5 Replies Latest reply on Sep 2, 2012 5:57 AM by makfai

    Trojan W32 Reveton

      http://www.f-secure.com/v-descs/trojan_w32_reveton.shtml


      How is it that this ransom trojan could get through McAfee Total Protection on my computer (Win7)?  The only way I could get in was by doing a restore.


      All my protections are running and I get auto-updates.  I don't see why this was not intercepted.

        • 1. Re: Trojan W32 Reveton
          Hayton

          The usual method of infection is (as the name Trojan implies) for the dropper code to arrive disguised as something else - an apparently legitimate application. Once you've allowed this to be downloaded and run it has the status of an allowed program as far as the firewall is concerned. There are other infection methods but that's the one most often used and is surprisingly effective.

          1 of 1 people found this helpful
          • 2. Re: Trojan W32 Reveton

            In the link in my original post it says that:


            Installation

            Upon execution, it will create the following file:

            • On Windows XP
              %USERPROFILE%\Start Menu\Programs\Startup\<reveton_filename>.dll.lnk
            • On Windows 7
              %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<reveton_filename>dll.lnk


            It seems to me that if MS did not have a universal access 'key' (i.e. %USERPROFILE%) to a person's user folder then such a Trojan would be defeated simply by the number of variants of usernames.  Why has this access been created?
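One defensive check that follows from the F-Secure installation note quoted above, added here as an example and not part of the thread: a PowerShell (3.0 or later) script that lists every Startup-folder shortcut on the machine, including hidden ones and those in other user profiles, and flags any shortcut that is named after, points at, or launches a DLL. The C:\Users profile layout is an assumption (the default on Windows 7).

```powershell
# Added example (not from this thread). Enumerates Startup-folder .lnk files for the
# current user, all users and every profile under C:\Users (assumed default layout),
# and flags the pattern F-Secure describes: a shortcut tied to a DLL in the Startup folder.
$shell = New-Object -ComObject WScript.Shell

# Startup folders: current user, all-users, then every other profile on the box
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$perUserStartup = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
Get-ChildItem 'C:\Users' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { $startupDirs += Join-Path $_.FullName $perUserStartup }

$results = foreach ($dir in ($startupDirs | Sort-Object -Unique)) {
    if (-not (Test-Path $dir)) { continue }
    # -Force includes hidden shortcuts, which a plain folder view would miss
    foreach ($lnkFile in Get-ChildItem $dir -Filter '*.lnk' -Force -ErrorAction SilentlyContinue) {
        $lnk     = $shell.CreateShortcut($lnkFile.FullName)   # opens the existing .lnk for reading
        $target  = $lnk.TargetPath
        $lnkArgs = $lnk.Arguments
        # Flag: name like "<something>.dll.lnk" (the Reveton pattern), a DLL target,
        # or a DLL being loaded through rundll32/regsvr32 arguments
        $suspicious = ($lnkFile.Name -match 'dll\.lnk$') -or
                      ($target -match '\.dll$') -or
                      ($target -match 'rundll32|regsvr32') -or
                      ($lnkArgs -match '\.dll')
        [PSCustomObject]@{
            Shortcut   = $lnkFile.FullName
            Target     = $target
            Arguments  = $lnkArgs
            Suspicious = $suspicious
        }
    }
}

# Suspicious entries first; review each flagged target before deleting anything
$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so other users' profile folders are readable; a flagged entry is a lead to investigate (check the target file's publisher and hash), not proof of infection on its own.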

            • 3. Re: Trojan W32 Reveton

              Hit again by this but with a different wording this time.

              Can only access computer using safe mode as screen defaults to the ransom page.

              Cannot use Real Time Scanning - switches off as soon as switched on.

              Ran a full scan using McAfee Total Protection in safe mode but nothing detected.  (Not sure why this is the case!)

              Can't find the dll.lnk in the Startup folder.

              Any ideas how to kill this when McAfee cannot even find it?

              • 4. Re: Trojan W32 Reveton
                Hayton

                Stinger is your best bet, and follow that with Malwarebytes. If you can't download anything from the Internet you might try Windows Defender Offline, which needs a dedicated USB drive (it will format it, so be warned). Download it on another PC to the USB drive and boot the infected PC from that drive.

                1 of 1 people found this helpful
                • 5. Re: Trojan W32 Reveton

                  Hayton wrote:


                  Stinger is your best bet, and follow that with Malwarebytes. If you can't download anything from the Internet you might try Windows Defender Offline, which needs a dedicated USB drive (it will format it, so be warned). Download it on another PC to the USB drive and boot the infected PC from that drive.


                  Thanks - very useful.


                  Having done a bit of rooting around I noticed that McAfee had actually quarantined a file which it identified to be the ZeroAccess (rootkit trojan).  I think the reason that nothing was detected when I ran my full McAfee scan was that McAfee had already quarantined the actual file, but the file had already done its rootkit damage, which McAfee would, of course, not detect.  That would explain why I could not find the file %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<reveton_filename>dll.lnk.


                  I am also pretty sure that I now know how it arrived.  I believe it was disguised as an Adobe Update which, even if you click on NO when asked to install, will still install the danger file(s).  I suspect this because the computer asked me if I wanted to install the Adobe update but I said NO - I was a bit suspicious and should have clicked on nothing!  However, the panel did not close when I selected NO and this made me more suspicious.  I tried End Task in the Task Manager but it would still not end.  I had to reboot to get rid of it, but I believe that by that time clicking even on the NO option had done the damage.


                  I have used the restore option again and that seems to have cleared it up.  I am now running STINGER as you suggested and have downloaded WDO onto a USB.  Good tips!


                  Fortunately, I could use the SAFE MODE (including Network) option so I could get online this time even when the comp was infected.