
PWS:Win32/Reveton.B

By ZulaZuza in Trojans

PWS:Win32/Reveton.B is a password-stealing Trojan that is a component of the Reveton ransomware. PWS:Win32/Reveton.B uses exploit kits such as Blacole as an infection vector. Once an exploit kit has installed PWS:Win32/Reveton.B on a targeted computer, the ransomware starts contacting its command and control (C&C) server. PWS:Win32/Reveton.B downloads information about the system's external IP address, such as the Internet provider, city and country. It additionally downloads a DLL that builds the lock screen. The downloaded information is compressed and stored in a container at %APPDATA%\[RANDOM NAME].pad so that it is available offline. PWS:Win32/Reveton.B is also equipped with its own portable-executable (PE) loader, which allows it to load the DLL directly from that container. PWS:Win32/Reveton.B locks the infected computer, shows a fake warning message and demands that the victim pay a so-called fine to restore access to the PC. PWS:Win32/Reveton.B then downloads the password-stealer component from the C&C server and executes it in memory. PWS:Win32/Reveton.B can steal passwords for a wide range of file downloaders, remote-control applications, FTP, poker, chat and e-mail clients, as well as passwords stored by web browsers and in Protected Storage. However, because PWS:Win32/Reveton.B can load almost any DLL served by the C&C on the fly, the set of targeted applications may change.

File System Details

PWS:Win32/Reveton.B may create the following file(s):
1. %APPDATA%\[RANDOM NAME].pad
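The container described above is compressed data dropped directly into the APPDATA root with a random name, which gives a defender a simple hunting heuristic. The following Python is an added example, not part of the original write-up: it scans %APPDATA% for *.pad files and flags those whose leading bytes show the near-maximal entropy typical of compressed content. The 4096-byte sample size and 7.0-bit threshold are assumptions, not values from the page.

```python
"""
Hunt for Reveton-style '.pad' containers in %APPDATA%.

The write-up notes that the downloaded geolocation data and lock-screen DLL
are compressed into %APPDATA%\\[RANDOM NAME].pad. Compressed data has near-
maximal byte entropy, so a high-entropy .pad file sitting directly in the
APPDATA root is worth a closer look. Threshold and sample size are assumed.
"""
import math
import os
from pathlib import Path

SAMPLE_SIZE = 4096          # assumed: bytes read from the head of each file
ENTROPY_THRESHOLD = 7.0     # assumed cut-off; plain text is usually < 5 bits


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_sample(name: str, head: bytes) -> dict:
    """Score one candidate file from its name and its leading bytes."""
    ent = shannon_entropy(head[:SAMPLE_SIZE])
    return {
        "name": name,
        "entropy": round(ent, 2),
        "suspicious": name.lower().endswith(".pad") and ent >= ENTROPY_THRESHOLD,
    }


def scan_pad_files(appdata: Path) -> list:
    """Return a verdict for every *.pad file directly under `appdata`."""
    results = []
    for path in sorted(appdata.glob("*.pad")):
        if path.is_file():
            with path.open("rb") as fh:
                results.append(classify_sample(path.name, fh.read(SAMPLE_SIZE)))
    return results


if __name__ == "__main__":
    root = Path(os.environ.get("APPDATA", Path.home()))
    for verdict in scan_pad_files(root):
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {verdict['entropy']:5.2f}  {verdict['name']}")
```

A hit is only a lead: confirm it by checking which process holds the file open and whether the container is referenced by an autostart entry.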
