Ransom:Win32/Reveton.P is usually installed as a result of a drive-by download attack, for example, by an exploit pack. Once the trojan is run on a vulnerable PC, it creates a Windows shortcut file (.LNK), so that it runs when you start Windows:
- which might be detected as Ransom:Win32/Reveton!lnk
As part of its installation process, it also creates the following files:
where <random> is a string inversion from the original file name the DLL is stored under.
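The naming relationship described above can be turned into a triage check. The following is an added example, not part of the original analysis or any vendor tooling: it takes a file listing and flags a DLL that shares a folder with a file whose name is that DLL's name reversed. Reading "string inversion" as character reversal, the .dat extension, the minimum name length and all sample paths are assumptions made for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: very short names reverse into each other by chance, so skip them.
MIN_STEM_LEN = 4


def find_reversed_name_pairs(paths):
    """Return sorted (dll, companion) pairs that sit in the same folder and
    whose base names are character-reversed copies of each other."""
    by_dir = defaultdict(list)
    for raw in paths:
        p = PureWindowsPath(raw)
        # Windows paths are case-insensitive, so group on the lowered folder.
        by_dir[str(p.parent).lower()].append(p)

    hits = []
    for entries in by_dir.values():
        stems = defaultdict(list)
        for p in entries:
            stems[p.stem.lower()].append(p)
        for p in entries:
            if p.suffix.lower() != ".dll":
                continue
            stem = p.stem.lower()
            rev = stem[::-1]
            # A palindrome matches itself and proves nothing; skip it.
            if len(stem) < MIN_STEM_LEN or rev == stem:
                continue
            for other in stems.get(rev, []):
                hits.append((str(p), str(other)))
    return sorted(hits)


# Constructed sample listing (not taken from a real infection).
SAMPLE = [
    r"C:\Sample\Dir\examplelib.dll",
    r"C:\Sample\Dir\Bilelpmaxe.dat",   # "examplelib" reversed, mixed case
    r"C:\Sample\Dir\level.dll",
    r"C:\Sample\Dir\level.txt",        # palindrome: ignored
    r"C:\Sample\Dir\abc.dll",
    r"C:\Sample\Dir\cba.log",          # too short: ignored
    r"C:\Other\bilelpmaxe.dat",        # different folder: ignored
]

if __name__ == "__main__":
    for dll, companion in find_reversed_name_pairs(SAMPLE):
        print(f"reversed-name pair: {dll} <-> {companion}")
```

A hit is only a lead for further inspection, since the check relies on the naming pattern alone and not on file contents.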
Prevents you from accessing your desktop
As part of its payload, Ransom:Win32/Reveton.P displays a full-screen webpage that covers all other windows, rendering the PC unusable. The image is a fake warning pretending to be from a legitimate institution which demands the payment of a fine.
Paying the "fine" will not necessarily return your PC to a usable state, so this is not advisable.
You can see some examples of other Win32/Reveton lock screens in the family description.
Tries to bypass firewalls
Ransom:Win32/Reveton.P injects code into various processes, including the following, to try and bypass firewalls:
Bypassing firewalls might let it do any number of actions on your PC, including, but not limited to, downloading and uploading files.
The threat contacts servers to download the webpage it uses as a lock screen. It can also download other components from these servers:
This threat prevents you from running Task Manager on your PC.
Analysis by Daniel Radu