Home / malwarePDF  

TrojanDownloader:Win32/Renos.DZ


First posted on 04 February 2009.
Source: SecurityHome

Aliases :

There are no other names known for TrojanDownloader:Win32/Renos.DZ.

Explanation :

TrojanDownloader:Win32/Renos.DZ is a detection for a trojan that connects to certain websites and downloads other potentially unwanted software and malware, such as Trojan:Win32/FakeSecSen, Trojan:Win32/Bohmini, Trojan:Win32/FakeXPA and other Win32/Renos components.

Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine.

TrojanDownloader:Win32/Renos.DZ is a detection for a trojan that connects to certain websites and downloads other potentially unwanted software and malware, such as Trojan:Win32/FakeSecSen, Trojan:Win32/Bohmini, Trojan:Win32/FakeXPA and other Win32/Renos components.

Installation
When executed, TrojanDownloader:Win32/Renos.DZ copies itself with a randomly generated file name generally to the %Temp% directory of the affected system. It then modifies the registry so that this file runs at every Windows start: Adds value: "Somefox"
With data: "<malware executable>.exe"
To subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionRun
or
Adds value: "MSFox"
With data: "<malware executable>.exe"
To subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionRun It also makes the following registry modifications during installation: Adds value: Str<digit>
With data: <base64 encoded string> (for example, "x6tveq8ngbtmpknqirnnqauudxwx")
To subkey: HKLMSoftwareMozillaMSFox
or
Adds value: "Str<digit>"
With data:"<base64 encoded string>" (for example, "x6tveq8ngbtmpknqirnnqauudxwx")
To subkey: HKLMSOFTWAREMozillaSomefox

Payload
Downloads Other Malware
TrojanDownloader:Win32/Renos.DZ attempts to connect to certain remote servers to download other files. This variant has been observed downloading Trojan:Win32/FakeSecSen, Trojan:Win32/Bohmini, Trojan:Win32/FakeXPA and other Win32/Renos components. These Renos variants have been observed contacting or downloading from servers in the following list of locations, although this varies from minor variant to minor variant.

167.156.220.15
167.156.220.5
193.142.244.17
193.142.244.39
22.250.166.196
22.250.166.209
22.250.166.222
89.149.252.154
bigimagecatalogue.com
erabl-pict.com
image-big-library.com
img-library.com
lyox-lib.com
softupdat.com In some cases, Renos may post system information to the server before downloading, while in others it simply downloads the malware without any initial communication. The downloaded malware is generally saved to the %Temp% directory, using filenames such as "~tmpa.exe".

Last update 04 February 2009

 

TOP

Malware :

Family: