When it runs, it creates a shortcut file in the <startup folder>, so that it automatically runs every time Windows starts. This shortcut file has the following naming format:
<reverse name of Reveton.Y file name>.lnk - might be detected as Ransom:Win32/Reveton!lnk
For example, if the Reveton.Y file name is filename.dll, then the shortcut file is named emanelif.lnk.
If, for some reason, it can't create this shortcut file, it instead drops a batch file in the same folder using this naming format:
<reverse name of Reveton.Y file name>.bat
It also modifies the system registry so that it is loaded by the legitimate Windows process svchost.exe. Winmgmt is the Windows Management Instrumentation (WMI) service; replacing its ServiceDll makes the svchost.exe instance hosting that service load the malware instead of the stock WMI service DLL:
In subkey: HKLM\SYSTEM\ControlSet001\services\Winmgmt\Parameters\
Sets value: "ServiceDll"
With data: "<Reveton.Y file name>" on 32-bit PCs and "<Ransom:Win64/Reveton file name>" on 64-bit PCs
It might also inject itself into these legitimate Windows processes to hide its actions:
taskmgr.exe - hooks the function ZwQuerySystemInformation in ntdll.dll to hide its processes
regedit.exe - hooks the function RegQueryValueExW in advapi32.dll to hide its registry keys
As part of its installation process, it also creates these files:
- \<random 6-12 characters>.jss, .cpp or .dss - might also be detected as Reveton.Y
- <reverse name of Reveton.Y file name>.reg - might be detected as Ransom:WinREG/Reveton.E
- <reverse name of Reveton.Y file name>.bxx, .fee, .dat or .pad - might be detected as Ransom:Win32/Reveton.V
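As an added example (not code from the original write-up, and not Microsoft's or the malware's code), the following Python triage helper checks for the artifacts described above: the reversed-name shortcut or batch file in the Startup folder, the reversed-name companion files in the installation list, and the hijacked Winmgmt ServiceDll value. The Startup folder paths and the stock ServiceDll value are assumptions about a standard Windows install, and the file names in the demo are constructed, so the pairing logic runs on any OS; the live registry read only happens on Windows.

```python
# Added triage helper for the Reveton.Y persistence artifacts described above.
# Example code written for this page, not Microsoft's detection logic and not
# the malware's code. Folder paths and the stock ServiceDll value are
# assumptions about a standard Windows install; demo file names are constructed.
import os
import sys
import tempfile

# Companion files carry the main file's base name spelled backwards.
COMPANION_EXTS = {".lnk", ".bat", ".reg", ".bxx", ".fee", ".dat", ".pad"}
# Extensions the write-up gives for the main Reveton.Y component.
MAIN_EXTS = {".dll", ".jss", ".cpp", ".dss"}

# Assumed default Startup folders on Vista and later (per-user and all-users).
STARTUP_FOLDERS = [
    os.path.join(os.environ.get("APPDATA", ""),
                 r"Microsoft\Windows\Start Menu\Programs\Startup"),
    os.path.join(os.environ.get("ProgramData", ""),
                 r"Microsoft\Windows\Start Menu\Programs\StartUp"),
]

# Assumed stock value of ...\Services\Winmgmt\Parameters\ServiceDll
# (REG_EXPAND_SZ) on a standard install, compared case-insensitively.
STOCK_WINMGMT_SERVICEDLL = r"%systemroot%\system32\wbem\wmisvc.dll"


def find_reversed_name_pairs(names):
    """Return sorted (main, companion) pairs where the companion's base name is
    the main file's base name reversed, e.g. ('filename.dll', 'emanelif.lnk').
    Matching is case-insensitive; names may come from several folders."""
    by_stem = {}
    for name in names:
        stem, ext = os.path.splitext(name)
        by_stem.setdefault(stem.lower(), []).append((name, ext.lower()))
    hits = set()
    for stem, entries in by_stem.items():
        for main_name, main_ext in entries:
            if main_ext not in MAIN_EXTS:
                continue
            for comp_name, comp_ext in by_stem.get(stem[::-1], []):
                if comp_ext in COMPANION_EXTS:
                    hits.add((main_name, comp_name))
    return sorted(hits)


def scan_folders(folders):
    """Collect file names from every folder that exists and look for pairs.
    Pass the Startup folders plus any folder holding the suspected DLL: the
    .lnk/.bat lives in Startup while the DLL itself may sit elsewhere."""
    names = []
    for folder in folders:
        if os.path.isdir(folder):
            names.extend(e.name for e in os.scandir(folder) if e.is_file())
    return find_reversed_name_pairs(names)


def servicedll_is_suspicious(value):
    """True unless the Winmgmt ServiceDll still points at the stock WMI DLL.
    Accepts the unexpanded %SystemRoot% form and, on a live box, the expanded
    one; surrounding quotes and letter case are ignored."""
    v = value.strip().strip('"').lower()
    roots = {"%systemroot%"}
    if os.environ.get("SystemRoot"):
        roots.add(os.environ["SystemRoot"].lower().rstrip("\\"))
    return v not in {root + r"\system32\wbem\wmisvc.dll" for root in roots}


def read_winmgmt_servicedll():
    """Read the live value on Windows; None elsewhere or if the value is absent.
    The write-up names ControlSet001; CurrentControlSet normally resolves to it."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily on purpose
    for subkey in (r"SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters",
                   r"SYSTEM\ControlSet001\Services\Winmgmt\Parameters"):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                return winreg.QueryValueEx(key, "ServiceDll")[0]
        except OSError:
            continue
    return None


def demo_constructed_startup_folder():
    """Build a throwaway folder with constructed names (not real samples) and
    scan it, so the pairing logic can be exercised on any OS."""
    constructed = ["filename.dll", "emanelif.lnk", "emanelif.reg", "emanelif.bxx",
                   "abcdef.jss", "fedcba.bat", "desktop.ini", "notepad.lnk"]
    with tempfile.TemporaryDirectory() as tmp:
        for name in constructed:
            open(os.path.join(tmp, name), "w").close()
        return scan_folders([tmp, os.path.join(tmp, "missing")])


if __name__ == "__main__":
    for main_name, comp_name in demo_constructed_startup_folder():
        print(f"reversed-name pair: {main_name} <-> {comp_name}")
    live = read_winmgmt_servicedll()
    if live is not None:
        print(f"Winmgmt ServiceDll = {live!r} suspicious={servicedll_is_suspicious(live)}")
        print("pairs in Startup folders:", scan_folders(STARTUP_FOLDERS))
```

Two caveats when running this on a real machine: a legitimate program can drop a .lnk in Startup, so a pair is only a lead until the DLL it points at is examined; and ServiceDll hijacking of Winmgmt also breaks or redirects WMI, so a machine whose WMI stopped working around the infection date is worth checking even when the shortcut was never created (the write-up notes the batch-file fallback for that case).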
On a 64-bit operating system, it might also create this file:
Prevents you from accessing your desktop
Reveton.Y displays a full-screen window that covers all other windows, preventing you from accessing your desktop. The image is a fake warning pretending to be from a legitimate institution, and demands that you pay a ransom to regain control of your desktop.
Paying the ransom does not necessarily return your PC to a usable state, so this is not advisable.
The images might look like these:
Downloads and runs other malware
Reveton.Y can download and run other malware, detected as PWS:Win32/Reveton.B, on your PC. This malware can steal your user names and passwords for sensitive accounts, such as banking websites.
Connects to servers
Reveton.Y might connect to these IP addresses to download the other malware components and to upload information gathered by these malware components:
Disables Windows components
Reveton.Y stops the Windows firewall. It also stops you from running Task Manager if your screen is locked.
Analysis by Stefan Sellmer