Worm:Win32/Renocide.gen!A is a detection for a worm that exhibits backdoor behavior and attempts to download additional files from remote servers. It spreads via removable drives and network shares.
Installation
Worm:Win32/Renocide.gen!A may drop the following files in the Windows system folder:
- <system folder>\csrcs.exe - copy of itself
- <system folder>\autorun.inf - initialization file used in its propagation routine (see below)
- <system folder>\cftmem.exe - also detected as Worm:Win32/Renocide.gen!A
- <system folder>\cftm.exe - also detected as Worm:Win32/Renocide.gen!A
- %TEMP%\suicide.bat - batch file designed to delete this worm's currently-running copy; detected as Trojan:BAT/Renocide.A
- %TEMP%\<random 7 letters> - encrypted configuration file also detected as Worm:Win32/Renocide.gen!A
- %SystemDrive%\khq
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default system folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
It modifies the system registry so that it automatically runs every time Windows starts:
Adds value: "csrcs"
With data: "<system folder>\csrcs.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Adds value: "Shell"
With data: "explorer.exe csrcs.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
It stores malware-specific settings under the following registry key:
HKLM\Software\Microsoft\DRM\amty
Spreads Via...
Removable Drives
Worm:Win32/Renocide.gen!A spreads by dropping copies of itself on all removable drives, possibly using a random file name. It also copies its dropped autorun.inf to each removable drive so that the dropped copy runs automatically when the drive is accessed, provided Autoplay is enabled.
Network Shares
Win32/Renocide.gen!A also spreads by scanning IP addresses based on the infected machine's IP address and looking for writable shares. It then drops a copy of itself as well as a copy of the autorun.inf file.
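As an added example (not part of the original description), the following Python triage routine reads an autorun.inf found at the root of a removable drive or network share and reports every launch directive (open=, shellexecute=, shell\<verb>\command=) that points at an executable sitting next to it, which is the propagation pattern described above. The autorun.inf text and the root directory listing are constructed samples; the file name xkqvpwr.exe is a made-up stand-in for the random name the worm may use, not an observed artifact.

```python
"""Triage an autorun.inf found at the root of a removable drive or network share.

Added example: flags launch directives that point at an executable sitting next to
the autorun.inf, the propagation pattern the description above attributes to the worm.
"""
from typing import Dict, List

# Directives that make Autoplay run a program.  shell\<verb>\command= is handled
# separately because the verb name varies.
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return {directive: value} for launch directives in the [autorun] section.

    Hand-written rather than configparser-based so that junk lines (a common
    obfuscation in malicious autorun.inf files) are skipped instead of raising.
    """
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            directives[key] = value.strip()
    return directives


def launch_target(command: str) -> str:
    """Extract the program name from a directive value, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        program = command.split()[0] if command else ""
    if program.startswith(".\\"):
        program = program[2:]
    return program.lower()


def triage_autorun(text: str, root_listing: List[str]) -> List[str]:
    """Return one finding per launch directive that targets an executable.

    root_listing is the list of file names at the drive or share root, supplied by
    the caller (here a constructed sample).
    """
    present = {name.lower() for name in root_listing}
    findings: List[str] = []
    for key, value in parse_autorun(text).items():
        target = launch_target(value)
        if target.endswith(EXEC_SUFFIXES):
            where = "present at root" if target in present else "not found at root"
            findings.append(f"{key}= launches {target} ({where})")
    return findings


# Constructed sample: the executable name is a placeholder for the random file
# name the worm may use, not an observed Renocide artifact.
SAMPLE_AUTORUN = r"""[autorun]
open=xkqvpwr.exe
shellexecute=xkqvpwr.exe
shell\open\command=xkqvpwr.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""
SAMPLE_ROOT = ["autorun.inf", "xkqvpwr.exe", "Report.docx"]

# A benign autorun.inf that only sets an icon and label produces no findings.
BENIGN_AUTORUN = "[AutoRun]\nlabel=Backup\nicon=backup.ico\n"

if __name__ == "__main__":
    for finding in triage_autorun(SAMPLE_AUTORUN, SAMPLE_ROOT):
        print(finding)
    print("benign:", triage_autorun(BENIGN_AUTORUN, ["backup.ico"]))
```

Because the executable name is not fixed, the check keys on the behaviour (an autorun.inf whose launch directives resolve to an executable at the same root) rather than on a file name, so it also covers copies dropped on writable network shares.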
Payload
Modifies System Settings
Worm:Win32/Renocide.gen!A performs the following system setting changes via the registry:
- Modifies how the system handles files with the Hidden attribute:
Adds value: "Hidden"
With data: "2"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: "CheckedValue"
With data: "1"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
- Attempts to bypass Windows Firewall:
Adds value: "<malware file name>"
With data: "<malware file name>:*:Enabled:Windows Life Messenger"
To subkey: HKLM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
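The persistence values listed under Installation and the setting changes above can be checked offline against a registry export. The following Python script is an added example, not part of the original description: it parses .reg text, normalizes hive names, and scores the Renocide-specific indicators (the csrcs Run value, the Winlogon Shell change, the "Windows Life Messenger" firewall exception and the DRM\amty key) higher than the Explorer Hidden and CheckedValue changes, which ordinary users also set. The export text is constructed; the firewall key is matched by its tail so that the full HKLM\SYSTEM\CurrentControlSet path found in real exports matches the abbreviated form listed above.

```python
"""Score a Windows registry export (.reg text) for the Renocide indicators above.

Added example; the exports below are constructed, not captures from an infected host.
"""
import re
from typing import Dict, List, Tuple

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# (key tail, value name or "*" for any value, required data substring or "" for
#  key presence only, weight, note).  Keys and data are compared in lower case;
# tails are matched with endswith so the description's abbreviated firewall path
# also matches the full HKLM\SYSTEM\CurrentControlSet\... path in a real export.
INDICATORS: List[Tuple[str, str, str, int, str]] = [
    (r"hklm\software\microsoft\windows\currentversion\policies\explorer\run",
     "csrcs", "csrcs.exe", 3, "autostart value 'csrcs' under policies\\Explorer\\Run"),
    (r"hklm\software\microsoft\windows nt\currentversion\winlogon",
     "shell", "csrcs.exe", 3, "Winlogon Shell extended with csrcs.exe"),
    (r"\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list",
     "*", "windows life messenger", 3, "firewall exception labelled 'Windows Life Messenger'"),
    (r"hklm\software\microsoft\drm\amty",
     "*", "", 3, "configuration key HKLM\\Software\\Microsoft\\DRM\\amty present"),
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced",
     "hidden", "2", 1, "Explorer Hidden=2 (weak: also an ordinary user setting)"),
    (r"hklm\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall",
     "checkedvalue", "1", 1, "SHOWALL CheckedValue=1 (weak)"),
]


def normalize_key(key: str) -> str:
    """Map long hive names to HKLM/HKCU and lower-case the whole path."""
    hive, _, rest = key.partition("\\")
    return (HIVE_ALIASES.get(hive.upper(), hive.upper()) + "\\" + rest).lower()


def decode_data(data: str) -> str:
    """Turn a .reg value literal ("..." or dword:hex) into a plain string."""
    data = data.strip()
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.lower().startswith("dword:"):
        return str(int(data[6:], 16))
    return data  # hex:/expand strings are left as written


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {normalized key: {value name: data}}; empty keys are kept."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = normalize_key(m.group(1))
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name.replace('\\\\', '\\')] = decode_data(m.group(2))
    return keys


def scan_registry(keys: Dict[str, Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Return (weight, note, key) for every indicator found in the parsed export."""
    hits: List[Tuple[int, str, str]] = []
    for key, values in keys.items():
        for tail, vname, needle, weight, note in INDICATORS:
            if not key.endswith(tail):
                continue
            if vname == "*":
                candidates = list(values.values()) if needle else [""]
            else:
                candidates = [d for n, d in values.items() if n.lower() == vname]
            for data in candidates:
                d = data.lower()
                # numeric needles must match exactly so "2" does not match "12"
                if needle == "" or (d == needle if needle.isdigit() else needle in d):
                    hits.append((weight, note, key))
                    break
    return hits


def renocide_score(reg_text: str) -> int:
    """Sum of indicator weights; anything above the weak indicators deserves a look."""
    return sum(weight for weight, _, _ in scan_registry(parse_reg_export(reg_text)))


# Constructed export resembling a host with the persistence and firewall changes.
SAMPLE_INFECTED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"csrcs"="C:\\Windows\\System32\\csrcs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe csrcs.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Windows\\System32\\csrcs.exe"="C:\\Windows\\System32\\csrcs.exe:*:Enabled:Windows Life Messenger"

[HKEY_LOCAL_MACHINE\Software\Microsoft\DRM\amty]
"""

# Constructed export from a clean host whose user simply hides hidden files.
SAMPLE_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"""

if __name__ == "__main__":
    for weight, note, key in scan_registry(parse_reg_export(SAMPLE_INFECTED)):
        print(f"[{weight}] {note}  ({key})")
    print("infected score:", renocide_score(SAMPLE_INFECTED))
    print("clean score:", renocide_score(SAMPLE_CLEAN))
```

The Winlogon check matches any Shell data containing csrcs.exe rather than the exact string "explorer.exe csrcs.exe", and the firewall check keys on the exception label because the value name is the variable malware file name.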
Terminates Security Process
Worm:Win32/Renocide.gen!A attempts to terminate the process TeaTime.exe, which belongs to the "Spybot - Search & Destroy" security application.
Downloads Arbitrary Files
Worm:Win32/Renocide.gen!A may download files from the following domains:
- sousi.extasix.com
- ZkArMy.dip.jp
- lemox.myhome.cx
Connects to Remote Server via IRC
Worm:Win32/Renocide.gen!A may connect to a specific remote server using IRC and act as a bot. It may receive and run commands from an attacker and download other files, which may be malware.
Attempts to Resolve External IP Address
Renocide.gen!A also attempts to get the external IP address of the infected machine by issuing requests to whatismyip.com and/or checkip.dyndns.org.
Analysis by Marian Radu