Threat behavior
TrojanDownloader:Win32/Renos.CJ is a variant of Win32/Renos, a family of trojan downloaders that automatically download unwanted software such as SpySheriff, SpyAxe, SpyFalcon, SpyDawn, SpywareStrike, and other similarly named programs. These programs typically present erroneous warnings claiming the system is infected with spyware and offer to remove the alleged spyware for a fee. In some cases, the programs may also cause system instability.
Installation
When executed, this trojan copies itself to the %Temp% directory with a randomly generated filename (for example, 105802.exe), and modifies the registry to run this copy at each Windows start.
It displays a message with the following text:
"Warning! Spyware activity detected!
The results of the scan show traces of potentially dangerous spyware activity at your PC. Download and install our software now to protect your personal data from being lost or stolen!"
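A triage check for the persistence pattern described under Installation, added here as an example and not part of the original write-up: it lists autorun values whose executable sits in a Temp directory. The write-up does not name the registry key the trojan modifies, so the standard Run and RunOnce keys are an assumption, and the function names are hypothetical.

```powershell
# Added example: flag autorun entries whose executable lives in a Temp directory.
# Assumption: the standard Run/RunOnce keys; the write-up does not name the key used.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExePath {
    param([string]$Command)
    # Expand %TEMP%-style variables, then take the quoted path or everything up to ".exe".
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-TempAutorun {
    param([string]$Command, [string[]]$TempRoots)
    $exe = Get-ExePath $Command
    foreach ($root in $TempRoots) {
        # Compare against "<root>\" so that a sibling such as "Temp2" does not match.
        if ($exe.StartsWith($root.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Per-user Temp and the system-wide Temp directory.
$tempRoots = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')) | Where-Object { $_ }

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        if (Test-TempAutorun -Command $command -TempRoots $tempRoots) {
            [pscustomobject]@{
                Key         = $key
                ValueName   = $name
                Command     = $command
                # An all-digit name such as 105802.exe matches the example in the write-up.
                NumericName = [IO.Path]::GetFileNameWithoutExtension((Get-ExePath $command)) -match '^\d+$'
            }
        }
    }
}
```

A hit is a lead for review, not a verdict, since legitimate installers also register RunOnce entries that point into Temp.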
Payload
Downloads and Executes Arbitrary Files
After displaying its fake spyware warning message, it connects to the domain 'malwarecrush.com' and attempts to download unwanted software.
Prevention