Worm:Win32/Renocide.T is a detection for a worm that spreads itself to removable drives and network shares; it also downloads additional files from a remote server.
Installation
Worm:Win32/Renocide.T copies itself as csrcs.exe (with the 'hidden', 'system' and 'read-only' attributes set) under <system folder>, and modifies the following registry entries so that the copied file runs at Windows startup:
Adds value: "csrcs"
With data: "<system folder>\csrcs.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Adds value: "Shell"
With data: "explorer.exe csrcs.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
Worm:Win32/Renocide.T drops a batch file as sucide.bat under the %TEMP% folder and launches it; the batch file deletes the originally executed copy of Worm:Win32/Renocide.T once that process exits.
Note: %TEMP% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Temp folder for Windows 2000 and NT is C:\DOCUME~1\<user>\LOCALS~1\Temp; and for XP, Vista, and 7 is C:\Users\<user name>\AppData\Local\Temp.
Worm:Win32/Renocide.T modifies the following registry entries so that the hidden copy of the file remains invisible in Windows Explorer:
Adds value: "Hidden"
With data: "2"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: "CheckedValue"
With data: "1"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Spreads via…
Removable drives
Worm:Win32/Renocide.T spreads itself by copying autorun.inf and itself into the root of removable drives and network shares; the dropped executable file name is random, for example, hzjygo.exe.
Worm:Win32/Renocide.T drops an obfuscated autorun.inf file under <system folder> which will be copied to the root of removable drives and network shares when the worm spreads itself.
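As an added example that is not part of this encyclopedia entry, the following PowerShell script checks a host for the installation and spread indicators listed above (the two startup registry values, csrcs.exe and autorun.inf under the system folder, and autorun.inf in the root of removable drives). It assumes the system folder is $env:SystemRoot\System32 and only reads and reports; it changes nothing.

```powershell
# Added example, not part of the Microsoft encyclopedia entry: read-only check for the
# Renocide.T installation and spread indicators described above. Run elevated.
$findings = @()

# Run value "csrcs" under the policies\Explorer\Run subkey (startup persistence).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$run = Get-ItemProperty -Path $runKey -Name 'csrcs' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value 'csrcs' = $($run.csrcs)" }

# Winlogon Shell is normally exactly "explorer.exe"; the worm appends "csrcs.exe".
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name 'Shell' -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') { $findings += "Winlogon Shell = '$shell'" }

# Dropped files under the system folder (assumed to be %SystemRoot%\System32):
# csrcs.exe (hidden/system/read-only) and the obfuscated autorun.inf.
$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($name in 'csrcs.exe', 'autorun.inf') {
    $path = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $path) {
        # -Force is needed so Get-Item returns hidden/system files.
        $attrs = (Get-Item -LiteralPath $path -Force).Attributes
        $findings += "File present: $path (attributes: $attrs)"
    }
}

# autorun.inf in the root of removable drives (DriveType 2), the spread vector.
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $inf = Join-Path $disk.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) { $findings += "autorun.inf on removable drive $($disk.DeviceID)" }
}

# Explorer 'Hidden' = 2 is also the Windows default, so report it as context only
# when another indicator has already matched.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hidden = (Get-ItemProperty -Path $adv -Name 'Hidden' -ErrorAction SilentlyContinue).Hidden
if ($findings.Count -gt 0 -and $hidden -eq 2) { $findings += 'Explorer Advanced\Hidden = 2 (hidden files not shown)' }

if ($findings.Count -eq 0) {
    Write-Output 'No Renocide.T indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A Winlogon Shell value other than plain "explorer.exe" is worth investigating even when the appended file is not csrcs.exe, since the same persistence technique is shared by other malware families.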
Payload
Connects to remote server
Worm:Win32/Renocide.T tries to connect to www.whatismyop.com to get the affected computer's IP address.
Worm:Win32/Renocide.T tries to connect to a remote server to report the infection and download additional files. One observed example is mouni.orz.hm (the page it tried to access was not available at the time of analysis).
Analysis by Shawn Wang