Trojan:Win32/Reveton.A is ransomware that targets users from certain countries, similar to Trojan:Win32/Ransom.FL. It locks the computer and, depending on your location, displays a localized webpage that covers the entire desktop and demands payment for the supposed possession of illicit material.
Trojan:Win32/Reveton.A arrives as a DLL file with a random name. It creates a shortcut file to itself in the Windows startup folder; the shortcut has the same name as the DLL file, but with the LNK extension.
When Windows starts, it runs the command associated with the shortcut, as follows:
rundll32.exe <path>\<file name>.dll, <random exported name>
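The persistence pattern described above can be checked for directly. The following is an added example, not part of the original analysis: it lists Startup-folder shortcuts whose command runs rundll32.exe against a DLL and reports whether the DLL's base name equals the shortcut's name. The function name Find-RundllStartupShortcut is hypothetical, and the script assumes the command line is stored in the shortcut's target and arguments fields.

```powershell
# Added example: flag Startup-folder shortcuts that match the pattern
#   rundll32.exe <path>\<file name>.dll, <exported name>
# Find-RundllStartupShortcut is a hypothetical name used for illustration.
function Find-RundllStartupShortcut {
    $shell = New-Object -ComObject WScript.Shell

    # Per-user and all-users Startup folders
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    foreach ($folder in $folders) {
        Get-ChildItem -LiteralPath $folder -Filter '*.lnk' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            # Assumption: the command is split across TargetPath and Arguments
            $cmd = ('{0} {1}' -f $lnk.TargetPath, $lnk.Arguments).Trim()

            # Match: rundll32[.exe] <dll path>, <export>  (quotes optional)
            if ($cmd -match 'rundll32(\.exe)?"?\s+"?(?<dll>[^",]+\.dll)"?\s*,\s*(?<export>\S+)') {
                $dllPath = $Matches['dll'].Trim()
                $dllBase = [IO.Path]::GetFileNameWithoutExtension($dllPath)
                [pscustomobject]@{
                    Shortcut       = $_.FullName
                    Dll            = $dllPath
                    Export         = $Matches['export']
                    # True when <name>.lnk points at <name>.dll, as described above
                    NameMatchesDll = ($dllBase -ieq $_.BaseName)
                    DllExists      = (Test-Path -LiteralPath $dllPath)
                }
            }
        }
    }
}

Find-RundllStartupShortcut | Format-List
```

Legitimate software also uses rundll32.exe shortcuts, so treat a result as a lead to review; entries where NameMatchesDll is True fit the description most closely.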
Prevents you from accessing the desktop
When run, Trojan:Win32/Reveton.A displays a full-screen webpage that covers all other windows, rendering your PC effectively unusable. The image is a fake warning pretending to be from a legitimate institution. It demands the payment of a supposed fine. However, even if you pay, your PC is still left unusable.
The images might look like the following:
Downloads and runs other malware
Trojan:Win32/Reveton.A downloads and runs other malware, detected as PWS:Win32/Reveton.A.
Connects to remote servers
Trojan:Win32/Reveton.A has been seen to download images and other bundled malware from the following IP addresses:
Analysis by Sergey Chernyshev
The following could indicate that you have this threat on your PC:
- You see images similar to the following: