PWS:Win32/Reveton.B


Microsoft security software detects and removes this threat.

Win32/Reveton is a family of ransomware that targets users from certain countries. It locks your PC and displays a localized webpage that covers your desktop and demands the payment of a fine for the supposed possession of illicit material.

PWS:Win32/Reveton.B extends the Reveton family’s functionality by stealing sensitive information and sending it to a remote attacker. It targets passwords for a number of file downloaders, remote control applications, FTP, poker, chat and e-mail clients. It can also steal passwords stored by browsers and in protected storage. It is used by Ransom:Win32/Reveton.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

PWS:Win32/Reveton.B is loaded directly into memory by the Ransom:Win32/Reveton family rather than being dropped as a separate file on disk.

If your security software detects a Ransom:Win32/Reveton infection, you might also be infected with PWS:Win32/Reveton.B.

Payload

Steals passwords

PWS:Win32/Reveton.B can steal passwords for file downloaders, remote control applications, FTP, poker, chat and e-mail clients. It can also steal passwords stored by browsers and in protected storage.

The stolen information is then sent to a malicious hacker using a custom-made protocol.

This trojan might steal passwords for the following:

FTP clients:

  • BitKinex
  • Bullet
  • ClassicFTP
  • CoffeeCup
  • Commander
  • CoreFTP4
  • CuteFTP
  • DOpus
  • ExpanDrive
  • FAR
  • FFFTP
  • FileZilla
  • FlashFXP
  • Fling
  • FreeFTP
  • Frigate3
  • FTP
  • FTPCommander
  • FTPControl
  • FTPExplorer
  • FTPRush
  • FTPUploader
  • LeapFTPh
  • NetDrive
  • Proof
  • SecureFX
  • SmartFTP
  • SoftX
  • Total
  • TurboFTP
  • UltraFXP
  • UltraFXP_Base
  • WebDrive
  • WebSitePublisher
  • WinSCP
  • WS_FTP

Instant messaging programs:

  • AIM
  • AIMPRO
  • Astra
  • Digsby
  • Excite
  • Faim
  • Gaim
  • Gizmo
  • GTalk
  • ICQ2003
  • ICQ99b
  • IM2
  • JAJC
  • LiveMessenger
  • Miranda
  • MSN
  • MySpace
  • Odigo
  • PalTalk
  • Pandion
  • Pidgin
  • PSI
  • QIP
  • QIPOnline
  • RQ
  • Trillian
  • Yahoo

File downloaders:

  • DMaster
  • FlashGet
  • GetRight
  • Internet Download Accelerator (IDA)

Poker clients:

  • 888Poker
  • AbsoluteCommon
  • AbsolutePoker
  • CakePoker
  • FullTiltPoker
  • PartyPoker
  • Poker
  • PokerStars
  • TitanPoker
  • UBPokerlOM

Internet browsers:

  • Chrome
  • Firefox
  • Flock
  • IE
  • Mozilla
  • Opera
  • Safari
  • SeaMonkey

Email clients:

  • Becky
  • Email
  • Eudora
  • ForteAgent
  • Gmail
  • GroupMailFree
  • IncrediMail
  • MailCommander
  • MRAt
  • Outlook
  • PocoMail
  • POPPeeper
  • Scribe
  • The_Bat
  • Thunderbird
  • VypressAuvis
  • Windows_Mail_Base
  • Windows_Mail_Live
  • Windows_Mail_Vista

Remote control programs:

  • CiscoVPN
  • PCRemoteControl
  • RDP
  • WinVNC

Windows services:

  • Passport.Net / WindowsLive credentials
  • Protected Storage
  • Remote Access Service (RAS)

Symptoms

If your security software detects a Ransom:Win32/Reveton infection, you may also be infected with PWS:Win32/Reveton.B.

Prevention


Alert level: Severe
First detected by definition: 1.149.1451.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: May 07, 2013
This entry was first published on: May 07, 2013
This entry was updated on: Jun 03, 2014

This threat is also detected as:
  • Gen:Variant.Graftor.Elzob.644 (BitDefender)
  • Mal/Banc-B (Sophos)
  • TR/Spy.Gen2 (Avira)