Threat behavior
TrojanDownloader:Win32/Renos.B has two components: an installation program and a DLL. The installation program contains the code for the DLL module. When the installation program runs, it checks for the presence of a certain DLL in the Windows system folder. If the DLL is already present in the Windows system folder, the installation program terminates. Otherwise, the installation program takes the following actions:
Drops its DLL code to the Windows system folder. The dropped DLL may have a name such as:
higehsg.dll
nbbrhbd.dll
tahxqcj.dll
Note: The default location of the Windows system folder is C:\Windows\System32 on Windows XP/Server 2003/Vista and C:\Winnt\System32 on Windows NT/2000.
Modifies the registry as follows:
- Creates value name: eitheror
  with data: <GUID such as "{2016a466-91A2-43C6-97D8-2FD380F065EF}">
  in registry subkey:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\<GUID such as "{2016a466-91A2-43C6-97D8-2FD380F065EF}">
  (Explorer loads every CLSID registered under SharedTaskScheduler at logon, so this entry is what makes the dropped DLL persist.)
- Sets value name: (default)
  with data: <path to dropped DLL>
  and sets value name: ThreadingModel
  with data: Apartment
  in registry subkey:
  HKEY_LOCAL_MACHINE\Software\Classes\CLSID\<CLSID such as "{2016a466-91A2-43C6-97D8-2FD380F065EF}">\InProcServer32
- Sets value name: DisplayName
  with data: System Alert Popup
  and sets value name: UninstallString
  with data: <path to the trojan's installation program>
  in registry subkey:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SystemAlert Popup
Executes the dropped DLL by running the following command:
rundll32.exe <path to dropped DLL>, <name of function exported by DLL>
For example, it might run a command such as the following:
rundll32.exe C:\Windows\System32\higehsg.dll, windows
(In the preceding example, "windows" is the name of a function that is exported by the DLL.)
When the DLL runs, it checks for the presence of unwanted software named SpyDawn by searching for registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn
If the subkey is present, the DLL may perform the following operations:
- Download a new instance of SpyDawn from a specific Web site, saving the file to the Windows temporary folder or the current user's temporary folder. The DLL saves the file with a name that begins with "av", for example, av2.exe. The file is a self-extracting archive.
- Silently run the downloaded file.
- Delete the downloaded file after it runs successfully.
If the subkey is not present, the DLL may perform the following operations:
- Download SpyDawn, SpySheriff, or other unwanted software from a certain Web site.
- Display a message such as the following:
  "System alert! System has detected a number of active spyware applications that may impact the performance of your computer. Click the icon to get rid of unwanted spyware by downloading an up-to-date antispyware solutions."
- Display a blinking red icon in the system tray.
- Install a browser helper object (BHO) in order to add a toolbar in Internet Explorer.
- Check for the presence of the following registry subkey when the user clicks the alert message, toolbar, or red icon:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SpywareLocked
- If the subkey exists, the DLL runs the file specified in the data of value name "DisplayIcon" under that subkey.
- If the subkey does not exist, the DLL opens Internet Explorer to a certain Web site advertising unwanted software such as SpyLocked or SpySheriff.
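The following PowerShell script is an added example, not part of this write-up and not Microsoft's code. It turns the artifacts described above (the SharedTaskScheduler and CLSID\InProcServer32 persistence entries, the Uninstall subkeys the trojan writes or looks for, the av*.exe staging files in the temporary folders, and the rundll32 command line) into read-only checks on a single Windows host. The key and value names are taken from the text; two things are assumptions: that the dropped DLL name is seven lowercase letters, generalised from the three sample names listed, and that a DLL in the system folder without a valid Authenticode or catalog signature is worth reporting.

```powershell
# Added example (not from the write-up): read-only triage of one host for the Renos.B
# artifacts described above. Run from an elevated PowerShell session.
# Assumptions: dropped DLL name = seven lowercase letters (generalised from the samples);
# an unsigned DLL in System32 registered as a COM server is suspicious.

$findings  = [System.Collections.Generic.List[string]]::new()
$system32  = Join-Path $env:SystemRoot 'System32'
$randomDll = '^[a-z]{7}\.dll$'
$guidRx    = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'

function Test-ClsidServer {
    # Resolve a CLSID to its InProcServer32 DLL and flag the Renos pattern:
    # a randomly named or unsigned DLL in System32 registered as an in-process server.
    param([string]$Clsid, [string]$Origin)
    $server = Get-ItemProperty -Path "HKLM:\Software\Classes\CLSID\$Clsid\InProcServer32" -ErrorAction SilentlyContinue
    if (-not $server -or -not $server.'(default)') { return }
    $dll = [Environment]::ExpandEnvironmentVariables([string]$server.'(default)').Trim('"')
    if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $system32 $dll }   # bare names load from System32
    $name   = [IO.Path]::GetFileName($dll)
    $inSys  = $dll.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
    $signed = (Test-Path -LiteralPath $dll) -and ((Get-AuthenticodeSignature -FilePath $dll).Status -eq 'Valid')
    if ($inSys -and (($name -match $randomDll) -or -not $signed)) {
        $findings.Add("$Origin -> CLSID $Clsid -> $dll (signed=$signed, ThreadingModel=$($server.ThreadingModel))")
    }
}

# 1. Persistence: every CLSID under SharedTaskScheduler is loaded by Explorer at logon.
#    Check value names and data directly under the key, the GUID-named subkey layout the
#    write-up describes, and the literal value name "eitheror".
$sts = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
if (Test-Path $sts) {
    $top = Get-ItemProperty -Path $sts
    foreach ($p in $top.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                     # provider metadata, not registry values
        if ($p.Name -eq 'eitheror') { $findings.Add("SharedTaskScheduler value 'eitheror' present (data: $($p.Value))") }
        foreach ($candidate in @($p.Name, [string]$p.Value)) {
            if ($candidate -match $guidRx) { Test-ClsidServer -Clsid $Matches[0] -Origin "SharedTaskScheduler value '$($p.Name)'" }
        }
    }
    foreach ($sub in Get-ChildItem -Path $sts) {
        if ($sub.PSChildName -match $guidRx) { Test-ClsidServer -Clsid $Matches[0] -Origin "SharedTaskScheduler subkey $($sub.PSChildName)" }
        if ($sub.GetValueNames() -contains 'eitheror') {
            $findings.Add("SharedTaskScheduler\$($sub.PSChildName) has value 'eitheror' = $($sub.GetValue('eitheror'))")
        }
    }
}

# 2. The Uninstall entries the trojan writes (SystemAlert Popup) or looks for (SpyDawn,
#    SpywareLocked), including the DisplayIcon path the DLL executes on click.
#    The WOW6432Node view covers a 32-bit installer on 64-bit Windows.
$uninstallRoots = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
                    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
foreach ($root in $uninstallRoots) {
    foreach ($name in 'SystemAlert Popup', 'SpyDawn', 'SpywareLocked') {
        $key = Get-ItemProperty -Path (Join-Path $root $name) -ErrorAction SilentlyContinue
        if ($key) {
            $findings.Add("$root\$name present: DisplayName='$($key.DisplayName)' UninstallString='$($key.UninstallString)' DisplayIcon='$($key.DisplayIcon)'")
        }
    }
}

# 3. Download staging: av*.exe self-extracting archives in either temporary folder.
foreach ($dir in @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))) {
    Get-ChildItem -Path $dir -Filter 'av*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add("Staged payload: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))")
    }
}

# 4. Live execution: rundll32 hosting a seven-letter DLL from System32, as in the command shown above.
Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
    if ($_.CommandLine -match '(?i)\\system32\\[a-z]{7}\.dll\s*,') {
        $findings.Add("rundll32 PID $($_.ProcessId) loading random-named DLL: $($_.CommandLine)")
    }
}

if ($findings.Count -eq 0) { 'No Renos.B indicators found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The script only reads; remediation (deleting the SharedTaskScheduler entry, the CLSID subkey, the Uninstall subkey and the DLL, after killing the rundll32 instance) is deliberately left to the analyst. On 64-bit Windows a 32-bit COM server also registers under HKLM\Software\Classes\WOW6432Node\CLSID, so extend the CLSID lookup to that view if the SharedTaskScheduler entry resolves to nothing in the native view. The signature heuristic will also flag legitimate third-party shell extensions that are unsigned, so treat a hit as a lead to verify against the DLL's export table (the write-up's sample export is named "windows") rather than as a verdict.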
Prevention