
TrojanDownloader:Win32/Renos.LR


First posted on 16 June 2010.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Renos.LR is also known as Win-Trojan/Fakeav.176640.P (AhnLab), W32/FakeAlert.5!Maximus (Authentium (Command)), Gen:Variant.Renos.14 (BitDefender), Trojan-Downloader.Win32.CodecPack (Ikarus), Trojan-Downloader.Win32.CodecPack.lch (Kaspersky), Downloader-CEW.b (McAfee), Mal/FakeAV-CX (Sophos), Trojan.FakeAV!gen29 (Symantec).

Explanation :

TrojanDownloader:Win32/Renos.LR is an executable that downloads files from a specific Web site.

Installation :

TrojanDownloader:Win32/Renos.LR creates the following registry entry to ensure that it is automatically run every time Windows starts:

Adds value: "M5T8QL3YW3"
With data: "<malware file>"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

It also creates the following registry key:

  • HKCU\Software\M5T8QL3YW3

TrojanDownloader:Win32/Renos.LR also drops the following JOB file that is designed to automatically execute itself every hour for the next 366 days:

  • %windir%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job

Payload :

Downloads arbitrary files

TrojanDownloader:Win32/Renos.LR downloads files from the Web site "supertreks.com".
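A host check for the three persistence artifacts listed under Installation, as an added example that is not part of the original write-up. The function and variable names are hypothetical; the value name, key and JOB file name are the ones given above. Because the registry entries live under HKCU, the script walks every user hive currently loaded under HKEY_USERS rather than only the hive of the account running it.

```powershell
# Indicators copied from the write-up above; function and variable names are hypothetical.
$ValueName = 'M5T8QL3YW3'
$JobFile   = Join-Path $env:windir 'Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job'

function Get-RenosLRArtifact {
    $found = @()

    # HKCU is per-user: enumerate the loaded user hives (SIDs starting S-1-5-21-),
    # skipping the *_Classes hives and the built-in service accounts.
    $sids = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        Select-Object -ExpandProperty PSChildName

    foreach ($sid in $sids) {
        $runKey    = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
        $markerKey = "Registry::HKEY_USERS\$sid\Software\$ValueName"

        # Autostart value: its data is the path of the file to collect for analysis.
        $run = Get-ItemProperty -Path $runKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($run) {
            $found += [pscustomobject]@{ Type = 'RunValue'; User = $sid; Detail = $run.$ValueName }
        }

        # Registry key created alongside the Run value.
        if (Test-Path -LiteralPath $markerKey) {
            $found += [pscustomobject]@{ Type = 'RegistryKey'; User = $sid; Detail = $markerKey }
        }
    }

    # JOB file dropped in the legacy Tasks folder.
    if (Test-Path -LiteralPath $JobFile) {
        $found += [pscustomobject]@{ Type = 'JobFile'; User = 'n/a'; Detail = $JobFile }
    }

    $found
}

Get-RenosLRArtifact | Format-Table -AutoSize
```

Run it from an elevated prompt so other users' loaded hives are readable. Hives of users who are not logged on are not loaded under HKEY_USERS and are not covered by this check.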

    Analysis by Daniel Radu

    Last update 16 June 2010

     
