Ransom:Win32/Reveton.Y


Microsoft security software detects and removes this threat.

This threat locks your PC and displays a full-screen message, commonly called a "lock screen".

It pretends to be from the FBI or a national police force and tries to scare you into paying a fine to unlock your PC.

Typically, this threat gets on your PC when you visit a hacked webpage.

You can read more about this type of malware in the Ransom:Win32/Reveton family description or on our ransomware page.

Find out ways that malware can get on your PC.



What to do now

Microsoft doesn't recommend you pay the fine. There is no guarantee that paying the ransom will unlock your PC.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

When it runs, it creates a shortcut file in the <startup folder>, so that it automatically runs every time Windows starts. This shortcut file has the following naming format:

<reverse name of Reveton.Y file name>.lnk - might be detected as Ransom:Win32/Reveton!lnk

For example, if the Reveton.Y file name is filename.dll, then the shortcut file is named emanelif.lnk.

If, for some reason, it can't create this shortcut file, it instead drops a batch file in the same folder using this naming format:

<reverse name of Reveton.Y file name>.bat

It also makes changes to your system registry so that it is loaded by the legitimate Windows service host process svchost.exe (it replaces the DLL that the WMI service, Winmgmt, would normally load):

In subkey: HKLM\SYSTEM\ControlSet001\services\Winmgmt\Parameters\
Sets value: "ServiceDll"
With data: "<Reveton.Y file name>" on 32-bit PCs and "<Ransom:Win64/Reveton file name>" on 64-bit PCs

It might also inject itself into these legitimate Windows processes to hide its actions:

  • explorer.exe
  • taskmgr.exe - hooks the function ZwQuerySystemInformation in ntdll.dll to hide its processes
  • regedit.exe - hooks the function RegQueryValueExW in advapi32.dll to hide its registry keys
  • iexplore.exe

As part of its installation process, it also creates these files:

  • <commonappdata> \<random 6-12 characters>.jss or .cpp or .dss - might also be detected as Reveton.Y
  • <reverse name of Reveton.Y file name>.reg - might be detected as Ransom:WinREG/Reveton.E
  • <reverse name of Reveton.Y file name>.bxx or .fee or .dat or .pad - might be detected as Ransom:Win32/Reveton.V
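The persistence artifacts above can be checked by hand, but the reversed-name pattern and the ServiceDll hijack are easy to script. The following triage helper is an added example, not Microsoft's code or part of this write-up. It pairs every .lnk/.bat in the startup folder with any dropped file whose base name is the launcher's base name reversed (filename.dll <-> emanelif.lnk), and it flags a Winmgmt ServiceDll that is not the stock WMI service DLL. The stock path `%SystemRoot%\system32\wbem\WMIsvc.dll` is an assumption about a clean Windows install, not something the page states; the `collect_live_inputs` function and the sample inputs in `main` are likewise constructed for the example.

```python
"""Host-triage helper for the Reveton.Y persistence artifacts described above.

Added example, not Microsoft's code. It checks two indicators from the
write-up: a startup-folder .lnk or .bat whose base name is the reverse of a
dropped file's base name, and the Winmgmt service's ServiceDll value pointing
somewhere other than the stock WMI service DLL (the stock path is an assumption).
"""
import ntpath
import re

# Assumption: the legitimate ServiceDll for the Winmgmt service on a clean install.
EXPECTED_WINMGMT_SERVICEDLL = r"%SystemRoot%\system32\wbem\WMIsvc.dll"
# The write-up names ControlSet001; CurrentControlSet is what is live on most hosts.
WINMGMT_PARAMETERS_KEY = r"SYSTEM\CurrentControlSet\services\Winmgmt\Parameters"

LAUNCHER_EXTS = {".lnk", ".bat"}  # what Reveton.Y drops in the startup folder
DROPPED_EXTS = {".dll", ".jss", ".cpp", ".dss", ".reg", ".bxx", ".fee", ".dat", ".pad"}


def split_name(path):
    """Return (lowercased stem, lowercased extension) of a Windows path."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    return stem.lower(), ext.lower()


def find_reversed_name_pairs(startup_entries, candidate_files):
    """Pair each startup .lnk/.bat with every candidate whose stem is the launcher's stem reversed."""
    by_stem = {}
    for path in candidate_files:
        stem, ext = split_name(path)
        if ext in DROPPED_EXTS:
            by_stem.setdefault(stem, []).append(path)
    pairs = []
    for launcher in startup_entries:
        stem, ext = split_name(launcher)
        if ext in LAUNCHER_EXTS:
            for target in by_stem.get(stem[::-1], []):
                pairs.append((launcher, target))
    return pairs


def normalize_path(p):
    """Canonicalize a registry path value: strip quotes, expand %SystemRoot%
    to a fixed root, unify separators, lowercase (Windows paths are case-insensitive)."""
    p = p.strip().strip('"')
    p = re.sub(r"%systemroot%", r"C:\\Windows", p, flags=re.IGNORECASE)
    return p.replace("/", "\\").lower()


def servicedll_is_unexpected(value, expected=EXPECTED_WINMGMT_SERVICEDLL):
    """True when the Winmgmt ServiceDll value does not resolve to the expected WMI DLL."""
    return normalize_path(value or "") != normalize_path(expected)


def triage(startup_entries, candidate_files, servicedll_value):
    """Run both checks and return a list of human-readable findings."""
    findings = []
    for launcher, target in find_reversed_name_pairs(startup_entries, candidate_files):
        findings.append(f"reversed-name launcher: {launcher} -> {target}")
    if servicedll_is_unexpected(servicedll_value):
        findings.append(f"Winmgmt ServiceDll is {servicedll_value!r}, "
                        f"expected {EXPECTED_WINMGMT_SERVICEDLL}")
    return findings


def collect_live_inputs():
    """Gather real inputs on a Windows host (needs the winreg module; not run in the demo).
    Candidate files are the startup folders themselves (the .bat fallback lives there)
    plus the top level of <commonappdata>, where the write-up says droppers land."""
    import os
    import winreg
    roots = [os.environ.get("APPDATA", ""), os.environ.get("ProgramData", "")]
    startup_dirs = [os.path.join(r, r"Microsoft\Windows\Start Menu\Programs\Startup") for r in roots]
    startup = [os.path.join(d, n) for d in startup_dirs if os.path.isdir(d) for n in os.listdir(d)]
    common = os.environ.get("ProgramData", "")
    files = [os.path.join(common, n) for n in os.listdir(common)] if os.path.isdir(common) else []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINMGMT_PARAMETERS_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "ServiceDll")  # REG_EXPAND_SZ, left unexpanded
    return startup, startup + files, value


if __name__ == "__main__":
    # Constructed sample inputs shaped after the write-up; not real artifacts.
    startup = [r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\emanelif.lnk",
               r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk"]
    files = [r"C:\ProgramData\filename.dll", r"C:\ProgramData\x7kq2p.jss"]
    for finding in triage(startup, files, r"C:\ProgramData\filename.dll"):
        print(finding)
```

On a live host, replace the sample inputs with `collect_live_inputs()`. Because Reveton.Y hooks RegQueryValueExW inside regedit.exe to hide its keys, read the ServiceDll value from a process it has not injected into (a fresh console, or offline from a copy of the SYSTEM hive) rather than trusting what regedit shows.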

On a 64-bit operating system, it might also create this file:

Payload

Prevents you from accessing your desktop

Reveton.Y displays a full-screen window that covers all other windows, preventing you from accessing your desktop. The image is a fake warning pretending to be from a legitimate institution, and it demands that you pay a ransom to regain control of your desktop.

Paying the ransom does not necessarily return your PC to a usable state, so this is not advisable.

The images might look like these:

Downloads and runs other malware

Reveton.Y can download and run other malware, detected as PWS:Win32/Reveton.B, on your PC. This malware can steal your user names and passwords for sensitive accounts, such as banking websites.

Connects to servers

Reveton.Y might connect to these IP addresses to download the other malware components and to upload information gathered by these malware components:

  • 37.139.53.204
  • 37.139.53.244
  • 46.165.220.180
  • 62.212.82.37
  • 199.115.114.209
  • 199.189.105.124
  • 204.45.15.202

Disables Windows components

Reveton.Y stops the Windows Firewall. It also prevents you from running Task Manager while the lock screen is displayed.

Analysis by Stefan Sellmer


Symptoms

The following could indicate that you have this threat on your PC:

  • You can't access your desktop and instead see images similar to these:


Prevention


Alert level: Severe
First detected by definition: 1.159.1823.0
Latest detected by definition: 1.189.487.0 and higher
First detected on: Oct 09, 2013
This entry was first published on: Jan 23, 2014
This entry was updated on: Aug 25, 2014

This threat is also detected as:
No known aliases