
Trojan.Renos.PGZ


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Renos.PGZ is also known as Trojan-Downloader.Win32.FraudLoad.xdjj, Win32/TrojanDownloader.FakeAlert.AYY, Trojan.FakeAV!gen24.

Explanation:

Trojan.Renos.PGZ is a trojan downloader which connects to certain websites in order to download and execute malicious files.

It lowers Internet Explorer's security settings by setting the following registry values:

- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet -> 0x00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect -> 0x00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass -> 0x00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName -> 0x00000001

It creates and executes the file %TEMP%\[3-random-letters].bat, which repeatedly tries to delete the downloader until it succeeds and then deletes itself.

It downloads three files to %TEMP%\[3-random-letters].exe (e.g. kgl.exe, kgj.exe, kgk.exe) and executes them, fetching them from:

- http://moviearts[removed].com
- http://first[removed]arts.com
- http://sportfi[removed]arts.com

The downloaded files are detected by BitDefender as Trojan.Renos.PHH.
Some of them will download additional files from sites such as:

- http://straightdi[removed].com
- http://allsh[removed].com
- http://reseller[removed].com

One of the downloaded files is a keylogger which sends the captured keystrokes to http://cyber[removed].com.

A symptom of infection is the presence of new scheduled tasks in the C:\Windows\Tasks directory and of a random value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key. These are added to ensure that the malware will run at system startup.
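A triage helper written for this entry (not BitDefender's code) that scores an already-collected host snapshot against the indicators above: the four ZoneMap values forced to 1, three-letter .exe/.bat names in %TEMP%, Run-key entries launching such a file, and task files that were not in a baseline listing. The snapshot format, the Run value name `xqz`, the task name `At1.job` and the file listing are constructed assumptions.

```python
import re

# Registry locations and values named in the advisory.
ZONEMAP_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
ZONEMAP_VALUES = ("UNCAsIntranet", "AutoDetect", "ProxyBypass", "IntranetName")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Dropped files: three random letters plus .exe (payloads) or .bat (self-delete script),
# either as a bare name or at the end of a path, optionally followed by a quote or arguments.
RANDOM_DROP = re.compile(r'(?:^|\\)[a-z]{3}\.(?:exe|bat)(?:"|\s|$)', re.IGNORECASE)


def assess(snapshot):
    """Return {indicator: evidence} for every advisory indicator present in the snapshot.

    snapshot (assumed layout): {"registry": {key: {value_name: data}}, "temp_files": [...],
    "tasks_baseline": [...], "tasks_now": [...]}; REG_DWORD data is given as int.
    """
    findings = {}
    registry = snapshot.get("registry", {})
    # 1. All four ZoneMap values set to 1 (intranet-zone treatment widened).
    zonemap = registry.get(ZONEMAP_KEY, {})
    weakened = [v for v in ZONEMAP_VALUES if zonemap.get(v) == 1]
    if len(weakened) == len(ZONEMAP_VALUES):
        findings["ie_zonemap_weakened"] = weakened
    # 2. Three-letter .exe/.bat names present in %TEMP%.
    drops = [f for f in snapshot.get("temp_files", []) if RANDOM_DROP.search(f)]
    if drops:
        findings["temp_random_drops"] = drops
    # 3. Run-key entries whose command launches one of those dropped names.
    run = registry.get(RUN_KEY, {})
    persist = {n: c for n, c in run.items() if RANDOM_DROP.search(c.strip('"'))}
    if persist:
        findings["run_key_persistence"] = persist
    # 4. Task files in C:\Windows\Tasks that were absent from the baseline listing.
    new_tasks = sorted(set(snapshot.get("tasks_now", [])) - set(snapshot.get("tasks_baseline", [])))
    if new_tasks:
        findings["new_scheduled_tasks"] = new_tasks
    return findings


SAMPLE = {  # constructed snapshot of an infected host; names and paths are illustrative
    "registry": {
        ZONEMAP_KEY: {"UNCAsIntranet": 1, "AutoDetect": 1, "ProxyBypass": 1, "IntranetName": 1},
        RUN_KEY: {"xqz": r'"C:\Users\u\AppData\Local\Temp\kgl.exe"',
                  "OneDrive": r'"C:\Program Files\OneDrive\OneDrive.exe" /background'},
    },
    "temp_files": ["kgl.exe", "kgj.exe", "kgk.exe", "abc.bat", "setup_log.txt"],
    "tasks_baseline": ["SA.DAT", "desktop.ini"],
    "tasks_now": ["SA.DAT", "desktop.ini", "At1.job"],
}

if __name__ == "__main__":
    for name, evidence in assess(SAMPLE).items():
        print(f"{name}: {evidence}")
```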

Last update 21 November 2011
