Win32/Reveton

Postby rkhunter » Sun Jan 15, 2012 7:58 am

Interesting case.

Trojan:Win32/Reveton.A,
MD5: 34818ce171ea150b91429ac1dd6fbe49

VT

It sets ActiveDesktop, runs IE and requests the FakePoliceAlert page; as a result your desktop looks like this:

[image attachment]

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 46.38.58.47
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sun, 15 Jan 2012 07:20:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.6-1+lenny13
Content-Encoding: gzip


GET /img/downheader.jpg HTTP/1.1
Accept: */*
Referer: hxxp://46.38.58.47/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 46.38.58.47
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sun, 15 Jan 2012 07:20:17 GMT
Content-Type: image/jpeg
Content-Length: 60665
Last-Modified: Thu, 08 Dec 2011 22:16:50 GMT
Connection: keep-alive
Accept-Ranges: bytes
rkhunter
 
Posts: 1145
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147
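The capture quoted above, reused in an added example that is not part of the original post: a small Python triage routine that parses a headers-only HTTP stream into request/response pairs and scores each exchange against heuristics drawn from what the capture shows (a bare-IP Host and Referer, the IE6/XP User-Agent, a root HTML page served from an IP address), plus the three landing IPs posted in this thread. The sample stream is reconstructed from the quoted headers with bodies omitted; the scoring rules and the clean comparison request are the editor's assumptions, not published indicators, and the 2012 IPs will be stale.

```python
"""Triage of a captured HTTP session for Reveton-style ransom-page fetches.

Added example, not code from the original post. The sample stream is
reconstructed from the headers quoted in the post (bodies omitted); the
scoring rules are the editor's own heuristics, not vendor indicators.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: the two request/response pairs quoted in the post,
# joined as one Keep-Alive stream with CRLF endings and no bodies.
# The Referer keeps the post's defanged "hxxp" scheme.
SAMPLE_STREAM = (
    "GET / HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: 46.38.58.47\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/0.6.32\r\n"
    "Content-Type: text/html\r\n"
    "X-Powered-By: PHP/5.2.6-1+lenny13\r\n"
    "Content-Encoding: gzip\r\n"
    "\r\n"
    "GET /img/downheader.jpg HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Referer: hxxp://46.38.58.47/\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: 46.38.58.47\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/0.6.32\r\n"
    "Content-Type: image/jpeg\r\n"
    "Content-Length: 60665\r\n"
    "\r\n"
)

# Landing IPs listed in this thread (January 2012); stale today.
THREAD_IOC_IPS = {"46.38.58.47", "95.57.120.108", "95.57.120.59"}

# Exact User-Agent string seen in the capture.
IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


@dataclass
class Message:
    start_line: str
    headers: dict = field(default_factory=dict)

    @property
    def is_response(self) -> bool:
        return self.start_line.startswith("HTTP/")


def parse_header_blocks(stream: str) -> list:
    """Split a headers-only HTTP stream into Messages; header names are
    lower-cased so lookups do not depend on the sender's capitalisation."""
    messages = []
    for block in stream.split("\r\n\r\n"):
        lines = [ln for ln in block.split("\r\n") if ln]
        if not lines:
            continue
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        messages.append(Message(lines[0], headers))
    return messages


def pair_exchanges(messages: list) -> list:
    """Pair each request with the response that follows it (None if absent)."""
    pairs, i = [], 0
    while i < len(messages):
        req = messages[i]
        if req.is_response:  # stray response without a request; skip it
            i += 1
            continue
        nxt = messages[i + 1] if i + 1 < len(messages) else None
        resp = nxt if nxt is not None and nxt.is_response else None
        pairs.append((req, resp))
        i += 2 if resp else 1
    return pairs


def is_bare_ip(host: str) -> bool:
    """True if the host part is an IPv4/IPv6 literal rather than a DNS name."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_request(req: Message, resp, ioc_ips=THREAD_IOC_IPS) -> list:
    """Heuristic reasons the exchange resembles a ransom-page fetch; an
    empty list means nothing matched. Rules are the editor's assumptions."""
    reasons = []
    host = urlparse("//" + req.headers.get("host", "")).hostname or ""
    if host in ioc_ips:
        reasons.append("host matches thread IOC list")
    if is_bare_ip(host):
        reasons.append("Host header is a bare IP literal")
    if req.headers.get("user-agent") == IE6_UA:
        reasons.append("IE6/WinXP User-Agent")
    referer = req.headers.get("referer")
    if referer and is_bare_ip(urlparse(referer).hostname or ""):
        reasons.append("Referer points at a bare IP")
    if (resp is not None and req.start_line.startswith("GET / ")
            and resp.headers.get("content-type", "").startswith("text/html")):
        reasons.append("root HTML page fetched from IP host")
    return reasons


def triage_stream(stream: str, ioc_ips=THREAD_IOC_IPS) -> list:
    """Score every exchange in the stream; returns (request line, reasons)."""
    return [(req.start_line, score_request(req, resp, ioc_ips))
            for req, resp in pair_exchanges(parse_header_blocks(stream))]


if __name__ == "__main__":
    for line, reasons in triage_stream(SAMPLE_STREAM):
        print(line, "->", "; ".join(reasons) or "clean")
```

Run it on a proxy or IDS header log exported with CRLF line endings; a single rule firing (for example the IE6 User-Agent) is weak on its own, so treat only the stacked combination, or an IOC hit, as worth a look.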

Re: Trojan Ransom / FakePoliceAlert

Postby rkhunter » Sun Jan 15, 2012 5:11 pm

Reveton.A with French ransom feature

MD5: 12b9e1d71739eb99bb02be37887f5cce

13/41

[image attachment]

IP: 95.57.120.108

Edit: one more with a "Spain" ransom feature

MD5: 909690e0b6884617c25717f4213ad4df

IP: 95.57.120.59

Re: Trojan Ransom / FakePoliceAlert

Postby rkhunter » Wed Jan 25, 2012 9:10 am

Reveton with "Metropolitan Police" ransom downloader feature.
Seems to be a BH payload.

MD5: 3505F76E1A675F1683AF9B8A775D8C2B
4/43

[image attachment]

Re: Trojan Winlock / Ransom / ScreenLocker

Postby rkhunter » Mon Jan 30, 2012 9:46 am

Reveton - "Metropolitan Police" FUD

MD5: 1b4f01e6a54406e571c4bd5cb08b208b
0/43

Re: Trojan Winlock / Ransom / ScreenLocker

Postby rkhunter » Tue Jan 31, 2012 4:01 pm

Reveton.A with UK/German/Italian/French pages downloader

Re: Trojan Ransom / FakePoliceAlert

Postby rkhunter » Tue Feb 07, 2012 7:23 am

Reveton

MD5: 57627c2c58e3ce46034a0b6bcf883dfd
13/43

[image attachment]

Re: Trojan Winlock / Ransom / ScreenLocker

Postby rkhunter » Thu Feb 16, 2012 11:52 am

13 fresh Reveton ransomware samples

Re: Trojan Winlock / Ransom / ScreenLocker

Postby rkhunter » Wed Feb 22, 2012 1:35 pm

UK Reveton

MD5: 06b4fe70b207d82459f4146688dca4bf
18/43

MD5: fc6e3eec8ff7686e1a335ff488363c38
2/43

Re: Trojan Winlock / Ransom / ScreenLocker

Postby rkhunter » Fri Mar 02, 2012 9:13 am

Fresh Reveton - UK, BH payload

MD5: 0C5ED6D992C7CE93A6837E04ABEDF928
5/42

MD5: 683D67DE50670F0708EBB67BA78CE9DA
0/43

Re: Trojan Winlock / Ransom / ScreenLocker

Postby rkhunter » Fri Mar 02, 2012 7:23 pm

abuse.ch on Reveton and how it identifies which cover to display: http://www.abuse.ch/?p=3610