Win32/Reveton

Forum for analysis and discussion about malware.
Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: Win32/Reveton

Post by Win32:Virut » Wed Jul 31, 2013 4:14 pm

Sorry, it's Live Security Professional fakeav.

Xylitol
Global Moderator
Posts: 1670
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Win32/Reveton

Post by Xylitol » Wed Jul 31, 2013 11:31 pm

Win32:Virut wrote:Sorry, it's Live Security Professional fakeav.
From your last post? No, it's Reveton, confirmed.

I can't attach the sample because the uploader is broken for the moment, so here are videos:
Cool Exploit Kit leading to Reveton: http://www.youtube.com/watch?v=BitCYj2GExE
Unpacking the sample grabbed + lolav: http://www.youtube.com/watch?v=HA6FzT-e4nU

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: Win32/Reveton

Post by Win32:Virut » Thu Aug 01, 2013 4:21 pm

Xylitol wrote:
Win32:Virut wrote:Sorry, it's Live Security Professional fakeav.
From your last post? No, it's Reveton, confirmed.

I can't attach the sample because the uploader is broken for the moment, so here are videos:
Cool Exploit Kit leading to Reveton: http://www.youtube.com/watch?v=BitCYj2GExE
Unpacking the sample grabbed + lolav: http://www.youtube.com/watch?v=HA6FzT-e4nU
I tested it a while ago; it's Live Security Professional.

EP_X0FF
Global Moderator
Posts: 4814
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Reveton

Post by EP_X0FF » Thu Aug 01, 2013 5:13 pm

Win32:Virut wrote:rundll32.exe path,XFG00

https://www.virustotal.com/en/file/90b6 ... 375267929/

I was just browsing some websites and got infected, maybe some site was infected.
Reveton. Decrypted version in the attachment.

https://www.virustotal.com/en/file/4f2e ... 375377166/
Ring0 - the source of inspiration

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: Win32/Reveton

Post by Win32:Virut » Thu Aug 01, 2013 6:23 pm

@EP_X0FF and Xylitol

How do you run it?

I use WIN + R, then rundll32.exe path-to-file,XFG00

and Live Security Professional.


EP_X0FF
Global Moderator
Posts: 4814
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Reveton

Post by EP_X0FF » Fri Aug 02, 2013 2:21 am

Any log or dump? Because no FakeAV is observed, neither in the dropper nor on the infected machine. Only Reveton crap https://www.virustotal.com/en/file/43f2 ... 375409885/

http://anubis.iseclab.org/?action=resul ... ormat=html
Ring0 - the source of inspiration

S!Ri
Posts: 5
Joined: Fri Sep 02, 2011 7:36 am

Re: Win32/Reveton

Post by S!Ri » Fri Aug 02, 2013 8:59 am

Hello,

The unpacked file is the dropper (X:\PGP\Programming\JimmMonsterNew\ServerWinlock\Source\SysUtils.pas) :twisted:
Just rename it to *.cpl and double-click.

The dump is the rogue binary (a DLL, not an executable, not rebuilt)
(many references to "OPG Security")
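Both launch methods in this thread (rundll32.exe path,XFG00 in Win32:Virut's post, and S!Ri's rename-to-.cpl, which makes the shell LoadLibrary the DLL so its entry point runs) depend on knowing what the dropper exports. The following is an added example, not code from the thread or from any of the posters: a small pure-Python export-table walker, plus a helper that builds the rundll32 command line. build_sample_dll() fabricates a tiny PE32 DLL whose export names (DllMain, ServiceMain, an ordinal-only slot, a forwarder) are made up for the demonstration; only XFG00 comes from the thread, and nothing here is a real Reveton file. Run the resulting rundll32 line only inside an isolated analysis VM.

```python
import struct

# Added example (not from the thread): list a DLL's exports before handing it to
# rundll32.  build_sample_dll() is a constructed stand-in, not a real sample.


def _rva_to_off(sections, rva):
    """Map an RVA to a file offset via the section table."""
    for va, vsize, rptr, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_exports(data):
    """Return {'dll': internal name, 'exports': [...]} or None if there is no export table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 0 is the export table.
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + (96 if magic == 0x10B else 112))
    if exp_rva == 0:
        return None
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        _, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((va, vsize, rptr, rsize))
        off += 40
    ed = _rva_to_off(sections, exp_rva)
    name_rva, base, nfunc, nnames, aof, aon, aono = struct.unpack_from("<7I", data, ed + 12)
    funcs = struct.unpack_from("<%dI" % nfunc, data, _rva_to_off(sections, aof))
    names = struct.unpack_from("<%dI" % nnames, data, _rva_to_off(sections, aon))
    ords = struct.unpack_from("<%dH" % nnames, data, _rva_to_off(sections, aono))
    name_of = {idx: _cstr(data, _rva_to_off(sections, n)) for n, idx in zip(names, ords)}
    exports = []
    for idx, frva in enumerate(funcs):
        if frva == 0:
            continue  # unused ordinal slot
        # An address that lands inside the export directory is a forwarder string, not code.
        fwd = _cstr(data, _rva_to_off(sections, frva)) if exp_rva <= frva < exp_rva + exp_size else None
        exports.append({"ordinal": base + idx, "name": name_of.get(idx), "rva": frva, "forwarder": fwd})
    return {"dll": _cstr(data, _rva_to_off(sections, name_rva)), "exports": exports}


def rundll32_cmdline(path, export):
    """rundll32 takes the entry point by name or, with a '#' prefix, by ordinal."""
    entry = export if isinstance(export, str) else "#%d" % export
    return 'rundll32.exe "%s",%s' % (path, entry)


def build_sample_dll():
    """Constructed PE32 DLL with one .edata section that holds only an export table."""
    exports = [("DllMain", 0x1100), ("XFG00", 0x1110), (None, 0x1120),   # None = ordinal-only
               ("ServiceMain", 0x1130), ("Forwarded", "KERNEL32.Sleep")]  # str = forwarder
    sec_rva, sec_raw, dll_name = 0x1000, 0x200, "sample.dll"
    named = sorted((n, i) for i, (n, _) in enumerate(exports) if n)  # name table is sorted
    nfunc, nnames = len(exports), len(named)
    aof = 40                          # the export directory itself is 40 bytes
    aon = aof + 4 * nfunc
    aono = aon + 4 * nnames
    str_off = aono + 2 * nnames
    strings, str_rva = bytearray(), {}
    for s in [dll_name] + [n for n, _ in named] + [t for _, t in exports if isinstance(t, str)]:
        str_rva[s] = sec_rva + str_off + len(strings)
        strings += s.encode() + b"\0"
    body = bytearray(struct.pack("<IIHH7I", 0, 0, 0, 0, str_rva[dll_name], 1, nfunc, nnames,
                                 sec_rva + aof, sec_rva + aon, sec_rva + aono))
    for _, target in exports:
        body += struct.pack("<I", str_rva[target] if isinstance(target, str) else target)
    for n, _ in named:
        body += struct.pack("<I", str_rva[n])
    for _, i in named:
        body += struct.pack("<H", i)
    body += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = struct.pack("<HBB9I6H4IHH6I", 0x10B, 0, 0,
                      0, 0x200, 0, 0, sec_rva, sec_rva, 0x10000000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = struct.pack("<II", sec_rva, len(body)) + b"\0" * (8 * 15)           # entry 0 = exports
    sec = struct.pack("<8s6I2HI", b".edata", 0x200, sec_rva, 0x200, sec_raw, 0, 0, 0, 0, 0x40000040)
    hdr = dos + coff + opt + dirs + sec
    return bytes(hdr + b"\0" * (sec_raw - len(hdr)) + body + b"\0" * (0x200 - len(body)))


if __name__ == "__main__":
    info = parse_exports(build_sample_dll())
    for e in info["exports"]:
        print("#%-3d %-12s rva=0x%x %s" % (e["ordinal"], e["name"] or "(no name)", e["rva"],
                                          "-> " + e["forwarder"] if e["forwarder"] else ""))
    print(rundll32_cmdline(r"C:\samples\sample.dll", "XFG00"))
```

To use it on a real dropper, replace build_sample_dll() with open(path, "rb").read(). An export with no name can still be invoked with rundll32 by ordinal (#3 above), and a forwarder entry is not code in this file at all, so calling it only re-enters the target DLL.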

EP_X0FF
Global Moderator
Posts: 4814
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Reveton

Post by EP_X0FF » Fri Aug 02, 2013 3:54 pm

S!Ri wrote:(X:\PGP\Programming\JimmMonsterNew\ServerWinlock\Source\SysUtils.pas)
Seen earlier here http://www.kernelmode.info/forum/viewto ... 149#p17149
Ring0 - the source of inspiration

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: Win32/Reveton

Post by thisisu » Fri Aug 02, 2013 8:47 pm

https://www.virustotal.com/en/file/014f ... 375475881/

MD5 : df50510b6bac36f7b8901796b618ef8f

The PC was infected with Pihar.C and ZeroAccess Recycler, and it looks like this is ransomware, but it never displayed for me (sorry, no pic).

Legit service used for startup:

Code:

S2 Winmgmt; C:\Windows\system32\config\SYSTEM~1\3950568.dll [204800 2013-02-05] (Microsoft Corporation)
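The service line above shows the Winmgmt service loading a DLL from system32\config\SYSTEM~1\ instead of its normal wbem\WMIsvc.dll, which is the persistence trick to look for across a whole log. The following is an added example, not code from the thread or from any of the posters: it parses FRST-style service lines and flags a known service whose ServiceDll has been repointed, plus cheap indicators such as 8.3 short-name components, a binary under \config\ or a user-writable directory, and a purely numeric DLL name. The reference paths are assumed Windows 7 values, the log lines other than the one posted are constructed, and the vendor string in parentheses is assumed to be the file's version-info company name, which the file's author controls and which therefore proves nothing.

```python
import re

# Added example (not from the thread): triage FRST-style service lines and flag
# a legitimate service whose ServiceDll has been pointed at a dropped file.

LINE_RE = re.compile(
    r"^(?P<state>[SRU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<vendor>[^)]*)\)\s*$"
)

# Assumed reference ServiceDll locations (Windows 7 era); extend for the box you triage.
EXPECTED = {
    "winmgmt": "c:\\windows\\system32\\wbem\\wmisvc.dll",
    "bits": "c:\\windows\\system32\\qmgr.dll",
}

# Directories where a service DLL has no business living.
SUSPICIOUS_DIRS = ("\\config\\", "\\temp\\", "\\appdata\\", "\\programdata\\",
                   "\\users\\", "\\recycler\\")


def normalize(path):
    return path.lower().replace("%systemroot%", "c:\\windows")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(line):
    """Return the findings for one service line; [] means nothing odd was seen."""
    rec = parse_line(line)
    if rec is None:
        return ["unparsed line"]
    path = normalize(rec["path"])
    findings = []
    expected = EXPECTED.get(rec["name"].lower())
    if expected and path != expected:
        findings.append("ServiceDll mismatch: %s expected %s, got %s" % (rec["name"], expected, path))
    if re.search(r"~\d", path):
        findings.append("8.3 short-name component in path")
    for d in SUSPICIOUS_DIRS:
        if d in path:
            findings.append("binary under %s" % d)
    if re.search(r"\\\d+\.dll$", path):
        findings.append("purely numeric DLL name")
    return findings


def triage_log(text):
    """Map every non-empty log line to its findings."""
    return {line: triage(line) for line in text.splitlines() if line.strip()}


# Constructed log: the second Winmgmt line is the one posted in the thread, the rest are made up.
LOG = r"""
S2 Winmgmt; C:\Windows\system32\wbem\WMIsvc.dll [145408 2009-07-14] (Microsoft Corporation)
S2 Winmgmt; C:\Windows\system32\config\SYSTEM~1\3950568.dll [204800 2013-02-05] (Microsoft Corporation)
S2 BITS; C:\Windows\System32\qmgr.dll [849920 2009-07-14] (Microsoft Corporation)
S2 BITS; C:\ProgramData\update\qmgr.dll [204800 2013-02-05] (Microsoft Corporation)
"""

if __name__ == "__main__":
    for line, findings in triage_log(LOG).items():
        print(line)
        for f in findings:
            print("    !", f)
```

The mismatch check is the one that matters: the other indicators are heuristics, and the vendor field must not be used to clear a line, since the dropped DLL above carries "Microsoft Corporation" just as the real WMIsvc.dll does.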

Horgh
Posts: 37
Joined: Fri Dec 07, 2012 9:48 am
Location: France

Re: Win32/Reveton

Post by Horgh » Thu Aug 29, 2013 8:45 pm

Trojan:Win32/Reveton.N
