TrojanDownloader:Win32/Renos.CO is a variant of Win32/Renos, a family of trojan downloaders that automatically download unwanted software such as SpySheriff, SpyAxe, SpyFalcon, SpyDawn, SpywareStrike, and other similarly named programs. These programs typically present erroneous warnings claiming the system is infected with spyware and offer to remove the alleged spyware for a fee. In some cases, the programs may also cause system instability.
Installation
When TrojanDownloader:Win32/Renos.CO is executed, it drops its DLL component "ofcpi.dll" to the Windows system folder. It then makes a number of registry modifications in order to load the DLL: the CLSID entry registers it as a COM in-process server, and listing that CLSID under SharedTaskScheduler causes Explorer to load it at startup, which is how the trojan persists across reboots.
Adds value: (default)
With data: "<system folder>\ofcpi.dll"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7265100a-17e1-41bf-bd08-63b95a25a9c3}\InProcServer32

Adds value: {7265100a-17e1-41bf-bd08-63b95a25a9c3}
With data: "cured"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

Adds value: "Windows Safety Alert"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

Adds value: "DisplayName"
With data: "windows safety alert"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert\
Lastly, the malware loads the dropped DLL by running the following command:
rundll32.exe <system folder>\ofcpi.dll,windows
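The registry artifacts listed above are the most durable indicators of this installation, so an added example (not part of the original write-up) shows how a responder could scan an exported registry hive for them offline. It parses the subset of .reg syntax that `reg export` produces for string values and flags the InProcServer32, SharedTaskScheduler and Uninstall entries; the sample export and the benign placeholder CLSID in it are constructed for the example.

```python
import re
from typing import Dict, List
# Indicators as listed in the write-up: CLSID, dropped DLL name and the registry keys it touches.
RENOS_CLSID = "{7265100a-17e1-41bf-bd08-63b95a25a9c3}"
RENOS_DLL = "ofcpi.dll"
INPROC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7265100a-17e1-41bf-bd08-63b95a25a9c3}\InProcServer32"
STS_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert"

# Constructed sample .reg export (not a capture from a real machine); the benign CLSID is a placeholder.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7265100a-17e1-41bf-bd08-63b95a25a9c3}\InProcServer32]
@="C:\\WINDOWS\\system32\\ofcpi.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{00000000-0000-0000-0000-000000000001}"="benign placeholder entry"
"{7265100a-17e1-41bf-bd08-63b95a25a9c3}"="cured"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert]
"DisplayName"="windows safety alert"
"""

# Matches "name"="data" and @="data" (default value) lines of a .reg file.
VALUE_RE = re.compile(r'^(@|"(?P<name>[^"]*)")=(?:"(?P<data>[^"]*)"|(?P<raw>.*))$')

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] sections and their values; names are lower-cased because the registry is case-insensitive."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(default)" if m.group(1) == "@" else m.group("name")
            keys[current][name.lower()] = m.group("data") if m.group("data") is not None else m.group("raw")
    return keys

def find_renos_co_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Describe each Renos.CO persistence artifact present in the parsed export."""
    hits = []
    if RENOS_DLL in keys.get(INPROC_KEY.lower(), {}).get("(default)", "").lower():
        hits.append("InProcServer32 of %s points at %s" % (RENOS_CLSID, RENOS_DLL))
    if RENOS_CLSID in keys.get(STS_KEY.lower(), {}):
        hits.append("SharedTaskScheduler loads %s when Explorer starts" % RENOS_CLSID)
    if keys.get(UNINSTALL_KEY.lower(), {}).get("displayname", "").lower() == "windows safety alert":
        hits.append("Uninstall entry for 'Windows Safety Alert' is present")
    return hits
```

Running `find_renos_co_indicators(parse_reg_export(open("export.reg", encoding="utf-16").read()))` on a real `reg export HKLM` file reports the three artifacts; a single SharedTaskScheduler hit alone is still worth investigating, since the CLSID is loaded into every Explorer process.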
Payload
Downloads unwanted software
Win32/Renos.CO may attempt to connect to a Web site named 'amigobore.com' and download and install a rogue security program named "VirusProtect". The retrieved file may be named 'br1.exe' or 'vrp_setup.exe', and is downloaded from the domain dl1.virprotect.com.
Additional Information
Win32/Renos.CO may display deceptive and false alerts that claim that the computer is infected. The warning encourages the user to download certain software that allegedly provides malware or spyware protection. This trojan may also drop a file "br1.exe" or "vrp_setup.exe" into the %Temp% folder prior to running it. After the dropped file is executed, it may result in an icon appearing in the system tray, similar to the one shown below.