
TrojanDownloader:Win32/Renos.NS


First posted on 23 November 2010.
Source: SecurityHome

Aliases:

There are no other names known for TrojanDownloader:Win32/Renos.NS.

Explanation:

TrojanDownloader:Win32/Renos.NS is a generic detection for a family of trojans that connect to certain websites in order to download arbitrary files. This may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Rogue:Win32/FakeSecSen or Rogue:Win32/FakeXPA.

TrojanDownloader:Win32/Renos.NS may be distributed in the wild masquerading as a video codec. For an example, please see the image below:

It has also been observed being downloaded to affected machines after users are prompted by fake online security scanners. See below for examples of this method of distribution being utilized in the wild:

Installation

When executed, TrojanDownloader:Win32/Renos.NS runs from its original location and modifies the registry to run the trojan downloader at each Windows start (for example):

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "MSFox" (or "Cognac")
With data: "<full pathname of Win32/Renos.NS>"

Additional registry modifications are made similar to the following example:

In subkey: HKLM\Software\Mozilla\MSFox
Sets value: Str<digit>
With data: <base64 encoded string> (for example, "x6tveq8ngbtmpknqirnnqauudxwx")

Note: These registry modifications may vary according to minor variant and the values listed may be different from those given in these examples.

Payload

Downloads and executes arbitrary files

Once installed, the trojan may connect to one of a number of remote web servers from which it may download and execute other files. In the wild, we have observed servers at the following locations being contacted in this manner by TrojanDownloader:Win32/Renos.NS:

Files downloaded may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Rogue:Win32/FakeSecSen or Rogue:Win32/FakeXPA. TrojanDownloader:Win32/Renos.NS has also been observed downloading files and other content associated with advertising and browser redirection. TrojanDownloader:Win32/Renos may post system information to the remote server before downloading files. The downloaded malware is generally saved to the %temp% directory, using filenames such as "~tmpa.exe".
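The installation and payload details above describe a persistence pattern that can be checked offline. The following is an added example (not code from the original write-up or from Microsoft) that parses a `reg export` style text dump and flags the Run value names, the Temp-resident `~tmp*.exe` autorun target and the `Str<digit>` values under `HKLM\Software\Mozilla\MSFox` described in the text; the registry dump embedded in it is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of a `reg export` text dump (not taken from the page);
# it mirrors the Run-key and HKLM\Software\Mozilla\MSFox entries described above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"MSFox"="C:\\Users\\alice\\AppData\\Local\\Temp\\~tmpa.exe"

[HKEY_LOCAL_MACHINE\Software\Mozilla\MSFox]
"Str1"="x6tveq8ngbtmpknqirnnqauudxwx"
"Str2"="aGVsbG8="
"""

SUSPECT_RUN_NAMES = {"msfox", "cognac"}        # Run value names named in the write-up
KEY_RE = re.compile(r"^\[(.+)\]$")             # [HKEY_...\path] section header
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # "name"="data" (REG_SZ values only)
TEMP_EXE_RE = re.compile(r"\\temp\\~tmp[^\\]*\.exe$", re.IGNORECASE)
STR_N_RE = re.compile(r"^Str\d+$")

def parse_reg_export(text: str) -> List[tuple]:
    """Return (key, value_name, data) for every REG_SZ value in a .reg dump."""
    entries, key = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line.strip())
        if m and key:
            # .reg files escape backslashes as "\\"; undo that for path matching
            entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries

def find_renos_indicators(text: str) -> List[Dict[str, object]]:
    """Flag registry entries matching the Renos.NS persistence pattern."""
    findings = []
    for key, name, data in parse_reg_export(text):
        reasons, key_l = [], key.lower()
        if key_l.endswith(r"\microsoft\windows\currentversion\run"):
            if name.lower() in SUSPECT_RUN_NAMES:
                reasons.append("Run value name used by Renos.NS")
            if TEMP_EXE_RE.search(data):
                reasons.append("autorun target is ~tmp*.exe in Temp")
        elif key_l.endswith(r"\software\mozilla\msfox") and STR_N_RE.match(name):
            reasons.append("Str<digit> value under Mozilla\\MSFox")
        if reasons:
            findings.append({"key": key, "value": name, "data": data, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_renos_indicators(SAMPLE_REG_EXPORT):
        print(f["key"], f["value"], "->", "; ".join(f["reasons"]))
```

Because the note above says value names vary between minor variants, treat a hit on the Temp `~tmp*.exe` autorun target as the more durable signal and the literal names as corroboration.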

Analysis by Hamish O'Dea

Last update 23 November 2010
