TrojanDownloader:Win32/Renos.LR
First posted on 16 June 2010.
Source: SecurityHome
Aliases :
TrojanDownloader:Win32/Renos.LR is also known as Win-Trojan/Fakeav.176640.P (AhnLab), W32/FakeAlert.5!Maximus (Authentium (Command)), Gen:Variant.Renos.14 (BitDefender), Trojan-Downloader.Win32.CodecPack (Ikarus), Trojan-Downloader.Win32.CodecPack.lch (Kaspersky), Downloader-CEW.b (McAfee), Mal/FakeAV-CX (Sophos), Trojan.FakeAV!gen29 (Symantec).
Explanation :
TrojanDownloader:Win32/Renos.LR is an executable that downloads files from a specific Web site.
Installation

TrojanDownloader:Win32/Renos.LR creates the following registry entry to ensure that it is automatically run every time Windows starts:

Adds value: "M5T8QL3YW3"
With data: "<malware file>"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

It also creates the following registry key:

HKCU\Software\M5T8QL3YW3

TrojanDownloader:Win32/Renos.LR also drops the following JOB file that is designed to automatically execute itself every hour for the next 366 days:

%windir%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job

Payload

Downloads arbitrary files

TrojanDownloader:Win32/Renos.LR downloads files from the Web site "supertreks.com".
Analysis by Daniel Radu
Last update 16 June 2010
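
A read-only check for the three persistence artifacts described above, added here as an example and not part of the original analysis. Because the registry entries live under HKCU, it walks every loaded user hive under HKEY_USERS instead of only the hive of the account running the check; profiles that are not currently loaded are not covered, and the variable names are this example's own.

```powershell
# Indicators taken from the write-up above.
$marker  = 'M5T8QL3YW3'
$jobFile = Join-Path $env:windir 'Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job'
$findings = New-Object System.Collections.Generic.List[object]

# HKCU is per-user: enumerate loaded user hives (S-1-5-21-...), skipping the *_Classes hives.
$sids = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

foreach ($sid in $sids) {
    $base   = "Registry::HKEY_USERS\$($sid.PSChildName)"
    $runKey = "$base\Software\Microsoft\Windows\CurrentVersion\Run"

    # 1. Autostart value; its data is the path of the malware file, so report it.
    $run = Get-ItemProperty -LiteralPath $runKey -Name $marker -ErrorAction SilentlyContinue
    if ($run) {
        $findings.Add([pscustomobject]@{
            Type = 'RunValue'; Location = $runKey; Detail = $run.$marker })
    }

    # 2. The trojan's own key under Software.
    $ownKey = "$base\Software\$marker"
    if (Test-Path -LiteralPath $ownKey) {
        $findings.Add([pscustomobject]@{
            Type = 'RegistryKey'; Location = $ownKey; Detail = '' })
    }
}

# 3. Hourly scheduled-task file. -LiteralPath keeps the braces from being parsed as a pattern.
if (Test-Path -LiteralPath $jobFile) {
    $f = Get-Item -LiteralPath $jobFile -Force
    $findings.Add([pscustomobject]@{
        Type = 'JobFile'; Location = $f.FullName
        Detail = "created $($f.CreationTimeUtc.ToString('u'))" })
}

if ($findings.Count) { $findings | Format-List }
else { 'None of the persistence artifacts from this write-up were found.' }
```

The job file's creation time and the path stored in the Run value give a starting point for locating the dropped executable and dating the infection.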