Threat behavior
TrojanDownloader:Win32/Renos.C has two components: an installation program and a DLL. The installation program contains the code for the DLL module. When the installation program runs, it checks for the presence of a certain DLL in the Windows system folder. If the DLL is already present in the Windows system folder, the installation program terminates. Otherwise, the installation program takes the following actions:
Drops its DLL code to the Windows system folder. The dropped DLL may have a name such as:
higehsg.dll
nbbrhbd.dll
tahxqcj.dll
Note: The default location of the Windows system folder is C:\Windows\System32 on Windows XP/Server 2003/Vista and C:\Winnt\System32 on Windows NT/2000.
Modifies the registry as follows:
Creates value name: eitheror
with data: <GUID such as "{2016a466-91A2-43C6-97D8-2FD380F065EF}">
in registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\<GUID such as "{2016a466-91A2-43C6-97D8-2FD380F065EF}">
Sets value name: default
with data: <path to dropped DLL>
and sets value name: ThreadingModel
with data: Apartment
in registry subkey:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\<CLSID such as "{2016a466-91A2-43C6-97D8-2FD380F065EF}">\InProcServer32
Sets value name: DisplayName
with data: System Alert Popup
and sets value name: UninstallString
with data: <path to TrojanDownloader:Win32/Renos.C installation program>
in registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SystemAlert Popup
Executes the dropped DLL by running the following command:
rundll32.exe <path to dropped DLL>, <name of function exported by DLL>
For example, it might run a command such as the following:
rundll32.exe C:\Windows\System32\higehsg.dll, windows
(In the preceding example, "windows" is the name of a function that is exported by the DLL.)
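The persistence pattern above (a SharedTaskScheduler entry whose CLSID resolves through InProcServer32 to a randomly named DLL in the system folder, a rogue Uninstall entry, and execution via rundll32.exe) is something an analyst can audit offline from a registry export and from process command lines. The following script is an added example written for this page, not code from Microsoft or from the threat; it parses .reg-style text, flags SharedTaskScheduler entries that match the indicators described here (the value name "eitheror", a seven-letter lowercase DLL name in System32, the "System Alert Popup" uninstall entry), and classifies rundll32 command lines the same way. The registry export, the benign comparison entry and the installer path in it are constructed sample data, and the seven-lowercase-letter heuristic is an assumption drawn from the three file names listed above.

```python
"""Audit a registry export and rundll32 command lines for the Renos.C
persistence pattern described on this page.

Added example for this page (not Microsoft's or the threat's code).
The sample export below is constructed; the seven-letter DLL-name
heuristic is an assumption based on the names higehsg/nbbrhbd/tahxqcj.
"""
import re
from pathlib import PureWindowsPath

SHARED_TASK_SCHEDULER = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows"
                         r"\CurrentVersion\Explorer\SharedTaskScheduler")
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID"
UNINSTALL_ROOT = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows"
                  r"\CurrentVersion\Uninstall")

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RANDOM_NAME_RE = re.compile(r"^[a-z]{7}\.dll$")   # assumption: higehsg.dll etc.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\S+)', re.I)

# Constructed sample export: one benign-looking entry (placeholder GUID) and
# the Renos.C layout from this page, with a placeholder installer path.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
; constructed sample, not a real capture
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{11111111-2222-3333-4444-555555555555}"="Constructed benign entry"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Windows\\System32\\browseui.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{2016a466-91A2-43C6-97D8-2FD380F065EF}]
"eitheror"="{2016a466-91A2-43C6-97D8-2FD380F065EF}"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2016a466-91A2-43C6-97D8-2FD380F065EF}\InProcServer32]
@="C:\\Windows\\System32\\higehsg.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SystemAlert Popup]
"DisplayName"="System Alert Popup"
"UninstallString"="C:\\Windows\\Temp\\setup.exe"
'''


def parse_reg(text):
    """Parse .reg-style text into {key_path: {value_name: data}}.
    Only quoted (REG_SZ) data is unescaped; the default value is '(default)'."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        reg[current][name] = data
    return reg


def _get(reg, key):
    """Case-insensitive key lookup (registry paths are case-insensitive)."""
    key = key.lower()
    return next((v for k, v in reg.items() if k.lower() == key), None)


def _suspicious_dll(path):
    """True for a seven-lowercase-letter .dll living directly in System32."""
    p = PureWindowsPath(path)
    return p.parent.name.lower() == "system32" and bool(RANDOM_NAME_RE.match(p.name.lower()))


def audit_shared_task_scheduler(reg):
    """One finding per GUID referenced under SharedTaskScheduler; an empty
    'reasons' list means nothing on this page's indicator list matched."""
    findings = []
    for key, values in reg.items():
        if not key.lower().startswith(SHARED_TASK_SCHEDULER.lower()):
            continue
        guids = set(GUID_RE.findall(key))           # GUID used as subkey name
        for name, data in values.items():           # or as value name / data
            guids.update(GUID_RE.findall(name) + GUID_RE.findall(data))
        for guid in sorted(guids):
            reasons = []
            if any(n.lower() == "eitheror" for n in values):
                reasons.append("value name 'eitheror' present")
            inproc = _get(reg, CLSID_ROOT + "\\" + guid + "\\InProcServer32") or {}
            dll = inproc.get("(default)", "")
            if not dll:
                reasons.append("CLSID has no InProcServer32 path")
            elif _suspicious_dll(dll):
                reasons.append("random-looking DLL name in System32")
            findings.append({"key": key, "guid": guid, "dll": dll, "reasons": reasons})
    return findings


def find_fake_uninstall_entries(reg, display_name="System Alert Popup"):
    """Uninstall entries whose DisplayName is the rogue 'System Alert Popup'."""
    prefix = UNINSTALL_ROOT.lower() + "\\"
    return [{"key": k, "uninstall_string": v.get("UninstallString", "")}
            for k, v in reg.items()
            if k.lower().startswith(prefix)
            and v.get("DisplayName", "").lower() == display_name.lower()]


def assess_rundll32(cmdline):
    """Split a rundll32 command line into DLL and export; flag the DLL with
    the same heuristic used for the registry audit. None if not rundll32."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    dll, export = m.group(1).strip(), m.group(2)
    reasons = ["random-looking DLL name in System32"] if _suspicious_dll(dll) else []
    return {"dll": dll, "export": export, "reasons": reasons}


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for f in audit_shared_task_scheduler(reg):
        print("SharedTaskScheduler", f["guid"], f["dll"], f["reasons"] or "ok")
    for u in find_fake_uninstall_entries(reg):
        print("Uninstall", u["key"], "->", u["uninstall_string"])
    print(assess_rundll32(r"rundll32.exe C:\Windows\System32\higehsg.dll, windows"))
```

Running it against the constructed export reports the placeholder entry as clean, flags the {2016a466-...} entry for both the "eitheror" marker and the higehsg.dll name, lists the "System Alert Popup" uninstall key with its UninstallString, and classifies the rundll32 command line from the page the same way; on a live system the same functions can be fed the output of a reg.exe export and process command lines from event logs.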
When the DLL runs, it checks for the presence of unwanted software named SpyDawn by searching for registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn
If the subkey is present, the DLL may perform the following operations:
Download a new instance of SpyDawn from a specific Web site, saving the file to the Windows temporary folder or the current user's temporary folder. The DLL saves the file with a name that begins with "av", for example, av2.exe. The file is a self-extracting archive.
Silently run the downloaded file.
Delete the downloaded file after it runs successfully.
If the subkey is not present, the DLL may perform the following operations:
Download SpyDawn, SpySheriff, or other unwanted software from a certain Web site.
Display a message such as the following:
"System alert! System has detected a number of active spyware applications that may impact the performance of your computer. Click the icon to get rid of unwanted spyware by downloading an up-to-date antispyware solutions."
Display a blinking red icon in the system tray.
Install a browser helper object (BHO) in order to add a toolbar in Internet Explorer.
Check for the presence of the following registry subkey when the user clicks the alert message, toolbar, or red icon:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SpywareLocked
If the subkey exists, the DLL runs the file specified in the data in value name "DisplayIcon" under that subkey.
If the subkey does not exist, the DLL opens Internet Explorer to a certain Web site advertising unwanted software such as SpyLocked or SpySheriff.
Prevention