TrojanDownloader:Win32/Renos.EN is a trojan that connects to certain websites in order to download other malware. This may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA.
Installation
When executed, TrojanDownloader:Win32/Renos.EN runs from its original location, and creates a registry entry to ensure that it runs on system startup:
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: MSFox
With data: <full pathname of malware>
It also creates a number of registry entries similar to the following example:
Under key: HKLM\Software\Mozilla\MSFox
Adds values: Str<digit>
With data: <base64 encoded string> (for example, "zbZdFr5/CbjyPkNQIrNnqAuuDXWXEv+yhwYIMvYIWoHwgiUTaU8Jbx==")
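The two registry artifacts above (the MSFox value under the Run key and the Str<digit> base64 values under HKLM\Software\Mozilla\MSFox) are the easiest thing for a responder to sweep for. The following is an added example, not code from the original description: it parses a .reg export (as produced by `reg export`) offline and reports values that match those indicators. The sample export, the executable path under the Run value and the OneDrive entry are constructed for illustration; the Str0 data is the example string from the description.

```python
"""Hunt for TrojanDownloader:Win32/Renos.EN persistence artifacts in a .reg export.

Added example, not part of the original description. Assumes the analyst has
exported the HKCU and HKLM hives with `reg export` and is reading the text offline.
"""
import base64
import binascii
import re

# Indicators from the description. .reg exports spell the hives out in full
# (HKEY_CURRENT_USER rather than HKCU), so the constants use that form.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "MSFox"
CONFIG_KEY = r"HKEY_LOCAL_MACHINE\Software\Mozilla\MSFox"
STR_VALUE_RE = re.compile(r"^Str\d+$")

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse the subset of the .reg format needed here: [key] headers and
    "name"="string" values. Returns {key: {value_name: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg string data escapes quotes and backslashes
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1)] = data
    return keys


def looks_like_base64(s):
    """True if s is well-formed base64 (the shape of the Str<digit> data)."""
    if len(s) % 4 != 0 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return False
    try:
        base64.b64decode(s)
        return True
    except (binascii.Error, ValueError):
        return False


def find_renos_indicators(reg_text):
    """Return a list of (key, value_name, data) matching the Renos.EN artifacts."""
    keys = parse_reg_export(reg_text)
    hits = []
    for key, values in keys.items():
        k = key.lower()
        if k == RUN_KEY.lower() and RUN_VALUE in values:
            hits.append((key, RUN_VALUE, values[RUN_VALUE]))
        elif k == CONFIG_KEY.lower():
            for name, data in values.items():
                if STR_VALUE_RE.match(name) and looks_like_base64(data):
                    hits.append((key, name, data))
    return hits


# Constructed sample export: a benign Run entry, the MSFox entry with a
# made-up path, one Str value carrying the description's example data and one
# that is not base64 and should be ignored.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"MSFox"="C:\\Users\\alice\\AppData\\Local\\Temp\\msfox.exe"

[HKEY_LOCAL_MACHINE\Software\Mozilla\MSFox]
"Str0"="zbZdFr5/CbjyPkNQIrNnqAuuDXWXEv+yhwYIMvYIWoHwgiUTaU8Jbx=="
"Str1"="not base64 at all!"
'''

if __name__ == "__main__":
    for key, name, data in find_renos_indicators(SAMPLE_REG):
        print(f"{key}\\{name} = {data}")
```

The Str<digit> check is deliberately loose (well-formed base64 under the named key) because the description gives only the shape of the data, not its content; the Run value name alone is the higher-confidence indicator.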
Payload
Downloads and Executes Arbitrary Malware
Once installed, the trojan may connect to one of a number of servers, from which it may download and execute other malware. This may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA.
These servers may include the following:
- image-big-library.com
- pictures-library.com
- images-library.com
- bigimagecatalogue.com
- picturesbase.com
- pictures-base.com
- 192.236.93.122
- 25.26.55.250
- 92.205.167.161
With some of these servers, it may post some system information to the server before downloading the malware, while with others it simply downloads the malware without posting any information.
The downloaded malware is generally saved to the %temp% directory, using filenames such as ~tmpa.exe.
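The server list above is the network side of the same detection problem. The following added example, not part of the original description, matches the destination of proxy log lines against the listed domains (including their subdomains) and IP addresses, and records whether the request was a POST, which corresponds to the variants that post system information before downloading. The log format is a constructed, simplified Squid-style line (epoch, client IP, method, URL, status) and every line in the sample is made up; only the hosts and addresses come from the description.

```python
"""Match proxy log lines against the Renos.EN download servers.

Added example, not part of the original description. Log format assumed here:
  <epoch> <client_ip> <method> <url> <status>
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Hosts and addresses named in the description as download servers.
RENOS_DOMAINS = {
    "image-big-library.com", "pictures-library.com", "images-library.com",
    "bigimagecatalogue.com", "picturesbase.com", "pictures-base.com",
}
RENOS_IPS = {ipaddress.ip_address(a) for a in
             ("192.236.93.122", "25.26.55.250", "92.205.167.161")}

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")


def host_matches(host):
    """True if host is one of the listed IPs, or one of the listed domains
    or a subdomain of one (a look-alike such as notpicturesbase.com does not match)."""
    host = host.lower().rstrip(".")
    try:
        return ipaddress.ip_address(host) in RENOS_IPS
    except ValueError:
        pass  # not an IP literal; fall through to the domain check
    return any(host == d or host.endswith("." + d) for d in RENOS_DOMAINS)


def scan_proxy_log(lines):
    """Return one dict per request to a listed server, noting POST vs GET."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, method, url, _status = m.groups()
        host = urlsplit(url).hostname or ""
        if host_matches(host):
            hits.append({"client": client, "method": method, "host": host,
                         "posted_data": method == "POST", "url": url})
    return hits


def affected_clients(hits):
    """Sorted list of internal clients that contacted a listed server."""
    return sorted({h["client"] for h in hits})


# Constructed sample log: one benign request, a POST followed by a GET to a
# listed domain, a GET to a listed IP, and a look-alike domain as a control.
SAMPLE_LOG = """\
1231234567 10.0.0.15 GET http://www.example.com/index.html 200
1231234590 10.0.0.15 POST http://pictures-library.com/cgi-bin/in.php 200
1231234591 10.0.0.15 GET http://pictures-library.com/download 200
1231234700 10.0.0.22 GET http://192.236.93.122/get.php?id=7 200
1231234800 10.0.0.22 GET http://notpicturesbase.com/ 200
""".splitlines()

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['client']} {h['method']:4} {h['host']} posted_data={h['posted_data']}")
    print("clients to triage:", affected_clients(found))
```

Clients that appear in the output are candidates for the registry sweep described under Installation; a POST hit additionally means host information may have left the network.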
The following example shows one variant of the malware downloading another Win32/Renos component, which at the time of publication led to the downloading and installation of Trojan:Win32/FakeXPA. Note that malware from different rogue antivirus families (such as Trojan:Win32/FakeSecSen) may be downloaded by different TrojanDownloader:Win32/Renos.EN variants, or at different times. The method by which the malware is installed may also differ.
Example Downloading Payload Scenario
The malware first downloads a further TrojanDownloader:Win32/Renos component, which places an icon in the system tray. This component will not run unless the original malware is also present. It periodically displays a balloon indicating a security problem:
If this balloon is ignored, the following message is eventually displayed:
Should the user click the balloon or the Yes button of the dialogue box, a number of web pages are downloaded, which display a few more dialogue boxes before simulating a web-based antivirus scanner in the user's browser.
The browser may appear similar to that shown in the example below during the simulated scanning process. Regardless of whether there is any other malware on the system, it will report a number of possible threats.
Once the scanning process has finished, a page is displayed that may appear similar to the following example:
Regardless of whether the user clicks the "Remove All" or "Ignore" buttons, the malware downloads and installs Trojan:Win32/FakeXPA. If the user attempts to dismiss the window using the red X, the following dialogue boxes are displayed before the malware is downloaded:
The rogue antivirus software is then launched. For more details, please see the Trojan:Win32/FakeXPA description.
Analysis by David Wood