Reveton
Reveton is a ransomware Trojan that hijacks your browser to display a full-screen fake legal alert while it also locks down your computer. Because the alerts use country-specific references to real legal agencies, Reveton may look legitimate at first glance, but it is simply a way for criminals to extract money from PC users by accusing them of made-up crimes. Reveton's pop-up alerts are recognizable members of the widespread 'Ukash Virus' family, which SpywareRemove.com malware experts have noted is especially common in Europe, although countries outside Europe have also been affected by Reveton attacks. Because Reveton starts automatically and locks the system, it must be prevented from launching before you can reach the anti-malware programs that would remove it, although deactivating Reveton is not necessarily as difficult as one would assume (as noted further in this article).
Don't Be Intimidated by Reveton's Crooked Cops
Once Reveton is launched, it can be recognized by the pop-up window it generates to cover your desktop, including the Windows taskbar. While that window is open, shortcuts and the rest of the Windows interface are unreachable, and attempts to navigate away through the window itself also fail: the pop-up is a static image shown in a browser window with the URL bar disabled.
The image Reveton displays in this window depends on your PC's IP address, which Reveton uses to match the alert to your country of origin. Pop-up variants that SpywareRemove.com malware researchers have observed from Reveton include:
- Guardia di Finanza Ransomware, from Italy.
- The Scotland Yard Ukash Virus from the United Kingdom.
- Bundespolizei National Cyber Crimes Unit Ransomware from Germany.
- Cuerpo Nacional de Policia Virus from Spain.
- Polícia de Segurança Pública Portuguese Virus from Portugal.
- Poliisi Tietoverkkorikos Tutkinnan Yksikkö Ransomware from Finland.
Besides displaying basic law enforcement imagery and your IP address, Reveton's pop-ups claim that your PC has been involved in illegal file trafficking or the viewing of illegal media. This pretext gives Reveton a semi-plausible reason for blocking access to your computer, although SpywareRemove.com malware researchers emphasize that Reveton is not affiliated with any form of real law enforcement.
Where Reveton's Fake Warnings Ultimately Lead
Reveton's warning messages exist strictly to frighten you into transferring a 'fee' through Ukash, Paysafecard or a similar prepaid payment service. Since the fees and other legal penalties that Reveton levies against you are completely fraudulent, SpywareRemove.com malware analysts can never recommend any course of action other than finding a way to delete Reveton with all your money intact; paying does nothing to remove the infection.
Removing Reveton requires first disabling its startup entries (a Startup-folder shortcut and, in the samples described in the Technical Details below, a modified Winlogon Userinit value), which is viable through a Safe Mode boot or, in extreme cases, by booting your OS from a USB drive. Keep in mind that Winlogon still runs the Userinit value in Safe Mode, so a sample that relies on that hijack can survive a plain Safe Mode boot; booting from external media is the fallback in that case. Competent anti-malware products should experience no real difficulty in deleting Reveton once it has been prevented from launching in the first place.
Technical Details
File System Modifications
The following files were created or used in the system:
- C:\WINDOWS\System32\svchost.exe -k netsvcs (executable file)
- C:\WINDOWS\system32\spoolsv.exe (executable file)
- %AppData%\Trojan:Win32/Reveton.A (executable file)
- %startup%\%malwarefilename%.lnk (shortcut)
- %USERPROFILE%\Start Menu\Programs\Startup\<reveton_filename>.dll.lnk (shortcut, Windows XP path)
- %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<reveton_filename>.dll.lnk (shortcut, Windows Vista and later path)
Two notes on this list. First, svchost.exe with the netsvcs group and spoolsv.exe (the print spooler) are standard Windows binaries that live in System32 on every installation; their names appearing here do not mean those files are malicious and they should not be deleted. A copy of either at a different path, or one of these processes loading a module from a user-writable folder such as %AppData%, would be the actual indicator. Second, 'Trojan:Win32/Reveton.A' is a detection name rather than a file name (a colon is not valid in an NTFS file name), so the dropped executable under %AppData% will carry some other, usually random, name. The Startup-folder shortcuts are the part that recurs across samples: a .lnk pointing at a DLL so that the payload is loaded at every logon.
Registry Modifications
Value:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: 'Userinit' = '\userinit.exe, %Documents and Settings%\[UserName]\Application Data\temp_sys.exe'
Subkeys:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32\Trojan:Win32/Reveton.A
The Userinit modification is the important one. On a clean system the value is exactly 'C:\Windows\system32\userinit.exe,' (a single entry with a trailing comma); Winlogon runs every comma-separated entry at logon, before the shell and in Safe Mode as well, so appending temp_sys.exe is what lets the lock screen come up before you can do anything. Restoring the value to the single userinit.exe entry removes that persistence point. The Policies\System key is where per-user policy values such as DisableTaskMgr and DisableRegistryTools live, which is consistent with the lock screen blocking the usual escape routes; check it for values you did not set.
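The removal advice above and the persistence artifacts in the Technical Details (the Userinit hijack, the Startup-folder .lnk files and the Run key) can be checked with a short script before anything is deleted. The following PowerShell is an added example written for this page; it is not SpywareRemove.com's code and is not derived from a Reveton sample. The set of folders it treats as user-writable, the clean Userinit value it compares against, and its inclusion of the HKCU and Wow6432Node Run keys (the page only lists an HKLM entry) are assumptions, noted in the comments.

```powershell
# Added example, not code from SpywareRemove.com or from a Reveton sample.
# Audits the persistence points described on this page: the Winlogon Userinit
# value, the per-user and all-users Startup folders, and the Run keys.
# Run from an elevated prompt, ideally after booting from trusted media so the
# lock screen is not in the way. Read-only: it reports, it deletes nothing.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Location, [string]$Item, [string]$Reason) {
    $findings.Add([pscustomobject]@{ Location = $Location; Item = $Item; Reason = $Reason })
}

# Assumption: folders a logged-on user can write to. A logon-time executable
# living here is the pattern on this page (%AppData%, Application Data\temp_sys.exe).
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ } | Select-Object -Unique

function Test-UserWritablePath([string]$Text) {
    foreach ($dir in $userWritable) { if ($Text -like "*$dir*") { return $true } }
    # Also catch the XP-era spelling and the unexpanded variable used in the page's entries.
    return ($Text -match 'Application Data' -or $Text -match '%AppData%')
}

# 1. Winlogon Userinit. Clean value is exactly "<SystemRoot>\system32\userinit.exe,"
#    (one entry, trailing comma). Reveton appends its own executable after it.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
foreach ($entry in ($userinit -split ',')) {
    $entry = $entry.Trim()
    if (-not $entry) { continue }
    if ($entry -ine $expected -and $entry -ine 'userinit.exe') {
        Add-Finding "$winlogon\Userinit" $entry 'Extra Userinit executable (Winlogon hijack)'
    }
}

# 2. Startup folders. Reveton drops <name>.dll.lnk so the DLL is loaded at logon.
#    Resolve each shortcut and flag DLL targets or targets in user-writable folders.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter *.lnk -File) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        $target = ('{0} {1}' -f $sc.TargetPath, $sc.Arguments).Trim()
        if ($lnk.Name -match '\.dll\.lnk$' -or $target -match '\.dll\b' -or (Test-UserWritablePath $target)) {
            Add-Finding $lnk.FullName $target 'Startup shortcut to DLL or user-writable path'
        }
    }
}

# 3. Run keys. The page lists an HKLM entry; HKCU and the 32-bit view on x64
#    are checked too (assumption). Flag any value pointing into a user-writable folder.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
        if (Test-UserWritablePath ([string]$p.Value)) {
            Add-Finding "$key\$($p.Name)" $p.Value 'Run entry in user-writable folder'
        }
    }
}

if ($findings.Count -eq 0) { 'No Reveton-style persistence found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Because %USERPROFILE% is on the user-writable list, legitimate Startup shortcuts and Run entries that a user installed into their own profile will also be reported; the script is a triage aid, and each finding should be confirmed (hash the target, check its signature and timestamp) before the shortcut or value is removed and the Userinit value is restored to the single userinit.exe entry.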