
TrojanDownloader:Win32/Renos.BAO


First posted on 01 May 2009.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Renos.BAO is also known as Win-Trojan/Fraudlo.546304 (AhnLab), not-a-virus:FraudTool.Win32.AntivirusPlus.am (Kaspersky), W32/FakeAV.HSY (Norman), Mal/FakeAV-AA (Sophos), Win32/Adware.AntivirusPlus (ESET).

Explanation :

TrojanDownloader:Win32/Renos.BAO is a trojan that can download and execute arbitrary files. It has been observed in the wild downloading rogue security software such as members of the Trojan:Win32/FakePlus and Win32/Paduds families.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    %windir%\system\rundll32.exe
    <system folder>\internetexplorer.dll
    %program_files%\antivirus plus\AntivirusPlus.exe
    %windir%\system\dop.exe
  • The display of the following messages:

Installation
When executed, TrojanDownloader:Win32/Renos.BAO displays a dialog for a short period of time, and then proceeds to download and execute files. Please see below for examples of the dialog that may be displayed:

Payload
Downloads and Executes Arbitrary Files
Win32/Renos.BAO connects to a remote host to download and execute files. In the wild, Win32/Renos.BAO has been observed contacting the following domains in order to download files:
  • myantivirusplus.com
  • plus-antivirus.com
  • antivirusplus2009.net
  • yourcountedantivirus.com

The downloaded files are saved to the following locations and executed:
  • %windir%\system\rundll32.exe
  • <system folder>\internetexplorer.dll
  • %program_files%\antivirus plus\AntivirusPlus.exe
  • %windir%\system\dop.exe

Modifies System Security Settings
Win32/Renos.BAO alters the Windows Firewall configuration to add "rundll32.exe" to the list of authorized applications, in order to avoid being filtered by the firewall.
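As an added defender-side check (not part of the original writeup), the following PowerShell script looks for the indicators described above: the dropped file paths, a firewall exception for rundll32.exe, and cached DNS lookups for the download domains. It assumes the legacy Windows Firewall (XP/2003) registry layout for the authorized-application list, treats <system folder> as %SystemRoot%\system32, and reads the DNS cache through ipconfig /displaydns.

```powershell
# Added example: host check for the Renos.BAO indicators listed in this writeup.
# Assumptions: legacy Windows Firewall stores its authorized-application list under
# FirewallPolicy\<profile>\AuthorizedApplications\List; <system folder> = %SystemRoot%\system32.
$findings = @()

# 1. Dropped files named in the writeup (%program_files% maps to $env:ProgramFiles).
$paths = @(
    (Join-Path $env:windir 'system\rundll32.exe'),
    (Join-Path $env:SystemRoot 'system32\internetexplorer.dll'),
    (Join-Path $env:ProgramFiles 'antivirus plus\AntivirusPlus.exe'),
    (Join-Path $env:windir 'system\dop.exe')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. Firewall authorized-application list: rundll32.exe has no business being whitelisted
#    as a standalone program, so any such entry is worth investigating.
foreach ($prof in 'DomainProfile', 'StandardProfile') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$prof\AuthorizedApplications\List"
    if (Test-Path $key) {
        $list = Get-ItemProperty -Path $key
        # Value names are the program paths; skip the PS* metadata properties PowerShell adds.
        $names = $list.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | Select-Object -ExpandProperty Name
        foreach ($name in $names) {
            if ($name -match 'rundll32\.exe') {
                $findings += "Firewall exception for rundll32.exe ($prof): $name = $($list.$name)"
            }
        }
    }
}

# 3. DNS client cache entries for the download domains observed in the wild.
$domains = 'myantivirusplus.com', 'plus-antivirus.com', 'antivirusplus2009.net', 'yourcountedantivirus.com'
$dnsCache = (ipconfig /displaydns) -join "`n"
foreach ($d in $domains) {
    if ($dnsCache -match [regex]::Escape($d)) { $findings += "DNS cache entry for $d" }
}

if ($findings.Count -eq 0) { 'No Renos.BAO indicators found.' } else { $findings }
```

Run it from an elevated prompt so the firewall policy keys are readable; on Vista and later the firewall keeps per-rule entries elsewhere, so the registry check above covers only the legacy list.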

Analysis by Ray Roberts

Last update 01 May 2009
