
TrojanDownloader:Win32/Renos.IT


First posted on 06 July 2009.
Source: SecurityHome

Aliases:

There are no other names known for TrojanDownloader:Win32/Renos.IT.

Explanation:

TrojanDownloader:Win32/Renos.IT is a generic detection for a family of trojans that connect to certain websites in order to download other malware. This may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA.

Symptoms

System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following registry modifications:
    Value: MSFox
    With data: <full pathname of Win32/Renos.gen!BB>
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Value: Str<digit>
    With data: <base64 encoded string> (for example, "x6tveq8ngbtmpknqirnnqauudxwx")
    In subkey: HKLM\Software\Mozilla\MSFox
  • Since this is a generic detection, there are no additional, common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

    Installation
    When executed, TrojanDownloader:Win32/Renos.IT runs from its original location and modifies the registry to run the trojan downloader at each Windows start.

    Adds value: "MSFox" (or "Cognac")
    With data: "<full pathname of Win32/Renos.gen!BB>"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Additional registry modifications are made, similar to the following example:

    Adds value: Str<digit>
    With data: <base64 encoded string> (for example, "x6tveq8ngbtmpknqirnnqauudxwx")
    To subkey: HKLM\Software\Mozilla\MSFox
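As an added example (not part of this entry or of any vendor tooling), a small triage script that parses a decoded .reg export and flags the persistence entries this entry describes: a Run value named MSFox or Cognac, and Str<digit> string values under Software\Mozilla\MSFox. The sample export, its paths, the benign OneDrive entry and the second string are constructed test data.

```python
import re
# Constructed sample of a .reg export (the text format written by reg.exe /
# regedit, assumed already decoded from UTF-16). MSFox and Str<digit> mirror
# the indicators on this page; the paths and the benign entry are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"MSFox"="C:\\Users\\user\\AppData\\Local\\Temp\\svc.exe"

[HKEY_LOCAL_MACHINE\Software\Mozilla\MSFox]
"Str1"="x6tveq8ngbtmpknqirnnqauudxwx"
"Str2"="n9sdu4kqwe1pzlrxtv0cbhgm2yfa"
'''
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MSFOX_KEY = r"HKEY_LOCAL_MACHINE\Software\Mozilla\MSFox"
RUN_VALUE_NAMES = {"msfox", "cognac"}          # Run value names named on this page
STR_VALUE_RE = re.compile(r"^Str\d+$")         # Str<digit> pattern from this page
VALUE_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Parse a .reg export into {key_path_lower: {value_name: data}} (REG_SZ only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()       # registry paths are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_LINE_RE.match(line)      # @= defaults and hex:/dword: are skipped
            if m:
                name, data = m.group(1), m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo .reg escaping
                keys[current][name] = data
    return keys

def find_renos_indicators(text):
    """Return [(key, value_name, data)] for entries matching this page's indicators."""
    keys = parse_reg(text)
    hits = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() in RUN_VALUE_NAMES:
            hits.append((RUN_KEY, name, data))
    for name, data in keys.get(MSFOX_KEY.lower(), {}).items():
        if STR_VALUE_RE.match(name):
            hits.append((MSFOX_KEY, name, data))
    return hits
```

A hit on the Run key also gives you the executable path to collect from the host; an empty result only means these specific indicators are absent, which, as the entry notes for a generic detection, does not rule out an infection.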

    Payload
    Downloads and Executes Arbitrary Malware
    Once installed, the trojan may connect to one of a number of remote Web servers, including the following, from which it may download and execute other malware:

    image-big-library.com
    22.250.166.222
    167.156.220.15
    erabl-pict.com
    imagerepository.com
    images-base.com

    The downloaded malware may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA. With some of these servers, it may post system information to the server before downloading the malware, while with others it simply downloads the malware without posting any information. The downloaded malware is generally saved to the %temp% directory, using filenames such as "~tmpa.exe".

    Analysis by Scott Molenkamp

    Last update 06 July 2009