
You have been re-routed to the Ransom:Win32/Reveton.P write-up because Trojan:Win32/Reveton.P has been renamed to Ransom:Win32/Reveton.P.


Ransom:Win32/Reveton.P


Microsoft security software detects and removes this threat.

Ransom:Win32/Reveton.P is a ransomware trojan that targets users in certain countries. It locks your PC and displays a webpage, localized for your country, that demands payment of a fine for a supposed violation of the law.

Find out ways that malware can get on your PC.



What to do now

Microsoft doesn't recommend that you pay the fine. There is no guarantee that paying the ransom will unlock your PC.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Additional remediation instructions for this threat

This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following steps can help change these settings back to what you want:

Threat behavior

Installation

Ransom:Win32/Reveton.P is usually installed as a result of a drive-by download attack, for example by an exploit pack. Once the trojan is run on a vulnerable PC, it creates a Windows shortcut file (.LNK) in the Startup folder so that it runs each time you log on to Windows:

%USERPROFILE%\Start Menu\Programs\StartUp\runctf.lnk - which might be detected as Ransom:Win32/Reveton!lnk

As part of its installation process, it also creates the following files:

where <random> is the original file name of the DLL reversed (a string inversion).

Payload

Prevents you from accessing your desktop

As part of its payload, Ransom:Win32/Reveton.P displays a full-screen webpage that covers all other windows, rendering the PC unusable. The page is a fake warning that pretends to come from a legitimate institution and demands payment of a fine.

Paying the "fine" will not necessarily return your PC to a usable state, so this is not advisable.

You can see some examples of other Win32/Reveton lock screens in the family description.

Tries to bypass firewalls

Ransom:Win32/Reveton.P injects code into various processes, including the following web browsers, to try to bypass firewalls. Browsers are normally allowed to make outbound connections by host firewalls, so code running inside them inherits that permission:

  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • opera.exe

Bypassing firewalls might let it perform any number of actions on your PC, including, but not limited to, downloading and uploading files.

Contacts servers

The threat contacts servers to download the webpage it uses as a lock screen. It can also download other components from these servers:

  • 146.185.255.219
  • 31.44.184.134
  • 31.44.184.55
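The behaviours described under Installation, Tries to bypass firewalls and Contacts servers map onto three host telemetry events that a detection engineer can hunt for. The following is an added example, not Microsoft's code or part of this write-up: it runs simple checks over Sysmon-style events (Event ID 11 file creation, Event ID 8 remote thread creation, Event ID 3 network connection; field names follow the Sysmon schema). The indicators are the ones listed on this page; the sample events, the file paths in them and the "any non-Explorer process writing a .lnk to Startup" heuristic are constructed for the demo.

```python
"""Hunt for Ransom:Win32/Reveton.P behaviour in Sysmon-style events.

Added example, not Microsoft's code. Events are dicts shaped like Sysmon
Event IDs 11 (FileCreate), 8 (CreateRemoteThread) and 3 (NetworkConnect).
The sample events at the bottom are constructed for this demo.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable

# Indicators taken from the write-up.
STARTUP_LNK = "runctf.lnk"
STARTUP_DIR = "\\start menu\\programs\\startup\\"
INJECTION_TARGETS = {"chrome.exe", "firefox.exe", "iexplore.exe", "opera.exe"}
C2_ADDRESSES = {
    ipaddress.ip_address("146.185.255.219"),
    ipaddress.ip_address("31.44.184.134"),
    ipaddress.ip_address("31.44.184.55"),
}


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_file_create(ev: dict) -> str | None:
    """Sysmon EID 11: a .lnk dropped into a Start Menu\\Programs\\StartUp folder.

    Matches the exact name from the write-up, and also flags any other .lnk
    written to Startup by a process other than explorer.exe (assumption:
    user-created shortcuts come from Explorer; some installers may trip this).
    """
    target = ev.get("TargetFilename", "")
    low = target.lower()
    if STARTUP_DIR not in low or not low.endswith(".lnk"):
        return None
    if _basename(target) == STARTUP_LNK:
        return f"Reveton startup shortcut created: {target}"
    if _basename(ev.get("Image", "")) != "explorer.exe":
        return f"Suspicious startup shortcut written by {ev.get('Image')}: {target}"
    return None


def check_remote_thread(ev: dict) -> str | None:
    """Sysmon EID 8: a non-browser process creating a thread in a browser.

    This is the firewall-bypass technique: the browser is already allowed
    outbound, so injected code rides on its permission.
    """
    target = _basename(ev.get("TargetImage", ""))
    source = _basename(ev.get("SourceImage", ""))
    if target in INJECTION_TARGETS and source not in INJECTION_TARGETS:
        return f"{source} created a remote thread in {target}"
    return None


def check_network(ev: dict) -> str | None:
    """Sysmon EID 3: outbound connection to one of the listed servers."""
    try:
        dst = ipaddress.ip_address(ev.get("DestinationIp", ""))
    except ValueError:
        return None
    if dst in C2_ADDRESSES:
        return f"{_basename(ev.get('Image', ''))} connected to Reveton server {dst}"
    return None


CHECKS = {11: check_file_create, 8: check_remote_thread, 3: check_network}


def hunt(events: Iterable[dict]) -> list[str]:
    """Run each event through the check for its EventID; return the hits."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        if check is None:
            continue
        hit = check(ev)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample events: one benign shortcut, one Reveton shortcut drop
# (the dropper path is hypothetical), one injection, one C2 connection and
# one unrelated HTTPS connection.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
    {"EventID": 11, "Image": r"C:\Documents and Settings\alice\Local Settings\Temp\dropper.exe",
     "TargetFilename": r"C:\Documents and Settings\alice\Start Menu\Programs\StartUp\runctf.lnk"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "31.44.184.55", "DestinationPort": 80},
    {"EventID": 3, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

The network check is the weakest of the three on its own, because the listed addresses are only what was observed at the time of analysis; the Startup-shortcut and browser-injection checks describe the technique rather than the infrastructure and will keep matching after the servers move.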

Stops processes

This threat stops Task Manager (taskmgr.exe) from running, so you cannot use it to end the process that displays the lock screen.

Analysis by Daniel Radu


Symptoms

Your PC might be locked with a warning pretending to be from the FBI or your national police force.


Prevention


Alert level: Severe
First detected by definition: 1.141.2981.0
Latest detected by definition: 1.175.206.0 and higher
First detected on: Jan 02, 2013
This entry was first published on: Jan 02, 2013
This entry was updated on: Jun 13, 2014

This threat is also detected as:
No known aliases