Virus:TR/Reveton.A.432
Date discovered:15/03/2012
Type:Trojan
In the wild:No
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low
File size:213,016 bytes
MD5 checksum:f91cc13a0D484e3b9ce1d244edb52035
VDF version:7.11.25.106 - Thursday, March 15, 2012
IVDF version:7.11.25.106 - Thursday, March 15, 2012

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Generic.evx!bu
   •  Kaspersky: HEUR:Trojan.Win32.Generic
   •  Bitdefender: Trojan.Reveton.E
   •  Microsoft: Trojan:Win32/Reveton.A
   •  Grisoft: Generic27.ATPP
   •  Eset: a variant of Win32/Kryptik.ACQF trojan
   •  GData: Trojan.Reveton.E
   •  DrWeb: Trojan.Siggen3.52657


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Can be used to modify system settings that allow or augment potential malware behaviour.
   • Downloads a file
   • Records keystrokes
   • Registry modification

 Files The following file is created:

– Non malicious file (a shortcut, not the malware itself; placing it in the user's Startup folder makes Windows launch the dropped executable again at every logon, so it is the persistence mechanism even though the .lnk contains no code; "sample.exe" is the analysis sandbox's name for the dropped binary):
   • %HOMEPATH%\Start Menu\Programs\Startup\sample.exe.lnk

 Registry The following registry values are added. They are not service autostart entries but Internet Explorer settings: "2500" is the Protected Mode switch for each security zone (0 Local Machine, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites) and the data 3 turns it off, while NoProtectedModeBanner suppresses the information bar IE shows when Protected Mode is disabled:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\0]
   • "2500"=dword:00000003

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\1]
   • "2500"=dword:00000003

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\2]
   • "2500"=dword:00000003

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\3]
   • "2500"=dword:00000003

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\4]
   • "2500"=dword:00000003

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   • "NoProtectedModeBanner"=dword:00000001



The following registry value is added (a per-user policy that blocks Task Manager, so the user cannot end the process from there):

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   • "DisableTaskMgr"=dword:00000001



The following registry values are changed ("1609" is the "Display mixed content" URL action for each zone; the default 1 prompts the user, 0 allows mixed content silently):

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\0]
   Old value:
   • "1609"=dword:00000001
   New value:
   • "1609"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\1]
   Old value:
   • "1609"=dword:00000001
   New value:
   • "1609"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\2]
   Old value:
   • "1609"=dword:00000001
   New value:
   • "1609"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\3]
   Old value:
   • "1609"=dword:00000001
   New value:
   • "1609"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\4]
   Old value:
   • "1609"=dword:00000001
   New value:
   • "1609"=dword:00000000
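Added triage script, not part of the Avira description. It checks the current user's profile for the file and registry indicators listed above and, with -Remediate, reverts them: values the description marks as added are removed (so IE's built-in defaults apply again) or, for Protected Mode in the Internet and Restricted Sites zones, set back to 0; "1609" is set back to its recorded old value of 1. The indicator paths and data are the page's; the helper names and the -Remediate switch are assumptions of this example. Run it as the affected user (HKCU is evaluated for the caller) in an elevated PowerShell session; the shortcut-target check assumes the sandbox file name "sample.exe", so adjust it to the name seen on the real host.

```powershell
# Added example: host check for the TR/Reveton.A.432 indicators above.
[CmdletBinding()]
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Indicator, [string]$Location, $Value) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Location = $Location; Value = $Value })
}

# 1. Startup-folder shortcut. GetFolderPath('Startup') resolves both the XP-era
#    "%HOMEPATH%\Start Menu\Programs\Startup" layout in the description and the
#    Vista+ AppData\Roaming location. Every .lnk target is reported; only one
#    pointing at the assumed file name "sample.exe" is removed on -Remediate.
$startup = [Environment]::GetFolderPath('Startup')
$wsh = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $wsh.CreateShortcut($_.FullName).TargetPath
    Add-Finding 'Startup shortcut' $_.FullName $target
    if ($Remediate -and $target -match '\\sample\.exe$') { Remove-Item -Path $_.FullName -Force }
}

# 2. IE security zones 0..4. "2500"=3 disables Protected Mode for the zone;
#    IE ships with it off for zones 0-2 anyway, so only zones 3 (Internet) and
#    4 (Restricted Sites) are treated as strong evidence and reverted.
#    "1609"=0 allows mixed content without the default prompt (1).
$zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
foreach ($z in 0..4) {
    $key = Join-Path $zones $z
    if (-not (Test-Path $key)) { continue }
    $p = Get-ItemProperty -Path $key
    if ($p.PSObject.Properties['2500'] -and $p.'2500' -eq 3) {
        $label = if ($z -ge 3) { 'Protected Mode disabled (strong)' } else { 'Protected Mode disabled (IE default for this zone)' }
        Add-Finding $label "$key\2500" 3
        if ($Remediate -and $z -ge 3) { Set-ItemProperty -Path $key -Name '2500' -Value 0 -Type DWord }
    }
    if ($p.PSObject.Properties['1609'] -and $p.'1609' -eq 0) {
        Add-Finding 'Mixed content allowed silently' "$key\1609" 0
        if ($Remediate) { Set-ItemProperty -Path $key -Name '1609' -Value 1 -Type DWord }
    }
}

# 3. Values the description records as added outright; removing them restores
#    the default behaviour (Protected Mode banner shown, Task Manager allowed).
$added = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                  Name = 'NoProtectedModeBanner'; Label = 'Protected Mode warning suppressed' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';        Label = 'Task Manager disabled by user policy' }
)
foreach ($a in $added) {
    if (-not (Test-Path $a.Key)) { continue }
    $p = Get-ItemProperty -Path $a.Key
    if ($p.PSObject.Properties[$a.Name] -and $p.($a.Name) -eq 1) {
        Add-Finding $a.Label "$($a.Key)\$($a.Name)" 1
        if ($Remediate) { Remove-ItemProperty -Path $a.Key -Name $a.Name }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No TR/Reveton.A.432 host indicators found for this user.' }
else { $findings | Format-Table -AutoSize }
```

The registry indicators alone are weak on their own (any script that tunes IE zones can set them); treat a hit as a reason to pull the startup shortcut's target binary and check its MD5 against the value at the top of this description, and remember that the dropped executable itself is not removed by this script.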

 Miscellaneous Internet connection:
The sample contacts the following URL (partly masked in the description). It is a web address, not a DNS server, and the ".rar" path is consistent with the "Downloads a file" side effect listed above:
   • http://91.217.**********.**********/**********.rar


Event handler:
The description lists the following names as event handlers the sample creates. Most of them are Win32 API function or window-message names found in the sample rather than handlers it defines itself: GetAsyncKeyState is the keystroke-polling call behind the "Records keystrokes" side effect, WaitForSingleObject and TrackMouseEvent are ordinary synchronisation and mouse-tracking APIs, and TaskbarCreated is the window message Explorer broadcasts when its taskbar is (re)created, which a program can watch in order to re-establish its window after Explorer is restarted:
   • StartMenuForceRefresh
   • ImageList_ReplaceIcon
   • WaitForSingleObject
   • DisableShowAtLogon
   • StartupHasBeenRun
   • GetAsyncKeyState
   • TrackMouseEvent
   • TaskbarCreated

Description inserted by Wensin Lee on Friday, March 16, 2012
Description updated by Wensin Lee on Monday, March 19, 2012
