Worm:Win32/Renocide.gen!C is the detection for a worm that spreads via removable drives and mapped network shares. It attempts to download additional files from a remote server.
Installation
Worm:Win32/Renocide.gen!C copies itself to the Windows system folder using a file name chosen to resemble a legitimate system file, such as the following:
- csrcs.exe - similar to the legitimate system file 'csrss.exe'
- ctfnom.exe - similar to the legitimate system file 'ctfmon.exe'
It then modifies the system registry so that its copy automatically runs every time Windows starts by creating or modifying entries in the following subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
For example:
Adds value: "csrcs"
With data: "<system folder>\csrcs.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Modifies value: "Shell"
From data: "explorer.exe"
To data: "explorer.exe csrcs.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
It also creates the following registry entry as part of its installation routine:
Adds value: "ilop"
With data: "1"
To subkey: HKLM\Software\Microsoft\DRM\amty
It drops a script file, which may be called 's.cmd' or 'suicide.bat'. This file attempts to delete the currently-running worm file once it has finished its malicious routine, and is detected as TrojanDropper:AutoIT/Agent.A!bat.
Spreads via...
Removable and mapped drives
Worm:Win32/Renocide.gen!C attempts to spread by dropping a copy of itself to removable drives and mapped network shares. The file names of the dropped copies may vary. It also drops a file named 'autorun.inf' that is designed to automatically run its copy from the drive when the drive is accessed and AutoRun is enabled.
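The following PowerShell is an added example and is not part of the original write-up. Because the dropped copy's file name varies, it does not search for fixed names; instead it reads the autorun.inf on every removable drive and mapped network share and reports which program each launch entry (open, shellexecute, shell\...\command) would start, whether the autorun.inf is hidden, and whether the referenced program is actually present on the drive. The function name and output fields are this example's own choices.

```powershell
# Added example, not from the original write-up: list autorun.inf launch
# entries on removable drives and mapped network shares. The worm's dropped
# file names vary, so this inspects what autorun.inf would launch rather
# than looking for particular names.

function Get-AutorunLaunchEntries {
    param(
        # Win32_LogicalDisk DriveType: 2 = removable disk, 4 = network drive
        [int[]] $DriveTypes = @(2, 4)
    )

    $drives = Get-CimInstance -ClassName Win32_LogicalDisk |
        Where-Object { $DriveTypes -contains $_.DriveType }

    foreach ($drive in $drives) {
        $infPath = Join-Path $drive.DeviceID 'autorun.inf'
        if (-not (Test-Path -LiteralPath $infPath)) { continue }
        # -Force is needed because the dropped autorun.inf is usually hidden
        $inf = Get-Item -LiteralPath $infPath -Force

        # [autorun] keys that cause a program to run when the drive is opened
        $launchLines = Get-Content -LiteralPath $infPath -Force |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=' }

        foreach ($line in $launchLines) {
            $value   = ($line -split '=', 2)[1].Trim()
            # First token is the program; strip quotes and resolve it relative to the drive root
            $program = ($value -split '\s+')[0].Trim('"')
            $target  = Join-Path $drive.DeviceID $program

            [pscustomobject]@{
                Drive        = $drive.DeviceID
                InfHidden    = [bool]($inf.Attributes -band [IO.FileAttributes]::Hidden)
                Entry        = $line.Trim()
                Target       = $target
                TargetExists = Test-Path -LiteralPath $target
            }
        }
    }
}

Get-AutorunLaunchEntries | Format-Table -AutoSize
```

A hidden autorun.inf whose launch entry points at an executable sitting in the drive root is the pattern described above. Reading the file is safe; the copy is only executed if the drive is opened in Explorer on a system where AutoRun is still enabled, so triage a suspect drive from a host with AutoRun disabled.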
Payload
Modifies system settings
Worm:Win32/Renocide.gen!C changes how Windows Explorer displays hidden files:
Adds value: "Hidden"
With data: "2"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: "CheckedValue"
With data: "1"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
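The following PowerShell is an added example and is not part of the original write-up. It checks a host for the artifacts listed in the Installation section and the hidden-file settings listed just above: the Winlogon Shell value, every value under the two autostart subkeys, the DRM\amty\ilop marker, the example file names in the system folder, and the two Explorer view settings. The key and value names come from the write-up; csrcs.exe and ctfnom.exe are only its examples, so the Shell and autostart checks do not depend on them. The function name and output fields are this example's own choices.

```powershell
# Added example, not from the original write-up: report the registry and
# file artifacts the write-up lists. Run in an elevated PowerShell so the
# HKLM keys are readable.

function Get-RenocideIndicators {
    # 1. Winlogon Shell: the worm appends its file name ("explorer.exe csrcs.exe").
    #    Anything other than exactly "explorer.exe" deserves review.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        [pscustomobject]@{ Check = 'Winlogon Shell modified'; Location = "$winlogon\Shell"; Value = $shell }
    }

    # 2. Autostart subkeys the worm writes to: every value present is reported for review
    $autostartKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
    )
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notin $providerProps) {
                [pscustomobject]@{ Check = 'Autostart entry'; Location = "$key\$($p.Name)"; Value = $p.Value }
            }
        }
    }

    # 3. Installation marker the worm creates
    $amty = 'HKLM:\SOFTWARE\Microsoft\DRM\amty'
    if (Test-Path -Path $amty) {
        $ilop = (Get-ItemProperty -Path $amty -Name ilop -ErrorAction SilentlyContinue).ilop
        [pscustomobject]@{ Check = 'DRM\amty marker present'; Location = "$amty\ilop"; Value = $ilop }
    }

    # 4. The write-up's example look-alike file names in the system folder
    foreach ($name in 'csrcs.exe', 'ctfnom.exe') {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (Test-Path -LiteralPath $path) {
            $file = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{ Check = 'Look-alike file name'; Location = $path; Value = "$($file.Length) bytes" }
        }
    }

    # 5. Explorer hidden-file view settings the worm changes, reported for context
    $adv     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    $hidden  = (Get-ItemProperty -Path $adv -Name Hidden -ErrorAction SilentlyContinue).Hidden
    $checked = (Get-ItemProperty -Path $showall -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
    [pscustomobject]@{ Check = 'Explorer hidden-file setting'; Location = "$adv\Hidden"; Value = $hidden }
    [pscustomobject]@{ Check = 'Explorer SHOWALL setting'; Location = "$showall\CheckedValue"; Value = $checked }
}

Get-RenocideIndicators | Format-Table -AutoSize
```

Treat the Winlogon Shell modification, the DRM\amty marker and unexpected autostart values as the actionable findings. The two view settings are reported only for context: Hidden = 2 ("Do not show hidden files") and SHOWALL\CheckedValue = 1 are also the Windows defaults, so on their own they do not indicate infection; they matter because they keep the dropped copies out of sight while the persistence entries run them.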
Downloads files
Worm:Win32/Renocide.gen!C attempts to download files from remote servers. The servers it attempts to connect to may vary. The downloaded files may contain additional malicious routines for this worm to conduct on the infected system.
Analysis by Huzefa Mogri