Home / malware TrojanDownloader:Win32/Renos.HU
First posted on 07 April 2009.
Source: SecurityHomeAliases :
TrojanDownloader:Win32/Renos.HU is also known as Also Known As:Trojan.Win32.Agent.bvqy (Kaspersky), Mal/EncPk-HJ (Sophos), Win32/TrojanDownloader.FakeAlert.ZI (ESET), Win32/Donloz.EW (CA), Generic Downloader.x (McAfee), Downloader.MisleadApp (Symantec).
Explanation :
TrojanDownloader:Win32/Renos.HU is a trojan that connects to certain websites in order to download other malware. This may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA.
Symptoms
System ChangesThe following system changes may indicate the presence of this malware:The presence of the following registry modifications: Adds value: "d00000002"Adds value: "d00000003"Adds value: "d00000006"
To subkey: HKCUSoftwareCognac"
TrojanDownloader:Win32/Renos.HU is a trojan that connects to certain websites in order to download other malware. This may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA.
Installation
When executed, TrojanDownloader:Win32/Renos.HU runs from its original location and modifies the registry to run the trojan downloader at each Windows start. Adds value: "Cognac" With data: "<full pathname of TrojanDownloader:Win32/Renos.HU>"To subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionRun TrojanDownloader:Win32/Renos.HU may create the following registry entries to store data for its own use: To subkey: HKCUSoftwareCognac"Adds value: "d00000002"Adds value: "d00000003"Adds value: "d00000006"
Payload
Downloads and Executes Arbitrary MalwareOnce installed, the trojan may connect to one of a number of remote Web servers, including the following, from which it may download and execute other malware: zone-searching.com
imagerepository.com The downloaded malware may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA. With some of these servers, it may post some system information to the server before downloading the malware, while with others it simply downloads the malware without posting any information. The downloaded malware is generally saved to the %temp% directory, using filenames such as "~tmpa.exe".Additional InformationTrojanDownloader:Win32/Renos.HU may attempt to create the mutex 'NfeAhn02Gc9NqPBvmEc8'.
Analysis by Dan KurcLast update 07 April 2009
