TrojanDownloader:Win32/Renos.HB
First posted on 14 September 2017.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:Win32/Renos.HB.
Explanation:
TrojanDownloader:Win32/Renos.HB is a trojan that creates desktop shortcuts to adult content sites and downloads rogue security software from predefined websites.
Installation
TrojanDownloader:Win32/Renos.HB may be installed by other malware. When run, it drops a copy of itself as the following:
\msiconf.exe
Note - refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
The registry is modified to run the dropped trojan at each Windows start.
Adds value: "msiexec.exe"
With data: "msiconf.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Payload
Creates desktop shortcuts to adult content sites
TrojanDownloader:Win32/Renos.HB creates shortcuts to adult content Web sites on the desktop for all user profiles by creating shortcut files as the following:
c:\documents and settings\all users\desktop\best bdsm p0rn.url
c:\documents and settings\all users\desktop\gay fetish sex.url
Contacts remote website
In the wild, TrojanDownloader:Win32/Renos.HB has been observed connecting with the following remote websites to download additional programs:
advancedvirusremover.com
rapidantivirus2009.com
The above mentioned sites are associated with the distribution of rogue security software.
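A host check for the installation and payload artifacts listed above, as an added example that is not part of the original write-up. The function and variable names are hypothetical, and it assumes the variable drop location is the System folder (System32, or SysWOW64 on 64-bit Windows).

```powershell
# Added example (not from the original write-up). Indicator strings are taken
# from this page; function and variable names are hypothetical.
$RunValueName  = 'msiexec.exe'   # Run value name the trojan registers
$DroppedName   = 'msiconf.exe'   # file name of the dropped copy
$ShortcutNames = 'best bdsm p0rn.url', 'gay fetish sex.url'

function Get-RenosHBFinding {
    $findings = @()

    # Run key in every loaded user hive; the current user's HKCU is one of them.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $runPath = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path -Path $runPath)) { continue }
        $data = [string](Get-Item -Path $runPath).GetValue($RunValueName)
        # A value named after the Windows Installer binary that launches a
        # different file is the mismatch this page describes.
        if ($data -like "*$DroppedName*") {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Location = $runPath; Detail = $data }
        }
    }

    # Dropped copy. Assumption: the variable location is the System folder.
    # A 32-bit process on 64-bit Windows is redirected to SysWOW64, so check both.
    foreach ($dir in 'System32', 'SysWOW64') {
        $file = Join-Path (Join-Path $env:windir $dir) $DroppedName
        if (Test-Path -LiteralPath $file) {
            $findings += [pscustomobject]@{ Type = 'File'; Location = $file; Detail = 'dropped copy' }
        }
    }

    # Shortcuts on the all-users desktop (resolved for the running OS version).
    $desktop = [Environment]::GetFolderPath('CommonDesktopDirectory')
    foreach ($name in $ShortcutNames) {
        $lnk = Join-Path $desktop $name
        if (Test-Path -LiteralPath $lnk) {
            $findings += [pscustomobject]@{ Type = 'Shortcut'; Location = $lnk; Detail = 'desktop .url' }
        }
    }

    $findings
}

Get-RenosHBFinding | Format-Table -AutoSize
```

Only hives of logged-on users are loaded under HKEY_USERS, so profiles of logged-off users need their NTUSER.DAT loaded or examined offline.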
Analysis by Patrick Nolan
Last update 14 September 2017