The desktop is locked by a message claiming to be from the local law enforcement agency. The same message demands that the user pays a fine via uKash.
The presence of the following files:
%USERPROFILE%\\Start Menu\\Programs\\Startup\\<reveton_filename>.dll.lnk (Windows XP)
%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\<reveton_filename>dll.lnk (Windows 7)
Please use the attached removal tool to restore access to your PC.
Copy it on a flash drive then boot the affected computer in Safe Mode with Command Prompt and log into the account of the affected user. This is extremely important as your desktop is – most likely – locked by the malware.
Use the command prompt to launch the removal tool from the removable medium and run it. The scanning process is extremely targeted to the specific areas of the system which are affected by this particular e-threat, so the whole process should only take between five and ten seconds.
Reboot the computer and start it normally. Your desktop should now be unlocked.
Andrei Nacu, virus researcher; Vlad Craciun, virus researcher
In order to block access to the system, the Trojan Adds itself to the Winlogon\\Shell registry key in the Current User branch and denies access to Windows Explorer for the current user. This way, the user is locked on the outside, with no chance to run an antivirus solution or a removal tool.