Home / malware TrojanDownloader:Win32/Renos.IT
First posted on 06 July 2009.
Source: SecurityHomeAliases :
There are no other names known for TrojanDownloader:Win32/Renos.IT.
Explanation :
TrojanDownloader:Win32/Renos.IT is a generic detection for a family of trojans that connect to certain websites in order to download other malware. This may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA.
Symptoms
System ChangesThe following system changes may indicate the presence of this malware:The presence of the following registry modifications:
Value: MSFox
With data: <full pathname of Win32/Renos.gen!BB>
In subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionRun
Value: Str<digit>
With data: <base64 encoded string> (for example, "x6tveq8ngbtmpknqirnnqauudxwx")
In subkey: HKLMSoftwareMozillaMSFoxSince this is a generic detection, there are no additional and common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).
TrojanDownloader:Win32/Renos.IT is a generic detection for a family of trojans that connect to certain websites in order to download other malware. This may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA.
Installation
When executed, TrojanDownloader:Win32/Renos.IT runs from its original location and modifies the registry to run the trojan downloader at each Windows start. Adds value: "MSFox" (or "Cognac")With data: "<full pathname of Win32/Renos.gen!BB>"To subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionRun Additional registry modifications are made similar to the following example: Adds value: Str<digit>With data: <base64 encoded string> (for example, "x6tveq8ngbtmpknqirnnqauudxwx")To subkey: HKLMSoftwareMozillaMSFox
Payload
Downloads and Executes Arbitrary MalwareOnce installed, the trojan may connect to one of a number of remote Web servers, including the following, from which it may download and execute other malware: image-big-library.com
22.250.166.222
167.156.220.15
erabl-pict.comimagerepository.comimages-base.com The downloaded malware may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA. With some of these servers, it may post system information to the server before downloading the malware, while with others it simply downloads the malware without posting any information. The downloaded malware is generally saved to the %temp% directory, using filenames such as "~tmpa.exe".
Analysis by Scott MolenkampLast update 06 July 2009