When run, some variants of Ransom:Win32/Reveton copy themselves to your PC using the following naming scheme:
%ALLUSERPROFILE%\Application Data\<reverse string of the filename>.<reverse string of extension name>
For example, if the original file name is malware.dll, the copy's name is erawlam.lld.
Other variants copy themselves to the above location using random file names with the extension .plz or .dat, for example %ALLUSERPROFILE%\Application Data\6j1fqm4L.plz.
Certain variants make the following changes to the registry so that the threat runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Task Scheduler"
With data: "%ALLUSERPROFILE%\Application Data\task scheduler\task scheduler.exe"
In subkey: HKLM\System\ControlSet001\services\Winmgmt\Parameters
Sets value: "ServiceDll"
With data: "%ALLUSERPROFILE%\Application Data\<random>.plz"
These registry entries might be created by a registry file that Reveton drops onto your PC in the %ALLUSERPROFILE%\Application Data folder, using a file name that is usually the same as the copied component but with a .reg extension, for example:
This file might be detected as a Ransom:WinREG/Reveton variant, like Ransom:WinREG/Reveton.B.
Some Reveton variants might also add their dropped copy to the Data Execution Prevention (DEP) exception list, which lets it bypass DEP checks in Windows so that it can run, by making the following registry modification:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Sets value: "%ALLUSERPROFILE%\Application Data\task scheduler\Task Scheduler.exe"
With data: "disablenxshowui"
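As an added illustration, not part of this encyclopedia entry, the following Python script shows how a defender could check a registry snapshot (for example, values parsed from a .reg export) for the three persistence entries described above and undo the reversed-name copy scheme. The (subkey, value name, data) tuple format, the rule names and the sample values are constructed for this example.

```python
import re
from os.path import splitext

# Registry locations listed above for Reveton persistence.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
WINMGMT_KEY = r"HKLM\System\ControlSet001\services\Winmgmt\Parameters"
LAYERS_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"

# Matches the profile-data folder the copies are dropped into (case-insensitive).
APPDATA_RE = re.compile(r"%ALLUSERPROFILE%\\Application Data\\", re.I)
DROP_EXTS = {".plz", ".dat"}  # extensions used by the random-name variants


def unreverse(filename):
    """Undo the reversed-name scheme: 'erawlam.lld' -> 'malware.dll'."""
    stem, ext = splitext(filename)
    if not ext:
        return stem[::-1]
    return stem[::-1] + "." + ext[1:][::-1]


def is_reversed_binary_name(filename):
    """True when the un-reversed name carries an executable extension."""
    return unreverse(filename).lower().endswith((".dll", ".exe"))


def check_registry(values):
    """values: iterable of (subkey, value_name, data) tuples (constructed format).
    Returns a list of (rule, subkey, value_name) findings."""
    findings = []
    for subkey, name, data in values:
        k, n, d = subkey.lower(), name.lower(), data.lower()
        in_appdata = APPDATA_RE.search(data) is not None
        if k == RUN_KEY.lower() and n == "task scheduler" and in_appdata:
            findings.append(("run-key-task-scheduler", subkey, name))
        elif k == WINMGMT_KEY.lower() and n == "servicedll" and (in_appdata or splitext(d)[1] in DROP_EXTS):
            findings.append(("winmgmt-servicedll-hijack", subkey, name))
        elif k == LAYERS_KEY.lower() and "disablenxshowui" in d and APPDATA_RE.search(name):
            findings.append(("dep-exception-appdata", subkey, name))
    return findings


# Constructed sample snapshot: three Reveton-style entries plus one benign Run value.
SAMPLE = [
    (RUN_KEY, "Task Scheduler", r"%ALLUSERPROFILE%\Application Data\task scheduler\task scheduler.exe"),
    (RUN_KEY, "ExampleUpdater", r"C:\Program Files\Example\updater.exe"),
    (WINMGMT_KEY, "ServiceDll", r"%ALLUSERPROFILE%\Application Data\6j1fqm4L.plz"),
    (LAYERS_KEY, r"%ALLUSERPROFILE%\Application Data\task scheduler\Task Scheduler.exe", "disablenxshowui"),
]

if __name__ == "__main__":
    for finding in check_registry(SAMPLE):
        print(finding)
    print(unreverse("erawlam.lld"))  # malware.dll
```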
Some variants of Ransom:Win32/Reveton create the following shortcut file in the Windows <startup folder> to ensure the threat loads every time you log on; this threat has used the following names:
Variants like Ransom:Win32/Reveton.X create the shortcut using a random file name consisting of letters and digits, for example jw2gf7j6.lnk. This file is detected as Ransom:Win32/Reveton!lnk.
Manually clicking the shortcut will also run the threat.
Some Ransom:Win32/Reveton variants might also drop a copy of rundll32.exe in the %USERPROFILE%\application data folder with the file name lsass.exe. This file is then used to launch the threat, for example:
<folder path>\<malware file name>.dll, GOF1
Other variants, like Ransom:Win32/Reveton.X, launch the threat using the original rundll32.exe file located in your PC's <system folder>.
In some older variants of Ransom:Win32/Reveton, the threat creates a shortcut file with the file name <random file name>.dll.lnk.
Typically, Ransom:Win32/Reveton is installed on a PC as a result of a drive-by download attack, for example, by an exploit pack, or you might encounter it if you visit a hacked page.
For instance, we have observed other malware, such as Exploit:Win32/Pdfjsc.ADY and Exploit:Win32/Pdfjsc.ADQ, which can be distributed via the Blacole exploit pack, download Ransom:Win32/Reveton onto hacked PCs.
Prevents you from using your PC
As part of its payload, Ransom:Win32/Reveton displays a full-screen webpage that covers all other windows, rendering your PC unusable. The image is a fake warning pretending to be from a legitimate institution that demands the payment of a fine.
Paying the "fine" will not necessarily return your PC to a usable state.
Some examples of localized images that variants of Ransom:Win32/Reveton might display are reproduced here.
An image pretending to be from the US Department of Homeland Security:
An image pretending to be from the Department of Justice, USA: