family, which SpywareRemove.com malware experts have noted are especially common in Europe, although other countries have also been affected by Reveton attacks. Due to its automatic startup and system-locking behavior, Reveton must be disabled before you can access anti-malware programs that could remove it, although deactivating Reveton isn't necessarily as difficult as one would assume (as noted further in this article).

Don't Be Intimidated by Reveton's Crooked Cops

Once Reveton is launched, it reveals itself through the pop-up window that it generates to cover your desktop, including the Windows taskbar. This makes it impossible for you to access shortcuts, as well as the overall Windows interface, while Reveton is open, and attempts to navigate through Reveton's pop-up window will also fail (the pop-up is an image with the URL bar disabled).

The exact image that Reveton displays in this window varies with the IP address of your PC, as Reveton attempts to find a match for your country of origin. Examples of pop-up variants that SpywareRemove.com malware researchers have noticed from Reveton include:

Besides displaying basic law enforcement-related imagery and your IP address, Reveton's pop-ups will claim that your PC is involved in illegal file-trafficking or media-viewing activities. This excuse gives Reveton a semi-plausible reason for blocking access to your computer, although SpywareRemove.com malware researchers emphasize that Reveton is unaffiliated with any form of real law enforcement.

Where Reveton's Fake Warnings Ultimately Lead

Reveton's warning messages are used strictly to frighten you into transferring a 'fee' through Ukash, Paysafecard or similar financial services. Since the fees and other legal penalties that Reveton levies against you are completely fraudulent, SpywareRemove.com malware analysts can never recommend any course of action other than finding a way to delete Reveton with all your money intact.

Removing Reveton will require that you disable Reveton's startup mechanism, which is viable through a Safe Mode boot or, in extreme cases, booting your OS from a USB drive. Competent anti-malware products should experience no real difficulty in deleting Reveton once Reveton has been prevented from launching in the first place.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Mime Type: unknown/exe

File name: C:\WINDOWS\system32\spoolsv.exe
File type: Executable File
Mime Type: unknown/exe

File name: %AppData%\Trojan:Win32/Reveton.A
Mime Type: unknown/A

File name: %startup%\%malwarefilename%.lnk
File type: Shortcut
Mime Type: unknown/lnk

File name: %USERPROFILE%\Start Menu\Programs\Startup\<reveton_filename>.dll.lnk
File type: Shortcut
Mime Type: unknown/lnk

File name: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<reveton_filename>dll.lnk
File type: Shortcut
Mime Type: unknown/lnk

Registry Modifications

The following Registry values and subkeys were newly created:

Value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: 'Userinit' = '\userinit.exe, %Documents and Settings%\[UserName]\Application Data\temp_sys.exe'

Subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32\Trojan:Win32/Reveton.A
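The two persistence points listed above, the Winlogon 'Userinit' value and the .lnk shortcuts in the Startup folders, can be audited with a short read-only check. The script below is an added example written for this article, not part of the original page or of any vendor tool; it assumes a stock Userinit value is a single entry ending in userinit.exe and that it is run from Safe Mode with Command Prompt (or another session where the locker is not in the foreground).

```powershell
# Added example (not from the original article): report, without deleting,
# the Reveton persistence points the article lists. Assumes a clean Userinit
# value is one entry ending in userinit.exe; everything after the first comma
# is an extra program that Winlogon will launch at logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
Write-Host "Userinit = $userinit"

$entries = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($e in $entries) {
    if ($e -imatch '\\userinit\.exe$') { continue }
    # Reveton appended its dropper (temp_sys.exe under Application Data) here.
    Write-Warning "Extra Userinit entry: $e"
}

# Startup folders (per-user and all-users). Reveton dropped a shortcut named
# <reveton_filename>.dll.lnk; flag shortcuts whose name or target refers to a
# DLL, or whose target lives inside a user profile's application data.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path $_) }

$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        $suspicious = ($_.Name -imatch '\.dll') -or
                      ($target -imatch '\.dll$') -or
                      ($target -imatch '\\AppData\\|\\Application Data\\')
        if ($suspicious) {
            Write-Warning ("Suspicious startup shortcut: {0} -> {1}" -f $_.FullName, $target)
        } else {
            Write-Host ("OK: {0} -> {1}" -f $_.Name, $target)
        }
    }
}
```

Anything the script flags should be confirmed against the file list above before removal; a legitimate application can also place a shortcut in Startup, so the target path is what matters.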
