Trojan:Win32/Reveton.P is a ransomware trojan that targets users in certain countries. It locks your computer and displays a localized webpage that covers your desktop and demands payment of a fine for a supposed violation of the law.
Trojan:Win32/Reveton.P is usually installed by a drive-by download attack, for example one performed by an exploit pack. Once the trojan is executed on a vulnerable computer, it creates a Windows shortcut file (.LNK) in the following folder so that it runs each time Windows starts:
- which may be detected as Trojan:Win32/Reveton!lnk
As part of its installation process, it also creates the following files:
where <random> is the file name the DLL is stored under, reversed (a string inversion).
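The two installation traits above (a startup shortcut that launches a DLL from a user-writable folder, and a companion file whose name is the DLL's name reversed) can be turned into a simple triage check. The following is an added example for defenders, not code from this description; it runs over a constructed file inventory, and the folder paths, file names and the "user-writable path" heuristic are assumptions rather than details taken from the analysis.

```python
import os
from typing import NamedTuple

class Entry(NamedTuple):
    folder: str   # directory the file lives in
    name: str     # file name including extension
    target: str   # for .lnk files: resolved command line; "" otherwise

# Assumed: the Startup folder is where the shortcut is dropped.
STARTUP_HINT = "start menu\\programs\\startup"
# Assumed heuristic: legitimate startup DLL loads rarely come from these paths.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def stem(name: str) -> str:
    return os.path.splitext(name)[0].lower()

def suspicious_startup_lnk(e: Entry) -> bool:
    """A .lnk in the Startup folder whose target loads a DLL from a user-writable path."""
    if not e.name.lower().endswith(".lnk") or STARTUP_HINT not in e.folder.lower():
        return False
    t = e.target.lower()
    return ".dll" in t and any(p in t for p in USER_WRITABLE)

def mirrored_name_pairs(entries):
    """Pairs of files in one folder where one stem is the other stem reversed."""
    by_folder, pairs = {}, []
    for e in entries:
        by_folder.setdefault(e.folder.lower(), []).append(e.name)
    for names in by_folder.values():
        stems = {stem(n): n for n in names}
        for s, n in stems.items():
            r = s[::-1]
            if r != s and r in stems and (stems[r], n) not in pairs:
                pairs.append((n, stems[r]))
    return pairs

def triage(entries):
    return {"startup_lnk": [e.name for e in entries if suspicious_startup_lnk(e)],
            "mirrored": mirrored_name_pairs(entries)}

# Constructed sample inventory (assumed paths and names, not real Reveton artifacts).
STARTUP = r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE = [
    Entry(STARTUP, "ctfmon.lnk", r'"C:\Windows\System32\rundll32.exe" C:\Users\u\AppData\Local\Temp\kqzd.dll,X'),
    Entry(STARTUP, "OneNote.lnk", r'"C:\Program Files\Microsoft Office\ONENOTEM.EXE" /tsr'),
    Entry(r"C:\Users\u\AppData\Local\Temp", "kqzd.dll", ""),
    Entry(r"C:\Users\u\AppData\Local\Temp", "dzqk.pad", ""),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a live host, build the inventory from os.scandir() and a .LNK parser that resolves shortcut targets; the reversed-name check is a weak signal on its own and is meant to corroborate the startup-shortcut finding.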
Prevents you from accessing your desktop
As part of its payload, Trojan:Win32/Reveton.P displays a full-screen webpage that covers all other windows, rendering the computer unusable. The page is a fake warning that pretends to come from a legitimate institution and demands payment of a fine.
Paying the "fine" will not necessarily return your computer to a usable state, so this is not advisable.
You can see some examples of the cover pages other Trojan:Win32/Reveton variants use in the family description.
Attempts to bypass firewalls
Trojan:Win32/Reveton.P injects code into various processes, including the following, in an effort to bypass firewalls:
Bypassing firewalls may allow it to perform any number of actions on your computer, including, but not limited to, downloading and uploading files.
Contacts remote hosts
The trojan contacts the following remote hosts to download the webpage it displays to cover your desktop, and to download other malware components:
If the trojan detects Task Manager running on your computer, it terminates the Task Manager process; it may do this to hinder detection.
Analysis by Daniel Radu