A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20319  by Xylitol
 Wed Jul 31, 2013 11:31 pm
Win32:Virut wrote: Sorry, it's Live Security Professional fakeav.
From your last post? No, it's Reveton confirmed.

I can't attach the sample because the uploader is broken for the moment, so here are videos:
Cool Exploit Kit leading to Reveton: http://www.youtube.com/watch?v=BitCYj2GExE
Unpacking the sample grabbed + lolav: http://www.youtube.com/watch?v=HA6FzT-e4nU
 #20325  by Win32:Virut
 Thu Aug 01, 2013 4:21 pm
Xylitol wrote:
Win32:Virut wrote: Sorry, it's Live Security Professional fakeav.
From your last post? No, it's Reveton confirmed.

I can't attach the sample because the uploader is broken for the moment, so here are videos:
Cool Exploit Kit leading to Reveton: http://www.youtube.com/watch?v=BitCYj2GExE
Unpacking the sample grabbed + lolav: http://www.youtube.com/watch?v=HA6FzT-e4nU
I tested it a while ago, it's Live Security Professional.
 #20330  by EP_X0FF
 Thu Aug 01, 2013 5:13 pm
Win32:Virut wrote: rundll32.exe path,XFG00

https://www.virustotal.com/en/file/90b6 ... 375267929/

I was just browsing some websites and got infected, maybe some site was infected.
Reveton. Decrypted sample in the attachment.

https://www.virustotal.com/en/file/4f2e ... 375377166/
Attachments
pass: infected
(54.85 KiB) Downloaded 96 times
 #20333  by Win32:Virut
 Thu Aug 01, 2013 6:23 pm
@EP_X0FF and Xylitol

How do you run it?

I use WIN + R, then rundll32.exe path-to-file,XFG00

and Live Security Professional.

 #20340  by S!Ri
 Fri Aug 02, 2013 8:59 am
Hello,

Unpacked is the dropper (X:\PGP\Programming\JimmMonsterNew\ServerWinlock\Source\SysUtils.pas) :twisted:
Just rename it to *.cpl and double-click.

dump is the rogue binary (dll, not executable, not rebuilt)
(many references to "OPG Security")
Attachments
(911.47 KiB) Downloaded 87 times
(55.28 KiB) Downloaded 95 times
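The two posts above describe the same loading trick from two sides: the sample is a DLL that only does anything when rundll32.exe calls one of its exports (path,XFG00), and renaming it to *.cpl makes Control Panel load it the same way on a double-click. From the defender's side, the useful artefact is the process command line. The script below is an added example, not code from the thread or from any of the posters; it parses rundll32 invocations out of constructed command lines (the paths, the ctfmon.dll/update.cpl names and the trusted-directory list are assumptions) and flags the ones an analyst would want to look at: modules loaded from outside the system directories, non-.dll extensions such as .cpl, and short letters-plus-digits export names like XFG00.

```python
import re

# Constructed process-creation command lines (not from the thread's sample); the
# first mirrors the "rundll32.exe path,XFG00" form described in the posts.
SAMPLE_CMDLINES = [
    r'rundll32.exe C:\Users\victim\AppData\Local\Temp\ctfmon.dll,XFG00',
    r'rundll32.exe shell32.dll,Control_RunDLL',
    r'C:\Windows\System32\rundll32.exe "C:\Windows\System32\shell32.dll",OpenAs_RunDLL C:\notes.txt',
    r'rundll32.exe C:\Users\victim\Downloads\update.cpl,Start',
    r'notepad.exe C:\notes.txt',
]

# Directories from which a rundll32-loaded module is considered expected (assumption).
TRUSTED_DIRS = (r'c:\windows\system32', r'c:\windows\syswow64')

RUNDLL_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'  # the rundll32 image itself
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,]+?))\s*,\s*'                 # module path, quoted or bare
    r'(?P<export>[^\s,]+)',                                         # export name or #ordinal
    re.IGNORECASE,
)


def parse_rundll32(cmdline):
    """Return {'dll', 'export'} for a rundll32 invocation, or None for anything else."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    dll = (m.group('qdll') or m.group('dll')).strip()
    return {'dll': dll, 'export': m.group('export')}


def is_trusted_path(path):
    p = path.lower().replace('/', '\\')
    if '\\' not in p:
        # Bare file name: resolved by the loader search order. Treated as expected
        # here; a stricter policy would resolve it against the search path first.
        return True
    return any(p.startswith(d + '\\') for d in TRUSTED_DIRS)


def triage(cmdline):
    """Score one command line; returns None if it is not a rundll32 call."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    reasons = []
    if not is_trusted_path(parsed['dll']):
        reasons.append('module loaded from outside the system directories')
    if not parsed['dll'].lower().endswith('.dll'):
        # .cpl and other extensions are still PE images; rundll32/control load them as DLLs.
        reasons.append('module does not carry a .dll extension')
    if re.fullmatch(r'[A-Za-z]{1,4}\d{2,}', parsed['export']):
        # Weak indicator on its own: short letters-plus-digits export names such as XFG00.
        reasons.append('export name looks generated')
    parsed['reasons'] = reasons
    parsed['suspicious'] = bool(reasons)
    return parsed


def suspicious_invocations(cmdlines):
    """Return the subset of command lines worth an analyst's attention."""
    return [cl for cl in cmdlines if (t := triage(cl)) and t['suspicious']]


if __name__ == '__main__':
    for cl in SAMPLE_CMDLINES:
        t = triage(cl)
        if t:
            print(('SUSPECT ' if t['suspicious'] else 'ok      ') + cl, t['reasons'])
```

Run on real data, feed it the CommandLine field of Sysmon event 1 or Security 4688 records; the trusted-directory check is the one that does most of the work, the export-name heuristic only adds weight.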
 #20353  by thisisu
 Fri Aug 02, 2013 8:47 pm
https://www.virustotal.com/en/file/014f ... 375475881/

MD5 : df50510b6bac36f7b8901796b618ef8f

PC was infected with Pihar.C, ZeroAccess Recycler, and looks like this is ransomware but it never displayed for me (sorry no pic).

Legit service used for startup:
Code:
S2 Winmgmt; C:\Windows\system32\config\SYSTEM~1\3950568.dll [204800 2013-02-05] (Microsoft Corporation)
Attachments
pass: infected
(93.06 KiB) Downloaded 92 times
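The service line above is the interesting part of that post: the Winmgmt service is legitimate, but its ServiceDll has been pointed at a numerically named DLL under the registry hive directory, and the "(Microsoft Corporation)" tag only repeats the version info the file carries. The script below is an added example, not code from the thread or from the poster's tools; it parses service lines in the same "start name; path [size date] (company)" layout (the first sample line is the one posted, the others are constructed, and the expected ServiceDll table covers only Winmgmt and Schedule by assumption) and reports the checks a reviewer would apply: path differs from the expected ServiceDll, module stored under config\, an 8.3 short name in the path, and a digits-only file name.

```python
import re

# Expected ServiceDll locations, lower-cased (assumption: only these two are checked).
EXPECTED_SERVICE_DLL = {
    'winmgmt': r'c:\windows\system32\wbem\wmisvc.dll',
    'schedule': r'c:\windows\system32\schedsvc.dll',
}

# Service lines in the "<start> <name>; <path> [<size> <date>] (<company>)" layout.
# The first is the line from the post; the rest are constructed, sizes and dates included.
SAMPLE_LINES = [
    r'S2 Winmgmt; C:\Windows\system32\config\SYSTEM~1\3950568.dll [204800 2013-02-05] (Microsoft Corporation)',
    r'S2 Winmgmt; C:\Windows\system32\wbem\WMIsvc.dll [111111 2009-07-14] (Microsoft Corporation)',
    r'S2 Schedule; C:\Windows\system32\schedsvc.dll [222222 2009-07-14] (Microsoft Corporation)',
    r'S3 SomeDriver; C:\Windows\system32\drivers\example.sys [33333 2012-01-01] ()',
]

LINE_RE = re.compile(
    r'^(?P<start>[SRU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+'
    r'\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<company>[^)]*)\)\s*$'
)


def parse_service_line(line):
    """Split one service line into its fields; None if the layout does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['size'] = int(entry['size'])
    return entry


def check_service(entry):
    """Return a list of findings for one parsed service entry (empty when nothing stands out)."""
    findings = []
    name = entry['name'].lower()
    path = entry['path'].lower()
    expected = EXPECTED_SERVICE_DLL.get(name)
    if expected and path != expected:
        findings.append(f"ServiceDll for {entry['name']} is {entry['path']}, expected {expected}")
    if '\\config\\' in path:
        findings.append('module stored under the registry hive directory (config\\)')
    if '~' in path:
        findings.append('8.3 short name in the path; resolve it to see the real directory name')
    if re.search(r'\\\d{5,}\.dll$', path):
        findings.append('digits-only DLL file name')
    # entry['company'] is the file's own version info, not a signature check; it is
    # deliberately not used as evidence here.
    return findings


def audit(lines):
    """Return (service name, findings) for every line that raised at least one finding."""
    results = []
    for line in lines:
        entry = parse_service_line(line)
        if entry is None:
            continue
        findings = check_service(entry)
        if findings:
            results.append((entry['name'], findings))
    return results


if __name__ == '__main__':
    for name, findings in audit(SAMPLE_LINES):
        print(name)
        for f in findings:
            print('  -', f)
```

On a live system the same checks apply to HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll; the publisher string should be replaced by an Authenticode check on the file itself before any conclusion is drawn from it.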
 #20640  by Horgh
 Thu Aug 29, 2013 8:45 pm
Trojan:Win32/Reveton.N
Attachments
infected
(73.13 KiB) Downloaded 106 times