
TrojanDownloader:Win32/Renos.IO


First posted on 18 June 2009.
Source: SecurityHome

Aliases :

There are no other names known for TrojanDownloader:Win32/Renos.IO.

Explanation :

TrojanDownloader:Win32/Renos.IO is a generic detection for a family of trojans that connect to certain websites in order to download other malware. This may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA. Note: Reports of Rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following registry modifications:
    Value: MSFox (or Cognac)
    With data: <full pathname of Win32/Renos.IO>
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Value: Str<digit>
    With data: <base64 encoded string> (for example, "x6tveq8ngbtmpknqirnnqauudxwx")
    In subkey: HKLM\Software\Mozilla\MSFox
  • Since this is a generic detection, there are no other common symptoms associated with this threat; alerts from installed antivirus software may be the only symptom.


Technical Information

Installation
When executed, TrojanDownloader:Win32/Renos.IO runs from its original location and modifies the registry so that the trojan downloader is run at each Windows start:

Adds value: "MSFox" (or "Cognac")
With data: "<full pathname of Win32/Renos.IO>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Additional registry modifications are made, similar to the following example:

Adds value: Str<digit>
With data: <base64 encoded string> (for example, "x6tveq8ngbtmpknqirnnqauudxwx")
To subkey: HKLM\Software\Mozilla\MSFox

Payload
Downloads and Executes Arbitrary Malware
Once installed, the trojan may connect to one of a number of remote Web servers, including the following, from which it may download and execute other malware:

  • image-big-library.com
  • 22.250.166.222
  • 167.156.220.15
  • erabl-pict.com
  • imagerepository.com
  • images-base.com

The downloaded malware may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA. With some of these servers, it may post some system information to the server before downloading the malware, while with others it simply downloads the malware without posting any information. The downloaded malware is generally saved to the %temp% directory, using filenames such as "~tmpa.exe".
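The registry, file-system and network artifacts listed under Installation and Payload translate directly into hunting logic. The following Python script is an added example and is not code from this encyclopedia entry or its author: it parses a `reg export` file for the MSFox/Cognac Run value and the Str<digit> values under HKLM\Software\Mozilla\MSFox (also checking the WOW6432Node path a 32-bit process is redirected to on 64-bit Windows), flags "~tmp?.exe"-style names in a %TEMP% listing, and matches proxy-log URLs against the download servers above. The .reg text, directory listing and proxy lines are constructed for the demonstration; the proxy log layout and the assumption that the suffix after "~tmp" varies are this example's, not the page's.

```python
# Added example for this entry, not code from the encyclopedia or its author:
# hunt for the Renos.IO artifacts in a .reg export, a %TEMP% listing and a
# proxy log.  All sample data below is constructed.
import base64
import binascii
import re
from urllib.parse import urlsplit

HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
               "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}

# Artifacts named in the Installation and Payload sections (lower-cased,
# because registry key and value names are case-insensitive).
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAMES = {"msfox", "cognac"}
CONFIG_KEYS = {r"hklm\software\mozilla\msfox",
               # where a 32-bit process is redirected on 64-bit Windows
               r"hklm\software\wow6432node\mozilla\msfox"}
STR_VALUE_RE = re.compile(r"^Str\d+$", re.IGNORECASE)
NETWORK_IOCS = {"image-big-library.com", "erabl-pict.com", "imagerepository.com",
                "images-base.com", "22.250.166.222", "167.156.220.15"}
# The page cites "~tmpa.exe"; that the suffix after "~tmp" varies is an
# assumption of this example.
TEMP_NAME_RE = re.compile(r"^~tmp[a-z0-9]{1,4}\.exe$", re.IGNORECASE)
# "name"="data" lines of a .reg file; backslash and quote are escaped with "\".
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text):
    """Return (key, value name, data) for every REG_SZ value in a .reg export.
    Hive names are abbreviated (HKLM, HKCU, ...); other value types are skipped."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _VALUE_LINE.match(line)
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = HIVE_ABBREV.get(hive.upper(), hive) + "\\" + rest
        elif key and m:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def decode_base64(data):
    """Strict base64 decode; None when the data is not valid base64."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_registry(entries):
    """Flag the Run-key persistence value and the Str<digit> config values."""
    hits = []
    for key, name, data in entries:
        if key.lower() == RUN_KEY and name.lower() in RUN_VALUE_NAMES:
            hits.append(f"persistence: {key}\\{name} -> {data}")
        elif key.lower() in CONFIG_KEYS and STR_VALUE_RE.match(name):
            blob = decode_base64(data)
            note = "not valid base64" if blob is None else f"{len(blob)} bytes of base64"
            hits.append(f"config: {key}\\{name} = {data} ({note})")
    return hits


def scan_temp_listing(names):
    """Flag dropped payload names in a %TEMP% directory listing."""
    return [n for n in names if TEMP_NAME_RE.match(n)]


def scan_proxy_log(lines):
    """Return (host, url) for requests to the download servers; assumes
    whitespace-separated lines with the full URL in one field."""
    hits = []
    for line in lines:
        for field in line.split():
            if field.startswith(("http://", "https://")):
                host = (urlsplit(field).hostname or "").lower()
                if host in NETWORK_IOCS:
                    hits.append((host, field))
    return hits


# Constructed samples: a benign Run value beside the malicious one, and a
# Str2 value that is not base64, to exercise the decode failure path.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"MSFox"="C:\\Users\\alice\\AppData\\Local\\Temp\\~tmpa.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox]
"Str1"="x6tveq8ngbtmpknqirnnqauudxwx"
"Str2"="not base64!"
'''
SAMPLE_TEMP = ["~tmpa.exe", "~tmpb.exe", "report.docx", "tmp1234.tmp"]
SAMPLE_PROXY = [
    "2009-06-18T10:01:02Z 10.0.0.12 GET http://image-big-library.com/img.php?id=7 200",
    "2009-06-18T10:01:05Z 10.0.0.12 GET http://www.microsoft.com/ 200",
    "2009-06-18T10:02:11Z 10.0.0.12 POST http://167.156.220.15/post.php 200",
]
if __name__ == "__main__":
    print(*scan_registry(parse_reg_export(SAMPLE_REG)), sep="\n")
    print("temp:", scan_temp_listing(SAMPLE_TEMP))
    print("network:", scan_proxy_log(SAMPLE_PROXY))
```

On a real host the input comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and `reg export HKLM\Software\Mozilla\MSFox msfox.reg` (reg.exe writes UTF-16LE, so open the files with encoding="utf-16"). The Run-key match is on the value name only, so confirm the data points at the dropped executable before acting on it; the Str<digit> data decodes to non-printable bytes, which is why the script reports only the decoded length rather than trying to interpret it.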

Analysis by Hamish O'Dea

Last update 18 June 2009
