
You have been re-routed to the Ransom:Win32/Reveton.F write up because Trojan:Win32/Reveton.F has been renamed to Ransom:Win32/Reveton.F
 

Ransom:Win32/Reveton.F


Microsoft security software detects and removes this threat.

Ransom:Win32/Reveton.F is a member of the Reveton family of ransomware programs that targets users from certain countries. The threat locks your PC and displays a localized webpage that covers your desktop, and demands the payment of a fine for the supposed possession of illicit material.




What to do now

Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Additional remediation instructions for this threat

This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following links can help change these settings back to what you want:

Threat behavior

Installation

Ransom:Win32/Reveton.F is usually installed as a result of a drive-by download attack.

It creates a shortcut file in the Windows startup folder to make sure it runs every time you log on:

%USERPROFILE%\Start Menu\Programs\StartUp\ctfmon.lnk - might be detected as Ransom:Win32/Reveton!lnk

It injects code into various processes, including the following browser processes, possibly to avoid detection and bypass your firewall:

  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • opera.exe

Payload

Prevents you from accessing the desktop

Ransom:Win32/Reveton.F displays a full-screen webpage that covers all other windows, rendering the PC unusable. The image might be a fake warning pretending to be about the Digital Millennium Copyright Act, demanding payment of a "fine".

Paying the "fine" will not necessarily return your PC to a usable state, so this is not advisable.

The image might look like these:

Changes browser settings

Reveton.F changes Internet Explorer settings by making a number of registry modifications; for example, it might:

  • Lower Internet Explorer security settings
  • Lower Internet zone security settings:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    Sets value: "1609"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    Sets value: "1609"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    Sets value: "1609"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    Sets value: "1609"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    Sets value: "1609"
    With data: "0"

  • Disable Internet Explorer security warnings:

    In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
    Sets value: "NoProtectedModeBanner"
    With data: "1"

    In subkey: HKCU\Software\Microsoft\Internet Explorer\Toolbar
    Sets value: "Locked"
    With data: "1"
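
As an added example that is not part of the Microsoft write-up, the following PowerShell audits the current user's profile for the startup shortcut described under Installation and for the registry values listed above. The paths, value names and data are the ones on this page; the function names, the `-Repair` switch and the assumption that a removed Internet Explorer value reverts to its default are this example's own.

```powershell
# Added example, not part of the Microsoft write-up: audit the current user's
# profile for the persistence shortcut and the Internet Explorer registry
# changes this entry attributes to Ransom:Win32/Reveton.F. Paths, value names
# and data come from the write-up; the function names and the -Repair switch
# are this example's own. Run in the affected user's context.

# Registry values the write-up says the threat sets, with the data it writes.
# 1609 in an Internet Settings zone is the "Display mixed content" policy.
$RegistryIndicators = @(
    0..4 | ForEach-Object {
        [PSCustomObject]@{
            Key  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$_"
            Name = '1609'
            Data = 0
        }
    }
    [PSCustomObject]@{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';    Name = 'NoProtectedModeBanner'; Data = 1 }
    [PSCustomObject]@{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar'; Name = 'Locked';                Data = 1 }
)

function Get-RevetonStartupShortcut {
    # The write-up gives the Windows XP layout of the per-user Startup folder;
    # the Startup special folder resolves to the same location on later versions.
    $candidates = @(
        (Join-Path $env:USERPROFILE 'Start Menu\Programs\StartUp\ctfmon.lnk'),
        (Join-Path ([Environment]::GetFolderPath('Startup')) 'ctfmon.lnk')
    ) | Select-Object -Unique

    foreach ($lnk in $candidates) {
        if (-not (Test-Path -LiteralPath $lnk)) { continue }
        # Resolve what the shortcut launches so the dropped executable can be collected.
        $shell  = New-Object -ComObject WScript.Shell
        $target = $shell.CreateShortcut($lnk).TargetPath
        [PSCustomObject]@{ Path = $lnk; Target = $target }
    }
}

function Get-RevetonRegistryIndicator {
    foreach ($ind in $RegistryIndicators) {
        $props = Get-ItemProperty -Path $ind.Key -Name $ind.Name -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }          # key or value absent: nothing to report
        $actual = $props.PSObject.Properties[$ind.Name].Value
        [PSCustomObject]@{
            Key            = $ind.Key
            Name           = $ind.Name
            Data           = $actual
            IsMalwareValue = ($actual -eq $ind.Data)
        }
    }
}

function Invoke-RevetonAudit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch] $Repair)

    $shortcuts = @(Get-RevetonStartupShortcut)
    $registry  = @(Get-RevetonRegistryIndicator | Where-Object IsMalwareValue)

    foreach ($s in $shortcuts) {
        Write-Warning "Startup shortcut present: $($s.Path) -> $($s.Target)"
        if ($Repair -and $PSCmdlet.ShouldProcess($s.Path, 'Remove startup shortcut')) {
            Remove-Item -LiteralPath $s.Path -Force
        }
    }
    foreach ($r in $registry) {
        Write-Warning "Registry value matches threat data: $($r.Key)\$($r.Name) = $($r.Data)"
        if ($r.Name -eq '1609') {
            # Zone policies are reported only: restore them from Internet Options >
            # Security > "Reset all zones to default level" rather than by hand.
            continue
        }
        if ($Repair -and $PSCmdlet.ShouldProcess("$($r.Key)\$($r.Name)", 'Remove registry value')) {
            # Assumption: with the value absent, Internet Explorer uses its default (off).
            Remove-ItemProperty -Path $r.Key -Name $r.Name
        }
    }
    if (-not $shortcuts -and -not $registry) { 'No Reveton.F persistence or registry indicators found.' }
}

# Report only; add -Repair (and -WhatIf to preview) to remove what was found.
Invoke-RevetonAudit
```

The audit reports before it changes anything; the `-Repair` switch only removes the shortcut and the two Internet Explorer values, because the zone policies are safer to restore with the built-in "Reset all zones to default level" button than by guessing per-zone defaults. Collect the shortcut target before deleting it, since that is the dropped file the scan should be run against.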

Contacts servers

Ransom:Win32/Reveton.F contacts servers to download the image it displays to cover your desktop, and to download other malware components.

It tries to contact up to three of these servers every 55 seconds:

  • 146.185.218.52
  • 146.185.255.194
  • 194.50.116.25
  • 195.191.56.194
  • 208.91.197.193
  • 82.192.88.13
  • whatwillber.com
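
The server list above, used as a detection over proxy or firewall logs, as an added example that is not part of the write-up: it reports every client that reached one of the listed servers and checks whether the contacts follow the 55-second polling interval described. The log format, the sample lines, the client addresses and the function name are constructed for this example.

```powershell
# Added example, not part of the Microsoft write-up: check proxy or firewall
# log lines for the contact servers this entry lists and flag clients whose
# contacts follow the 55-second cadence the entry describes. The log format
# ("<ISO timestamp> <client> <destination>"), the sample lines and the
# function name are constructed for this example.

$RevetonServers = @(
    '146.185.218.52', '146.185.255.194', '194.50.116.25', '195.191.56.194',
    '208.91.197.193', '82.192.88.13', 'whatwillber.com'
)

# Constructed sample log: 10.0.0.5 polls every 55 s, 10.0.0.7 touches one
# server irregularly, 10.0.0.9 makes a single contact.
$SampleLog = @'
2012-07-07T10:00:00 10.0.0.5 146.185.218.52
2012-07-07T10:00:01 10.0.0.5 update.example.com
2012-07-07T10:00:10 10.0.0.7 208.91.197.193
2012-07-07T10:00:15 10.0.0.7 208.91.197.193
2012-07-07T10:00:55 10.0.0.5 whatwillber.com
2012-07-07T10:01:50 10.0.0.5 194.50.116.25
2012-07-07T10:02:45 10.0.0.5 146.185.218.52
2012-07-07T10:03:12 10.0.0.9 whatwillber.com
2012-07-07T10:10:15 10.0.0.7 208.91.197.193
'@ -split "`r?`n"

function Find-RevetonContacts {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int] $ExpectedIntervalSeconds = 55,   # polling interval given in the write-up
        [int] $ToleranceSeconds = 10,
        [int] $MinHitsForCadence = 3
    )

    # Keep only lines whose destination is one of the listed servers.
    $hits = foreach ($line in $Lines) {
        if ($line -notmatch '^(?<ts>\S+)\s+(?<client>\S+)\s+(?<dest>\S+)$') { continue }
        if ($RevetonServers -notcontains $Matches.dest) { continue }
        [PSCustomObject]@{
            Time   = [datetime]::Parse($Matches.ts, [cultureinfo]::InvariantCulture)
            Client = $Matches.client
            Dest   = $Matches.dest
        }
    }

    foreach ($group in ($hits | Group-Object Client)) {
        $times    = @($group.Group | Sort-Object Time | Select-Object -ExpandProperty Time)
        $periodic = $false
        $median   = $null
        if ($times.Count -ge $MinHitsForCadence) {
            # Median gap between consecutive contacts; tolerant of a few missed polls.
            $gaps     = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
            $sorted   = @($gaps | Sort-Object)
            $median   = $sorted[[int][math]::Floor($sorted.Count / 2)]
            $periodic = [math]::Abs($median - $ExpectedIntervalSeconds) -le $ToleranceSeconds
        }
        [PSCustomObject]@{
            Client           = $group.Name
            Contacts         = $times.Count
            Servers          = (($group.Group | Select-Object -ExpandProperty Dest | Sort-Object -Unique) -join ', ')
            MedianGapSeconds = $median
            MatchesCadence   = $periodic
        }
    }
}

# Any contact with a listed server is reason to isolate the host; MatchesCadence
# separates an active polling loop from a one-off hit.
Find-RevetonContacts -Lines $SampleLog | Format-Table -AutoSize
```

On the sample data, 10.0.0.5 is reported with four contacts and a 55-second median gap, 10.0.0.7 with three contacts but no cadence match, and 10.0.0.9 with a single contact. To run it on real data, replace `$SampleLog` with the exported log and adjust the regular expression to the proxy's field order; the server list itself is taken verbatim from this entry and should be refreshed from current threat intelligence rather than treated as complete.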

Stops processes

If you try to run Task Manager, this threat might prevent it from starting.

Additional information

Depending on the server response, Ransom:Win32/Reveton.F can download and run customized .DLL payloads, like Lock.dll and FileMem.dll.

Lock.dll displays the fraudulent message similar to those shown in the images above.

FileMem.dll is an additional threat component, which is downloaded and run by Ransom:Win32/Reveton.F right after loading Lock.dll. This component might carry out different payloads, for example, stealing personal information from your PC.

Analysis by Sergey Chernyshev


Symptoms

The following could indicate that you have this threat on your PC:

  • Your desktop is covered by something that looks like this or any of the other screens in the Technical information section above:

Prevention


Alert level: Severe
First detected by definition: 1.129.1173.0
Latest detected by definition: 1.175.206.0 and higher
First detected on: Jul 07, 2012
This entry was first published on: Jul 07, 2012
This entry was updated on: Jun 17, 2014

This threat is also detected as:
No known aliases