First posted on 14 November 2007.
Source: SecurityHome
Trojan:W32/Renos.H is also known as Trojan.Win32.Qhost.TM.
Trojan:W32/Renos.H attempts to lure the computer user into downloading "rogueware" by presenting pop-up windows that warn of a supposed threat.
In addition, Renos.H modifies the computer's hosts file so that websites of many antivirus vendors can no longer be reached.
When Trojan:W32/Renos.H is run, it copies itself to four locations on the hard drive:
- %userprofile%\Start Menu\Programs\Startup\autorun.exe
- %userprofile%\Start Menu\Programs\Startup\system.exe
- %windir%\system32\printer.exe
- %windir%\system32\WinAvXX.exe
It adds the following registry entries so that WinAvXX.exe and printer.exe are automatically run during system startup:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  WinAVX = C:\WINDOWS\system32\WinAvXX.exe
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Shell = Explorer.exe C:\WINDOWS\system32\printer.exe
Programs and shortcuts in the %userprofile%\Start Menu\Programs\Startup folder are executed automatically at startup, so the other two copies of the trojan are also run every time the infected computer starts; however, only one copy remains running at any time. This makes manual disinfection more difficult: all four copies of the file must be deleted, because if even one remains it will copy itself back into all four locations.
To further hinder its removal, Renos makes the following changes to the Windows Registry:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableTaskMgr = 00000001
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableRegistryTools = 00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoControlPanel = 00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoWindowsUpdate = 00000001
The above values disable access to Task Manager, the registry tools (regedit.exe and regedt32.exe), Control Panel, and Windows Update.
Winav.exe is added to the list of authorized applications for the Windows XP firewall. Winav.exe is not a part of the trojan, so it is likely part of the software that it wants the computer user to download.
Trojan:W32/Renos.H modifies the system to prevent the infected computer from accessing many websites, most of them antivirus related. This is accomplished by adding entries to the hosts file, located by default in %windir%\system32\drivers\etc under Windows NT/2000/XP/Vista, that map each vendor hostname to the non-routable private address 192.168.200.3 instead of its real address:
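Two of the changes above are easy to check for from a clean boot environment: the hosts-file entries that point vendor hostnames at 192.168.200.3, and the Winlogon Shell value that has an extra executable appended after Explorer.exe. The following Python helpers are an added example written for this description, not code from the original page; the vendor suffix list and the sample hosts text are constructed, and a real check would read the live hosts file and the Shell value from the registry.

```python
"""Detection helpers for Renos.H-style hosts-file and Winlogon Shell tampering (added example)."""
import re
from ipaddress import ip_address

# Constructed, non-exhaustive list of vendor domains taken from the description above.
WATCHED_SUFFIXES = ("symantec.com", "kaspersky-labs.com", "f-secure.com", "mcafee.com",
                    "microsoft.com", "sophos.com", "virustotal.com", "trendmicro.com")
# Mapping a host to these addresses is a common ad-blocking practice, so it is not flagged.
BENIGN_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}

SAMPLE_HOSTS = """# constructed sample hosts file, not a real capture
127.0.0.1\tlocalhost
192.168.200.3 liveupdate.symantec.com
192.168.200.3 www.kaspersky-labs.com   # trailing comment
0.0.0.0 ads.example.invalid
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()          # one IP may be followed by several hostnames
        for name in names:
            yield ip, name.lower()

def suspicious_hosts_entries(text):
    """Return (ip, hostname) entries that redirect a watched vendor domain somewhere non-local."""
    hits = []
    for ip, name in parse_hosts(text):
        if not any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
            continue
        try:
            addr = ip_address(ip)
        except ValueError:                  # malformed line; ignore rather than crash
            continue
        if ip not in BENIGN_TARGETS and not addr.is_loopback:
            hits.append((ip, name))
    return hits

def extra_shell_entries(shell_value):
    """Return anything in a Winlogon Shell value besides the expected Explorer.exe.

    Winlogon accepts several programs separated by commas or spaces; a path containing
    spaces would be split here too, so treat results as leads, not verdicts.
    """
    items = [p for p in re.split(r"[,\s]+", shell_value.strip()) if p]
    return [p for p in items if p.lower() != "explorer.exe"]
```

On a live system the same functions can be fed the contents of %windir%\system32\drivers\etc\hosts and the Shell value read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.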
Renos.H also changes Internet Explorer's Home page, default search engine, and enables browser extensions and balloon tips. The trojan also changes the Internet security zone settings to enable ActiveX controls.
While the trojan is running it presents the following dialog window every five minutes. The security issue it warns of does not exist; it is a hoax intended to get the user to download rogueware.
See the Rogue Antispyware description for additional details.
Earlier versions of "Renos" were not intrinsically malicious towards the computer's OS, but were fraudulent. Current generations alter the Windows hosts file and disable Windows Update, which classifies them as malware. See the Renos description for information on earlier versions.
Last update 14 November 2007