Skip to main content
Skip to main content
Microsoft Security Intelligence
Cart 0 items in shopping cart
Sign in
Published Mar 31, 2009 | Updated Sep 15, 2017

TrojanDownloader:Win32/Renos.HL

Detected by Microsoft Defender Antivirus

Aliases: Pro Antispyware 2009 (other) MS AntiSpyware 2009 (other) W32/DLoader.NYHM (Norman) Mal/FakeAV-AH (Sophos) Win32/Adware.MSAntispyware2009 (ESET) Downloader.MisleadApp (Symantec) Trojan.Fakeavalert (Symantec) Trojan-Downloader.Win32.FraudLoad.dzd (Kaspersky) Generic Downloader.x (McAfee)

Summary

Trojan:Win32/Renos.HL is an installer that connects to specified websites to download and install a fake antivirus scanner. This scanner is detected as Trojan:Win32/WinSpywareProtect.
 
Note  6th April 2009: We have received reports that TrojanDownloader:Win32/Renos.HL has been distributed attached to an email that masquerades as a message from Microsoft. The message reads as follows:
 
From: Microsoft Computer Safety Department
Subject (or similar): Microsoft Alert (Case#: wlTR6Zm)
 
Dear Windows User,
Starting April 1st, 2009 the "Comficker" virus began infecting Microsoft customers very quickly.
Microsoft was alerted by your Internet provider that your computer is showing signs of being infected.
To prevent further infection we recommend removing the infection using an antivirus program
We are giving all effected Microsoft customers a free antispyware scan in order to remove any infections from their system.
Please visit the Microsoft Windows System Security Scanner website by clicking here to start scanning your computer.
The process takes under a minute and will prevent your information from being stolen.
We appreciate your cooperation in this matter.
 
Regards
Microsoft Windows Representative #10(Willa)
Windows Net Security Division
Email Ref ID: g9BK0f
 
This email was not sent by Microsoft and is an attempt to use the current interest and concern over Win32/Conficker in order to persuade users to download and install arbitrary files of the attacker's choice - in this case, Trojan:Win32/Renos.HL and in turn Trojan:Win32/WinSpywareProtect.
Additional information on how to help verify the legitimacy of a Microsoft e-mail can be found here:
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Follow us