Tuesday, 22 January 2013

Trojan:Win32/Reveton

[root@heretyghyuiiiojk www]#
What a cool hostname.

"v" is GeoLiteCity.dat mixed with some PHP.
images.rar is a payload downloaded by Reveton (cf. here)
The SQL database has 4 tables: `balances`, `content`, `geoip_isp`, `stat_ips`

Just the basics: the landing page for the Italian ransom note.

And traces of a German landing page.

Code comments and variable names are in English.

By looking at the source code of the pages, I've seen that "shared.php" is used as the panel, with GET requests only.

DB content:

Codes:
There is also a feature to erase vouchers.

3 comments:

  1. How did you get Reveton?

  2. This version without camera?
