Home / malwarePDF  

TrojanDownloader:Win32/Renos.KR


First posted on 25 February 2010.
Source: SecurityHome

Aliases :

There are no other names known for TrojanDownloader:Win32/Renos.KR.

Explanation :

TrojanDownloader:Win32/Renos.KR is a generic detection for a family of trojans that connect to certain websites in order to download arbitrary files. This may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA.
Top

TrojanDownloader:Win32/Renos.KR is a generic detection for a family of trojans that connect to certain websites in order to download arbitrary files. This may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA. TrojanDownloader:Win32/Renos.KR may be distributed in the wild masquerading as a video codec. For an example, please see the image below: It has also been observed being downloaded to affected machines after users are prompted by fake online security scanners. See below for examples of this method of distribution being utilized in the wild: InstallationWhen executed, TrojanDownloader:Win32/Renos.KR runs from its original location and modifies the registry to run the trojan downloader at each Windows start (for example): Adds value: "MSFox" (or "Cognac")With data: "<full pathname of Win32/Renos.KR>"To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Additional registry modifications are made similar to the following example: Adds value: Str<digit>With data: <base64 encoded string> (for example, "x6tveq8ngbtmpknqirnnqauudxwx")To subkey: HKLM\Software\Mozilla\MSFox Note: These registry modifications may vary according to minor variant and the values listed may be different from those given in these examples. Payload Downloads and Executes Arbitrary FilesOnce installed, the trojan may connect to one of a number of remote Web servers from which it may download and execute other files. In the wild, we have observed servers at the following locations being contacted in this manner by TrojanDownloader:Win32/Renos.KR: image-big-library.com
22.250.166.222
167.156.220.15
erabl-pict.comimagerepository.comimages-base.comthe-exefiles.comfreeexefiles.comexefileformat.comnewexefile.com Files downloaded may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA. TrojanDownloader:Win32/Renos.KR has also been observed downloading files and other content associated with advertising and browser redirection. TrojanDownloader:Win32/Renos may post system information to the remote server before downloading files. The downloaded malware is generally saved to the %temp% directory, using filenames such as "~tmpa.exe".

Analysis by Hamish O'Dea

Last update 25 February 2010

 

TOP