
TrojanDownloader:Win32/Renos.HL


First posted on 16 April 2009.
Source: SecurityHome

Aliases:

TrojanDownloader:Win32/Renos.HL is also known as Pro Antispyware 2009 (other), MS AntiSpyware 2009 (other), W32/DLoader.NYHM (Norman), Mal/FakeAV-AH (Sophos), Win32/Adware.MSAntispyware2009 (ESET), Downloader.MisleadApp (Symantec), Trojan.Fakeavalert (Symantec), Trojan-Downloader.Win32.FraudLoad.dzd (Kaspersky), Generic Downloader.x (McAfee).

Explanation:

Trojan:Win32/Renos.HL is an installer that connects to specified websites to download and install a fake antivirus scanner. This scanner is detected as Trojan:Win32/WinSpywareProtect.

Note 6th April 2009: We have received reports that TrojanDownloader:Win32/Renos.HL has been distributed attached to an email that masquerades as a message from Microsoft. The message reads as follows:

From: Microsoft Computer Safety Department
Subject (or similar): Microsoft Alert (Case#: wlTR6Zm)

Dear Windows User,

Starting April 1st, 2009 the "Comficker" virus began infecting Microsoft customers very quickly. Microsoft was alerted by your Internet provider that your computer is showing signs of being infected. To prevent further infection we recommend removing the infection using an antivirus program. We are giving all effected Microsoft customers a free antispyware scan in order to remove any infections from their system. Please visit the Microsoft Windows System Security Scanner website by clicking here to start scanning your computer. The process takes under a minute and will prevent your information from being stolen. We appreciate your cooperation in this matter.

Regards
Microsoft Windows Representative #10 (Willa)
Windows Net Security Division
Email Ref ID: g9BK0f

This email was not sent by Microsoft and is an attempt to use the current interest and concern over Win32/Conficker in order to persuade users to download and install arbitrary files of the attacker's choice, in this case Trojan:Win32/Renos.HL and in turn Trojan:Win32/WinSpywareProtect. Additional information on how to help verify the legitimacy of a Microsoft e-mail can be found here: http://www.microsoft.com/protect/yourself/phishing/msemail.mspx

Symptoms

System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following registry modifications (for example):

    Under key: HKCU\Software\<software company name>\upd
    Adds value: Started
    With data: <8 bytes> (for example C9 95 98 1E 73 62 26 41)
    Adds value: Ready
    With data: 0

    Under key: HKCU\Software\<software company name>\<fake scanner name>
    Adds value: lid
    With data: “-1”
    Adds value: pid
    With data: <random digits> (for example 11020)
    Adds value: psid
    With data: “1” or “123” or “0”

    Examples of <software company name> include:
    Solt Lake Software
    CrucialSoft Ltd

    Note: <fake scanner name> is a product name, such as one of the examples listed above (i.e. Pro Antispyware 2009 or MS AntiSpyware 2009).
  • The display of the following message:


Trojan:Win32/Renos.HL is an installer that connects to specified websites to download and install a fake antivirus scanner. This scanner is detected as Trojan:Win32/WinSpywareProtect.

Installation
Trojan:Win32/Renos.HL runs from its original location. It creates the following registry entry to ensure that it will run on system startup:
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: Installer
With data: <full pathname of malware>

Payload
Downloads and Installs Rogue Security Software
When executed, Trojan:Win32/Renos.HL may display a dialog, similar to the one shown below, prompting the user to choose from one of a number of installation languages, and to click Continue. Once the user has performed the actions suggested by the dialog, it then connects to a specified website to download and install the fake scanner. Examples of websites used include the following:
  • dl.as-storage.net
  • dl.ms-antivir-scan.com
  • dl.ms-scanner-antivir.com

Some variants of the malware silently attempt to download the fake scanner without displaying a dialog. The malware may also contact further websites in order to update download statistics. Examples of these include:
  • int.sysproreport1.com
  • int.sysproreport2.com
  • int.proreportms1.com
  • int.proreportms2.com
  • int.msproreport1.com

The fake scanner regularly changes its branding and graphical layout. The following names have been observed being used:
  • Pro Antispyware 2009
  • MS AntiSpyware 2009

Additional Information
During installation, TrojanDownloader:Win32/Renos.HL may create registry entries such as the following:

Under key: HKCU\Software\<software company name>\upd
Adds value: Started
With data: <8 bytes> (for example C9 95 98 1E 73 62 26 41)
Adds value: Ready
With data: 0

Under key: HKCU\Software\<software company name>\<fake scanner name>
Adds value: lid
With data: “-1”
Adds value: pid
With data: <random digits> (for example 11020)
Adds value: psid
With data: “1” or “123” or “0”

Examples of <software company name> include:
"Solt Lake Software"
"CrucialSoft Ltd"

Note: <fake scanner name> is a product name, such as one of the examples listed above (i.e. Pro Antispyware 2009 or MS AntiSpyware 2009). So an example registry entry might be
HKCU\Software\Solt Lake Software\Pro Antispyware 2009\lid
or
HKCU\Software\CrucialSoft Ltd\MS AntiSpyware 2009\lid.
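As an added example (not part of the original write-up), the following Python script turns the registry indicators listed under Symptoms, Installation and Additional Information into a check that can be run offline against an exported .reg file; the sample export, the RUN_KEY constant and the function names are assumptions, not artefacts from the analysis.

```python
from collections import defaultdict

# Constructed .reg export (not from the write-up) with the registry changes described
# for Renos.HL, plus one unrelated vendor key that must not match.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Installer"="C:\\Users\\victim\\AppData\\Local\\Temp\\setup.exe"
[HKEY_CURRENT_USER\Software\Solt Lake Software\upd]
"Started"=hex:c9,95,98,1e,73,62,26,41
"Ready"=dword:00000000
[HKEY_CURRENT_USER\Software\Solt Lake Software\Pro Antispyware 2009]
"lid"="-1"
"pid"="11020"
"psid"="123"
[HKEY_CURRENT_USER\Software\Contoso\Widget]
"lid"="7"
'''
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

def parse_reg(text):
    """Minimal .reg reader: {key: {name: (type, data)}} for REG_SZ, DWORD and binary."""
    keys, current = defaultdict(dict), None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith('"'):          # "Name"="string" (backslashes are doubled)
                keys[current][name] = ("str", raw[1:-1].replace("\\\\", "\\"))
            elif raw.startswith("dword:"):   # "Name"=dword:0000000a
                keys[current][name] = ("dword", int(raw[6:], 16))
            elif raw.startswith("hex:"):     # "Name"=hex:c9,95,...
                keys[current][name] = ("hex", bytes.fromhex(raw[4:].replace(",", "")))
    return keys

def find_renos_indicators(text):
    """Return (key, reason) for every key matching a pattern from the write-up."""
    hits = []
    for key, vals in parse_reg(text).items():
        parts = key.split("\\")                      # HKCU \ Software \ <vendor> \ <leaf>
        under_software = len(parts) == 4 and parts[:2] == ["HKEY_CURRENT_USER", "Software"]
        if key == RUN_KEY and "Installer" in vals:   # startup entry named 'Installer'
            hits.append((key, "Run value 'Installer' -> " + vals["Installer"][1]))
        elif under_software and parts[3] == "upd":   # <vendor>\upd: Started (8 bytes), Ready=0
            started = vals.get("Started", ("", b""))
            if started[0] == "hex" and len(started[1]) == 8 \
                    and vals.get("Ready") in (("dword", 0), ("str", "0")):
                hits.append((key, "upd key with 8-byte Started and Ready=0"))
        elif under_software and vals.get("lid") == ("str", "-1") \
                and str(vals.get("pid", ("", ""))[1]).isdigit() \
                and str(vals.get("psid", ("", ""))[1]) in {"1", "123", "0"}:
            hits.append((key, "fake scanner key: lid=-1, numeric pid, psid in {1,123,0}"))
    return hits
```

The three patterns are deliberately matched on structure (key depth, value names and data shapes) rather than on the vendor or product strings, since the write-up notes that the branding changes regularly.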

Analysis by David Wood

Last update 16 April 2009
