TrojanDownloader:Win32/Renos.FO is a detection for a trojan that connects to certain websites and downloads other unwanted software and malware, such as Trojan:Win32/FakeSecSen, Trojan:Win32/Bohmini, Trojan:Win32/FakeXPA and other Win32/Renos components. These programs typically present erroneous warnings claiming the system is infected with spyware and offer to remove the alleged spyware for a fee. In some cases, the programs may also cause system instability.
Installation
TrojanDownloader:Win32/Renos.FO may be downloaded and executed by other malware. In one example, this malware is retrieved from the IP address 78.157.143.164 as a file named "video1441.cfg".

When executed, Win32/Renos.FO may inject code into the Windows shell EXPLORER.EXE in order to download other malware. The registry is modified to execute Win32/Renos.FO at each Windows start.

Adds value: "MSFox"
With data: "<path and filename of TrojanDownloader:Win32/Renos.FO>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Payload
Downloads Other Malware
The malware connects to the internet and downloads several components. Win32/Renos.FO registers the infected computer by sending POST requests to various web addresses. Some of these requests mimic those made by legitimate Windows Update components.

The URL of the POST requests takes the following form:

../windowsupdate/v6/shared/images/mu_getstarted-part1bottom_ltr.gif

At the time of this writing, the malware sends the request to the IP address 193.142.244.82 or 193.142.244.55, both of which are registered to the same company listed as being in Lithuania.

Win32/Renos.FO downloads three executables into the %TEMP% folder, as in the following examples:

%TEMP%\~tmpa.exe - TrojanDownloader:Win32/Renos.DY
%TEMP%\~tmpb.exe - TrojanDownloader:Win32/Renos.DZ

The downloaded malware is then executed. Win32/Renos.DZ modifies the registry to execute itself at each Windows start.

Adds value: "Cognac"
With data: "~tmpb.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Â
Installs BHO
TrojanDownloader:Win32/Renos.DY drops a DLL component into the Windows system folder:

<system folder>\msxml71.dll - TrojanDownloader:Win32/Renos.FQ

Renos.DY modifies the registry to run this dropped DLL component as a Web browser helper object (BHO).

Adds value: "(default)"
With data: "xml class"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}

Adds value: "(default)"
With data: "<system folder>\msxml71.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32

Adds value: "(default)"
With data: "xml.xml.1"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID

Adds value: "(default)"
With data: "{9233c3c0-1472-4091-a505-5580a23bb4ac}"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib

Adds value: "(default)"
With data: "xml.xml"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID

Adds value: "(default)"
With data: "xml class"
To subkey: HKLM\SOFTWARE\Classes\XML.XML

Adds value: "(default)"
With data: "{500bca15-57a7-4eaf-8143-8c619470b13d}"
To subkey: HKLM\SOFTWARE\Classes\XML.XML\CLSID

Adds value: "(default)"
With data: "xml.xml.1"
To subkey: HKLM\SOFTWARE\Classes\XML.XML\CurVer

Adds value: "(default)"
With data: "xml class"
To subkey: HKLM\SOFTWARE\Classes\XML.XML.1

Adds value: "(default)"
With data: "{500bca15-57a7-4eaf-8143-8c619470b13d}"
To subkey: HKLM\SOFTWARE\Classes\XML.XML.1\CLSID

Adds value: "(default)"
With data: "xml library"
To subkey: HKLM\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\1.0

Adds value: "(default)"
With data: "xml module"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}
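The following read-only PowerShell check is an added example, not part of this encyclopedia entry or any Microsoft tool: it looks for the Run values, CLSID/BHO registration and dropped files that the Installation and Installs BHO sections above attribute to Renos.FO and its components, and assumes the "system folder" is %SystemRoot%\System32.

```powershell
# Added example (not from the encyclopedia entry): report the Renos.FO
# persistence and BHO artifacts described above. Read-only; run elevated so
# HKLM keys are readable. Assumes <system folder> = %SystemRoot%\System32.
$findings = @()

# Run-key values listed in the entry: "MSFox" (Renos.FO) and "Cognac" (Renos.DZ)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'MSFox', 'Cognac') {
    $item = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    if ($item) { $findings += "Run value '$name' -> $($item.$name)" }
}

# CLSID, ProgID, TypeLib and BHO keys registering the dropped msxml71.dll (Renos.FQ)
$clsid = '{500BCA15-57A7-4eaf-8143-8C619470B13D}'
$bhoKeys = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
    'HKLM:\SOFTWARE\Classes\XML.XML',
    'HKLM:\SOFTWARE\Classes\XML.XML.1',
    'HKLM:\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}',
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
)
foreach ($key in $bhoKeys) {
    if (Test-Path -Path $key) { $findings += "Registry key present: $key" }
}

# InprocServer32 default value holds the DLL path when the BHO is registered
$inproc = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
    -ErrorAction SilentlyContinue
if ($inproc -and $inproc.'(default)') {
    $findings += "InprocServer32 -> $($inproc.'(default)')"
}

# Dropped files named in the entry
$files = @(
    (Join-Path $env:TEMP '~tmpa.exe'),
    (Join-Path $env:TEMP '~tmpb.exe'),
    (Join-Path $env:SystemRoot 'System32\msxml71.dll')
)
foreach ($f in $files) {
    # -LiteralPath so the leading "~" in the file name is not expanded
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Renos.FO artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[Renos.FO indicator] $_" }
}
```

The file names and values are only those this entry lists; an absence of hits does not clear a host, since other Renos variants use different names.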
Â
Displays Alerts
As a visual indication of the infection, the following pop-up message is displayed near the system tray:
(You Have a security problem!)

Clicking on the above message triggers countless warning messages, as in the following examples:

The alerts are an attempt to convince the user to take action and install and execute rogue security software. In the background, a scan appears to run; however, it is only an "animation" intended to mimic a real antispyware product. Upon finishing, a final screen (a picture) informs the user that their computer is infected. Clicking anywhere on the message triggers the download and installation of the rogue product.

The malware is persistent: the user is continuously nagged with various messages and alerts, and the user experience is dramatically degraded. Downloaded components are occasionally unstable, causing numerous system crashes.

Â
Generates Traffic
The malware also generates a lot of internet traffic to various sites and IP addresses, including the following:

hs.2-116.zlkon.lv
simonsearch.com
looksmart.com
marchex.com
dexknows.com
localmatters.com

Analysis by Dan Nicolescu