Home / malwarePDF  

Trojan-Downloader:W32/Renos.GEN


First posted on 22 October 2008.
Source: SecurityHome

Aliases :

There are no other names known for Trojan-Downloader:W32/Renos.GEN.

Explanation :

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

right]This trojan downloads rogueware, which attempts to persuade the user to buy a particular rogue antispyware application by pretending that the system is infected with spyware.

Installation
This trojan may arrive on the system as part of another malware's payload, from a user-initiated download, or through other means. It does not create launchpoints or autostarts; the user must actively launch the malware for it to install and infect the system.


Execution
On execution, this trojan will modify registry keys in order to bypass the Windows firewall, then download a rogue antispyware application from a remote server and save it onto the system, most commonly at

  • %windir%system32winil104552502. exe

The actual save location may vary depending on the variant.

The malware then creates a system tray icon that periodically displays the following message:

  • "Your computer is infected!
    Windows has detected spyware infection!
    It is recommended to use special antispyware tools to prevent data loss.
    Windows will now download and install the most up-to-date antispyware for you.
    Click here to protect your computer from spyware!"

Clicking on the message will launch the downloaded rogue antispyware application.

Last update 22 October 2008

 

TOP