When it runs, it creates a shortcut file in the <startup folder>, so that it automatically runs every time Windows starts. This shortcut file has the following naming format:
<reverse name of Reveton.Y file name>.lnk - might be detected as Ransom:Win32/Reveton!lnk
For example, if the Reveton.Y file name is filename.dll, then the shortcut file is named emanelif.lnk.
If, for some reason, it can't create this shortcut file, it instead drops a batch file in the same folder using this naming format:
<reverse name of Reveton.Y file name>.bat
It also makes changes to your system registry so that it loads with the legitimate Windows process svchost.exe:
In subkey: HKLM\SYSTEM\ControlSet001\services\Winmgmt\Parameters\
Sets value: "ServiceDll"
With data: "<Reveton.Y file name>" on 32-bit PCs and "<Ransom:Win64/Reveton file name>" on 64-bit PCs
It might also inject itself into these legitimate Windows processes to hide its actions:
taskmgr.exe - hooks the function ZwQuerySystemInformation in ntdll.dll to hide its processes
regedit.exe - hooks the function RegQueryValueExW in advapi32.dll to hide its registry keys
As part of its installation process, it also creates these files:
- \<random 6-12 characters>.jss or .cpp or .dss - might also be detected as Reveton.Y
- <reverse name of Reveton.Y file name>.reg - might be detected as Ransom:WinREG/Reveton.E
- <reverse name of Reveton.Y file name>.bxx or .fee or .dat or .pad - might be detected as Ransom:Win32/Reveton.V
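As an added illustration (example code, not part of the original encyclopedia entry), the Python below ties the indicators above together from a defender's side: it derives the reversed-name shortcut, batch file and dropped files from a suspect Reveton.Y file name, takes that name from a tampered Winmgmt ServiceDll value, and matches everything against directory listings. The listings and the ServiceDll value are constructed sample data; the legitimate ServiceDll path used for comparison and the alphanumeric form of the "random 6-12 characters" names are assumptions not stated on the page.

```python
"""Match the Reveton.Y file-name artifacts described above against host data.
Example code; the sample inputs below are constructed, not captured."""
import ntpath   # handles Windows paths correctly on any platform
import re

# Assumption (not stated on the page): the ServiceDll of the Winmgmt service
# on a clean host points at WMIsvc.dll under system32\wbem.
LEGIT_WINMGMT_SERVICEDLL = r"%SystemRoot%\system32\wbem\WMIsvc.dll"

# Extensions of the reversed-name files the page says are dropped.
DROPPED_EXTENSIONS = (".reg", ".bxx", ".fee", ".dat", ".pad")

# Assumption: "random 6-12 characters" is taken to mean alphanumeric characters.
RANDOM_DROP_RE = re.compile(r"^[A-Za-z0-9]{6,12}\.(jss|cpp|dss)$", re.IGNORECASE)

# Constructed sample host data.
SAMPLE_SERVICEDLL = r"C:\Users\user\AppData\Local\Temp\filename.dll"
SAMPLE_STARTUP = ["desktop.ini", "emanelif.lnk", "OneDrive.lnk"]
SAMPLE_DROPS = ["emanelif.reg", "emanelif.pad", "ab12cd34.jss", "readme.txt", "notes.cpp"]


def reversed_stem(filename):
    """'filename.dll' (or a full path to it) -> 'emanelif'."""
    stem = ntpath.splitext(ntpath.basename(filename))[0]
    return stem[::-1]


def expected_artifacts(reveton_filename):
    """Names the page says are derived from the Reveton.Y file name:
    the Startup-folder .lnk/.bat and the reversed-name dropped files."""
    stem = reversed_stem(reveton_filename)
    startup = {stem + ".lnk", stem + ".bat"}
    dropped = {stem + ext for ext in DROPPED_EXTENSIONS}
    return startup, dropped


def suspect_servicedll(value):
    """Return the ServiceDll data if it is not the assumed legitimate path,
    else None. Quotes and case are ignored when comparing."""
    if value is None:
        return None
    cleaned = value.strip().strip('"')
    if cleaned.lower() == LEGIT_WINMGMT_SERVICEDLL.lower():
        return None
    return cleaned


def triage(servicedll_value, startup_listing, drop_listing):
    """Combine the indicators: a tampered Winmgmt ServiceDll names the
    Reveton.Y file; from it, look for the reversed-name shortcut/batch file
    in the Startup folder and the reversed-name drops elsewhere. The random
    .jss/.cpp/.dss names are checked independently. Empty dict = no findings."""
    findings = {}
    suspect = suspect_servicedll(servicedll_value)
    if suspect:
        findings["servicedll"] = suspect
        startup_names, dropped_names = expected_artifacts(suspect)
        startup_lower = {n.lower() for n in startup_names}
        dropped_lower = {n.lower() for n in dropped_names}
        hits = [n for n in startup_listing if n.lower() in startup_lower]
        if hits:
            findings["startup"] = hits
        hits = [n for n in drop_listing if n.lower() in dropped_lower]
        if hits:
            findings["dropped"] = hits
    random_hits = [n for n in drop_listing if RANDOM_DROP_RE.match(n)]
    if random_hits:
        findings["random_drops"] = random_hits
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SERVICEDLL, SAMPLE_STARTUP, SAMPLE_DROPS).items():
        print(f"{key}: {value}")
```

The ServiceDll comparison is deliberately strict: a host that stores the expanded path instead of the %SystemRoot% form will be reported and should be triaged by hand rather than silently accepted, since that value is exactly where the page says the malware puts its own file name.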
On a 64-bit operating system, it might also create this file:
Prevents you from accessing your desktop
Reveton.Y displays a full-screen window that covers all other windows, preventing you from accessing your desktop. The image is a fake warning pretending to be from a legitimate institution, and demands that you pay a ransom to regain control of your desktop.
Paying the ransom does not necessarily return your PC to a usable state, so this is not advisable.
The images might look like these: