 #11038  by rkhunter
 Sun Jan 15, 2012 7:58 am
Interesting case.

Trojan:Win32/Reveton.A,
MD5: 34818ce171ea150b91429ac1dd6fbe49

VT

It sets ActiveDesktop, runs IE and requests FakePoliceAlert; as a result, your desktop shows this view:

Image
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 46.38.58.47
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sun, 15 Jan 2012 07:20:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.6-1+lenny13
Content-Encoding: gzip

GET /img/downheader.jpg HTTP/1.1
Accept: */*
Referer: hxxp://46.38.58.47/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 46.38.58.47
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sun, 15 Jan 2012 07:20:17 GMT
Content-Type: image/jpeg
Content-Length: 60665
Last-Modified: Thu, 08 Dec 2011 22:16:50 GMT
Connection: keep-alive
Accept-Ranges: bytes
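To turn a pasted capture like the one above into structured indicators (host, URI, User-Agent, Referer, server banner) for an IoC sheet or a proxy-log rule, here is an added example; it is not code from the post or from the sample. It parses a transcript constructed from the quoted exchange and copes with the missing blank line between the first response and the second request.

```python
import re

# Transcript constructed from the exchange quoted above (URL kept defanged as in the post).
CAPTURE = """GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 46.38.58.47

HTTP/1.1 200 OK
Server: nginx/0.6.32
Content-Type: text/html
GET /img/downheader.jpg HTTP/1.1
Referer: hxxp://46.38.58.47/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 46.38.58.47

HTTP/1.1 200 OK
Server: nginx/0.6.32
Content-Type: image/jpeg
"""

REQ_RE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/\d\.\d$")
RESP_RE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")


def parse_capture(text):
    """Split a pasted transcript into messages, starting a new one at each request or
    status line: pasted captures (like the one above) often omit the blank separator."""
    messages = []
    for line in text.splitlines():
        if REQ_RE.match(line) or RESP_RE.match(line):
            messages.append({"start": line, "headers": {}})
        elif messages and ":" in line:
            name, _, value = line.partition(":")
            messages[-1]["headers"][name.strip().lower()] = value.strip()
    return messages


def extract_indicators(text):
    """Pair each request with the response that follows it; keep the fields an IoC sheet uses."""
    out, msgs = [], parse_capture(text)
    for i, msg in enumerate(msgs):
        req = REQ_RE.match(msg["start"])
        if not req:
            continue  # responses are consumed together with their request
        nxt = msgs[i + 1] if i + 1 < len(msgs) else {"start": "", "headers": {}}
        resp = RESP_RE.match(nxt["start"])
        h, rh = msg["headers"], (nxt["headers"] if resp else {})
        out.append({"method": req.group(1), "uri": req.group(2), "host": h.get("host"),
                    "user_agent": h.get("user-agent"), "referer": h.get("referer"),
                    "status": int(resp.group(1)) if resp else None,
                    "server": rh.get("server"), "content_type": rh.get("content-type")})
    return out
```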
 #11046  by rkhunter
 Sun Jan 15, 2012 5:11 pm
Reveton.A with French ransom feature

MD5: 12b9e1d71739eb99bb02be37887f5cce

13/41

Image

IP: 95.57.120.108

Edit: one more with "Spain" ransom feature

MD5: 909690e0b6884617c25717f4213ad4df

IP: 95.57.120.59