
You have been re-routed to the Ransom:Win32/Reveton write up because Trojan:Win32/Reveton has been renamed to Ransom:Win32/Reveton
 

Ransom:Win32/Reveton


Microsoft security software detects and removes this threat.

This threat locks your PC and displays a full-screen message, commonly called a "lock screen".

It pretends to be from the FBI or a national police force and tries to scare you into paying a fine to unlock your PC.

See the Technical information tab for examples of the lock screen.

Typically, this threat gets on your PC when you visit a hacked webpage.

You can read more about this type of malware at the Ransom:Win32/Reveton family description or on our ransomware page.

Find out ways that malware can get on your PC.



What to do now

Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

When run, some variants of Ransom:Win32/Reveton copy themselves to your PC using the following naming scheme:

%ALLUSERSPROFILE%\Application Data\<reverse string of the filename>.<reverse string of extension name>

For example, if the original file name is malware.dll, the copy's name is erawlam.lld.

Other variants copy themselves to the same location using random file names with the extension .plz or .dat, for example %ALLUSERSPROFILE%\Application Data\6j1fqm4L.plz.

Certain variants make the following changes to the registry so that the threat runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Task Scheduler"
With data: "%ALLUSERSPROFILE%\Application Data\task scheduler\task scheduler.exe"

In subkey: HKLM\System\ControlSet001\services\Winmgmt\Parameters
Sets value: "ServiceDll"
With data: "%ALLUSERSPROFILE%\Application Data\<random>.plz"

The second change hijacks the Windows Management Instrumentation service (Winmgmt): the service host loads the .plz file as the service DLL in place of the legitimate %SystemRoot%\system32\wbem\WMIsvc.dll, so the threat runs with the service's privileges without needing a service entry of its own.

These registry entries might be created by a registry file that Reveton drops onto your PC in the %ALLUSERSPROFILE%\Application Data folder, using a file name that is usually the same as the copied component but with a .reg extension, for example:

%ALLUSERSPROFILE%\Application Data\6j1fqm4l.reg

This file might be detected as a Ransom:WinREG/Reveton variant, like Ransom:WinREG/Reveton.B.

Some Reveton variants also add their dropped copy to the Data Execution Prevention (DEP) exception list, so that code in memory that was not mapped as executable can still run, by making the following registry modification:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Sets value: "%ALLUSERSPROFILE%\Application Data\task scheduler\Task Scheduler.exe"
With data: "disablenxshowui"

The DisableNXShowUI application-compatibility layer turns DEP off for that one executable without showing the user any prompt.

Some variants of Ransom:Win32/Reveton create the following shortcut file in the Windows <startup folder> to ensure the threat loads every time you log on; this threat has used the following names:

  • ctfmon.lnk
  • task scheduler.lnk
  • runctf.lnk
  • regmonstd.lnk

Variants like Ransom:Win32/Reveton.X create the shortcut using a random file name consisting of letters and digits, for example jw2gf7j6.lnk. This file is detected as Ransom:Win32/Reveton!lnk.

Manually clicking the shortcut will also run the threat.

Some Ransom:Win32/Reveton variants might also drop a copy of rundll32.exe in the %USERPROFILE%\application data folder with the file name lsass.exe. This file is then used to launch the threat, for example:

lsass.exe <folder path>\<malware file name>.dll, GOF1

Other variants, like Ransom:Win32/Reveton.X, launch the threat using the original rundll32.exe file located in your PC's <system folder>.

In some older variants of Ransom:Win32/Reveton, the threat creates a shortcut file with the file name <random file name>.dll.lnk.
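
The following script is an added example, not code from the Microsoft write-up, for hunting the persistence points described in this section on a live Windows machine with PowerShell. It checks the Run value, the Winmgmt ServiceDll hijack, the DEP opt-out layer, the startup-folder shortcuts and their rundll32/lsass.exe targets, the dropped .plz/.dat/.pad/.pff/.reg files, and Lock.dll loaded inside a browser (from the Payload section). Folder locations and names are those listed on this page; the eight-character random-name pattern is an assumption drawn from the sample names quoted here (6j1fqm4L.plz, jw2gf7j6.lnk).

```powershell
# Added example, not code from the Microsoft write-up: enumerate the Reveton
# persistence artifacts described above on a live Windows host. Run from an
# elevated PowerShell prompt in Safe Mode, because the lock screen covers the
# desktop while the threat is running. Folder and name patterns come from the
# write-up; the "8 random letters/digits" regex is an assumption based on the
# sample names it quotes (6j1fqm4L.plz, jw2gf7j6.lnk).

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Kind, $Where, $Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}
$dataPattern = 'Application Data|ProgramData|AppData|\\Temp\\'

# 1. Run value named "Task Scheduler" (the real Task Scheduler is a service, not a Run entry).
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Task Scheduler']) {
    Add-Finding 'RunKey' 'HKCU\...\CurrentVersion\Run' ('Task Scheduler = ' + $run.'Task Scheduler')
}

# 2. Winmgmt ServiceDll hijack: the only legitimate value is %SystemRoot%\system32\wbem\WMIsvc.dll.
$wmi = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters' -ErrorAction SilentlyContinue
if ($wmi -and $wmi.ServiceDll -notmatch '\\system32\\wbem\\WMIsvc\.dll$') {
    Add-Finding 'ServiceDll' 'HKLM\...\Winmgmt\Parameters' $wmi.ServiceDll
}

# 3. AppCompat layer that switches DEP off for an executable living in a data or profile folder.
$layers = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers' -ErrorAction SilentlyContinue
if ($layers) {
    foreach ($p in $layers.PSObject.Properties) {
        if ("$($p.Value)" -match 'DisableNXShowUI' -and $p.Name -match $dataPattern) {
            Add-Finding 'DEPOptOut' 'HKLM\...\AppCompatFlags\Layers' "$($p.Name) = $($p.Value)"
        }
    }
}

# 4. Startup-folder shortcuts: the names listed above, random 8-character names, "<name>.dll.lnk",
#    and any shortcut whose target is rundll32.exe or a copied lsass.exe launching a DLL from a data folder.
$wsh = New-Object -ComObject WScript.Shell
$knownLnk = 'ctfmon.lnk', 'task scheduler.lnk', 'runctf.lnk', 'regmonstd.lnk'
$startupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
foreach ($dir in $startupDirs | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
    foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter *.lnk -ErrorAction SilentlyContinue) {
        $sc  = $wsh.CreateShortcut($lnk.FullName)
        $cmd = "$($sc.TargetPath) $($sc.Arguments)"
        $badName   = ($knownLnk -contains $lnk.Name) -or ($lnk.Name -match '^[a-z0-9]{8}\.lnk$') -or ($lnk.Name -match '\.dll\.lnk$')
        $badTarget = ($cmd -match 'rundll32|lsass\.exe') -and ($cmd -match "$dataPattern|\.plz|\.dat|\.pad|\.pff")
        if ($badName -or $badTarget) { Add-Finding 'StartupLnk' $lnk.FullName $cmd }
    }
}

# 5. Dropped files: the "task scheduler" copy, a renamed rundll32 called lsass.exe outside System32,
#    random-named .plz/.dat/.pad/.pff/.reg blobs, and the reversed-name scheme (*.lld).
$dataDirs = $env:ProgramData, "$env:ALLUSERSPROFILE\Application Data", $env:APPDATA, $env:TEMP |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique
foreach ($dir in $dataDirs) {
    $ts = Join-Path $dir 'task scheduler\task scheduler.exe'
    if (Test-Path -LiteralPath $ts) { Add-Finding 'DroppedFile' $ts 'executable named after Task Scheduler' }
    Get-ChildItem -LiteralPath $dir -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        if ($_.Name -match '^[a-z0-9]{8}\.(plz|dat|pad|pff|reg)$' -or $_.Name -ieq 'lsass.exe' -or $_.Extension -ieq '.lld') {
            Add-Finding 'DroppedFile' $_.FullName ('{0} bytes, modified {1}' -f $_.Length, $_.LastWriteTime)
        }
    }
}

# 6. Lock.dll injected into a running browser (only visible while the lock screen is up).
foreach ($proc in Get-Process chrome, firefox, iexplore, opera -ErrorAction SilentlyContinue) {
    try {
        $mod = $proc.Modules | Where-Object { $_.ModuleName -ieq 'Lock.dll' }
        if ($mod) { Add-Finding 'InjectedDll' "$($proc.Name) (PID $($proc.Id))" $mod.FileName }
    } catch { Add-Finding 'InjectedDll' "$($proc.Name) (PID $($proc.Id))" "could not list modules: $($_.Exception.Message)" }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize -Wrap } else { 'No Reveton persistence artifacts found.' }
```

Safe Mode stops the Run-key and startup-folder variants from starting, but the Winmgmt ServiceDll variant may still load there; for that one, boot Windows Defender Offline or WinPE and inspect the offline SOFTWARE, SYSTEM and NTUSER.DAT hives instead. Treat each hit as a lead to confirm rather than proof: random-named .dat files also occur legitimately under %ProgramData%, and a DEP opt-out layer can be set by a user for an old application.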

Distribution

Typically, Ransom:Win32/Reveton is installed on a PC as a result of a drive-by download attack, for example, by an exploit pack, or you might encounter it if you visit a hacked page.

We have observed, for instance, other malware, like Exploit:Win32/Pdfjsc.ADY and Exploit:Win32/Pdfjsc.ADQ, which can be distributed via the Blacole exploit pack, downloading Ransom:Win32/Reveton onto compromised PCs.

Payload

Prevents you from using your PC

As part of its payload, Ransom:Win32/Reveton displays a full-screen webpage that covers all other windows, rendering your PC unusable. The image is a fake warning pretending to be from a legitimate institution which demands the payment of a fine.

Paying the "fine" will not necessarily return your PC to a usable state.

Localized lock screens seen in variants of Ransom:Win32/Reveton pretend to be from the following agencies:

  • The US Department of Homeland Security
  • The Department of Justice, USA
  • New Scotland Yard, Metropolitan Police and Strathclyde Police
  • The Bundespolizei, or German Federal Police, National Cyber Crimes Unit
  • The Federal Bureau of Investigation, or FBI (several variants)
  • The Computer Crime & Intellectual Property Section of the United States Department of Justice
  • The Cuerpo Nacional de Policía, or National Police Corps of Spain
  • The Guardia di Finanza, or Italian Financial Guard

Downloads and runs other malware components

Ransom:Win32/Reveton can download and run customized DLL payloads, like the following:

  • Lock.dll, which the threat injects into browser processes, including the following, to display the fraudulent message:
    • chrome.exe
    • firefox.exe
    • iexplore.exe
    • opera.exe
  • FileMem.dll, an encrypted file that can carry different payloads, including information-stealing routines, and might be detected as PWS:Win32/Reveton

Reveton can also download a DLL file that it stores in a container file with a random name and a .pad or .pff extension, for example e8al.pad and rodolcdod.pff.

It puts this file in the %ALLUSERSPROFILE%\Application Data or %TEMP% folder. This DLL is used to display the lock screen message and might be detected as Ransom:Win32/Reveton.U or Ransom:Win32/Reveton.V.

It might load these files directly into memory rather than writing them to a fixed location on disk, in which case there is no file on disk for a scan to find.

In the wild, we have observed variants of Ransom:Win32/Reveton downloading these DLL files, images, and other bundled malware from the following IP addresses and domains, over port 80 or 443. These indicators were current at the time of analysis (2012 to 2014); the IP addresses in particular may have been reassigned since, so treat a match in old logs as a lead rather than proof of infection:

  • 146.185.218.52
  • 146.185.255.194
  • 195.191.56.194
  • 195.208.185.33
  • 213.152.172.101
  • 58.107.26.174
  • 82.192.88.13
  • 85.143.166.132
  • 85.143.166.136
  • whatwillber.com
  • willber.com

Changes Internet browser settings

Some variants of Ransom:Win32/Reveton might change Internet Explorer settings by making a number of registry changes.

Suppress the Internet Explorer information bar that warns when Protected Mode is turned off:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "NoProtectedModeBanner"
With data: "1"

Lock the Internet Explorer toolbar:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Toolbar
Sets value: "Locked"
With data: "1"

Allow mixed HTTP/HTTPS content without a prompt in every security zone (value 1609 is "Display mixed content"; 0 means Enable; zones 0 to 4 are Local machine, Local intranet, Trusted sites, Internet and Restricted sites):

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1609"
With data: "0"

Changes PC settings

Some variants might disable Task Manager by making the following registry change:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "1"

Some Reveton variants can also hide all icons on your desktop by making the following registry change:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideIcons"
With data: "1"

Ends processes

To prevent you from ending the malware process, some variants of Ransom:Win32/Reveton might end the process taskmgr.exe as soon as it is run.
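
The following script is an added example, not code from the Microsoft write-up, for reverting the registry changes listed in the Installation, "Changes Internet browser settings" and "Changes PC settings" sections once the malware files themselves have been removed (for example by a Windows Defender Offline scan). It assumes the stock Winmgmt service DLL is %SystemRoot%\system32\wbem\WMIsvc.dll, and it restores each zone's "Display mixed content" (1609) value from the machine-wide copy under HKLM, falling back to 1 (Prompt) when that key is absent; that fallback is an assumption, so compare against a clean machine or your group policy.

```powershell
# Added example, not code from the Microsoft write-up: revert the registry changes
# listed in the Installation, "Changes Internet browser settings" and "Changes PC
# settings" sections once the malware files have been removed. Run elevated, in
# Safe Mode, logged on as the affected user, because the HKCU values live in that
# user's profile.
# Assumptions: the Winmgmt default is the stock %SystemRoot%\system32\wbem\WMIsvc.dll;
# the per-zone 1609 value is copied back from HKLM, with 1 (Prompt) as a fallback.

$log = New-Object System.Collections.Generic.List[string]

function Set-RegValue($Path, $Name, $Value, $Type = 'DWord') {
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
    $log.Add("set     $Path\$Name = $Value")
}
function Remove-RegValue($Path, $Name) {
    if ($null -ne (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue)) {
        Remove-ItemProperty -Path $Path -Name $Name -Force
        $log.Add("removed $Path\$Name")
    }
}

# Installation section: Run entry, Winmgmt ServiceDll hijack, DEP opt-out layer.
Remove-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'Task Scheduler'

$wmiKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters'
$current = (Get-ItemProperty -Path $wmiKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
if ($current -and ($current -notmatch '\\system32\\wbem\\WMIsvc\.dll$')) {
    # REG_EXPAND_SZ so that %SystemRoot% is expanded by the service host, as in a clean install.
    Set-RegValue $wmiKey 'ServiceDll' '%SystemRoot%\system32\wbem\WMIsvc.dll' 'ExpandString'
}

$layers     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$layerProps = Get-ItemProperty -Path $layers -ErrorAction SilentlyContinue
if ($layerProps) {
    foreach ($p in $layerProps.PSObject.Properties) {
        if ("$($p.Value)" -match 'DisableNXShowUI' -and $p.Name -match 'Application Data|ProgramData|AppData') {
            Remove-RegValue $layers $p.Name
        }
    }
}

# "Changes Internet browser settings" section.
Remove-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'NoProtectedModeBanner'
Set-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar' 'Locked' 0
foreach ($zone in 0..4) {
    $userKey    = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
    $machineKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
    $default = (Get-ItemProperty -Path $machineKey -Name '1609' -ErrorAction SilentlyContinue).'1609'
    if ($null -eq $default) { $default = 1 }   # assumption: Prompt when no machine default exists
    Set-RegValue $userKey '1609' $default
}

# "Changes PC settings" section.
Remove-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableTaskMgr'
Set-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideIcons' 0

$log
'Log off and on (or restart) for the Explorer and Internet Explorer settings to take effect.'
```

The script only touches the values this write-up names and records each change so it can be reviewed; it does not delete the dropped .plz/.dat/.pad/.pff files, which is left to the antimalware scan. If DisableTaskMgr or the zone settings are enforced by domain group policy they will be reapplied at the next policy refresh, which is expected and harmless.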

Additional information

The name Reveton comes from the first variant, Ransom:Win32/Reveton.A, which contains the string "NOTEVER": "REVETON" spelled backwards.

We have observed Ransom:Win32/Reveton using a variety of legitimate payment and financial transfer services, including the following:

These providers are not affiliated with Ransom:Win32/Reveton.

If you believe you are a victim of fraud involving one of these services, you should contact them, along with your local authorities.

Related encyclopedia entries

Ransom:Win32/Reveton!lnk

PWS:Win32/Reveton

Analysis by Amir Fouda and Edgardo Diaz


Symptoms

The following could indicate that you have this threat on your PC:
  • You have files such as these:

    <startup folder>\ctfmon.lnk
    <startup folder>\task scheduler.lnk
    <startup folder>\runctf.lnk
    <startup folder>\<random file name>.dll.lnk
    Lock.dll
    FileMem.dll


  • You see these entries or keys in your registry:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
    Value: "%ALLUSERSPROFILE%\Application Data\task scheduler\Task Scheduler.exe"
    With data: "disablenxshowui"

    In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
    Value: "NoProtectedModeBanner"
    With data: "1"

    In subkey: HKCU\Software\Microsoft\Internet Explorer\Toolbar
    Value: "Locked"
    With data: "1"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    Value: "1609"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    Value: "1609"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    Value: "1609"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    Value: "1609"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    Value: "1609"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Value: "DisableTaskMgr"
    With data: "1"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Value: "HideIcons"
    With data: "1"

  • When you turn your PC on, you see images telling you to pay a "fine", similar to those described above

Prevention


Alert level: Severe
First detected by definition: 1.137.1924.0
Latest detected by definition: 1.183.1360.0 and higher
First detected on: Oct 16, 2012
This entry was first published on: Aug 30, 2012
This entry was updated on: Aug 25, 2014

This threat is also detected as:
  • FBI moneypak (other)
  • Lockscreen (other)
  • FBI virus (other)