TrojanDownloader:Win32/Renos.gen!F is a generic detection for certain variants of TrojanDownloader:Win32/Renos, a family of trojan downloaders that automatically download unwanted software such as SpySheriff, SpyAxe, SpyFalcon, SpyDawn, SpywareStrike, and other similarly named programs. These programs typically present erroneous warnings claiming the system is infected with spyware and offer to remove the alleged spyware for a fee. In some cases, the programs may also cause system instability.
Installation
TrojanDownloader:Win32/Renos.gen!F is installed by other malicious software or by a trojan dropper. If an installer or dropper for this trojan downloader is executed, it may drop the following files:
where ??? is from one to three random characters.
The registry may be modified to execute dropped files at each Windows start. The following registry modifications may also be made:
Adds value: "{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}"
To subkey: HKEY_LOCAL_MACHINE\Software\Classes\CLSID
Adds value: "Windows Safety Alert"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
Adds value: "{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
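A defender-side check for the three registry modifications listed above, added here as an example and not taken from the encyclopedia entry. The CLSID and value names are the ones the entry gives; the function name and the extra check that treats the CLSID as a possible subkey (the entry describes it only as a value) are assumptions.

```powershell
# Added example (not Microsoft's code): report whether the registry indicators
# listed in the Renos.gen!F entry are present on the local machine.
function Test-RenosRegistryIndicators {
    [CmdletBinding()]
    param()

    # Indicators copied from the entry: each is a (subkey, value name) pair.
    $indicators = @(
        @{ Key = 'HKLM:\Software\Classes\CLSID'
           Name = '{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}' },
        @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
           Name = 'Windows Safety Alert' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
           Name = '{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}' }
    )

    foreach ($i in $indicators) {
        $found = $false
        $kind  = $null
        # -LiteralPath so the braces in the CLSID are not treated as wildcards.
        if (Test-Path -LiteralPath $i.Key) {
            # The entry describes each item as a value, so check the value name first.
            $props = Get-ItemProperty -LiteralPath $i.Key -ErrorAction SilentlyContinue
            if ($props -and ($props.PSObject.Properties.Name -contains $i.Name)) {
                $found = $true; $kind = 'value'
            }
            # Assumption: the CLSID may also exist as a child key of the same name.
            elseif (Test-Path -LiteralPath (Join-Path $i.Key $i.Name)) {
                $found = $true; $kind = 'subkey'
            }
        }
        [pscustomobject]@{
            Key   = $i.Key
            Name  = $i.Name
            Found = $found
            Kind  = $kind
        }
    }
}

# Show only hits; an empty result means none of the listed indicators is present.
Test-RenosRegistryIndicators | Where-Object Found | Format-Table -AutoSize
```

On 64-bit Windows a 32-bit dropper's writes to some of these keys can be redirected under Wow6432Node, so extend $indicators with those paths if the host is 64-bit. Requires an elevated session to read every subkey reliably.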
Payload
Displays Deceptive Messages
TrojanDownloader:Win32/Renos.gen!F may display deceptive messages suggesting that the computer is infected with spyware, as can be seen in the following example:
The notification-area icon may rapidly alternate between the following two icons in an attempt to attract the user's attention:
If the balloon or icon is clicked, TrojanDownloader:Win32/Renos.gen!F may start Internet Explorer and open a rogue security software program's web page.
Analysis by Aaron Hulett