This is a Visual Basic trojan-downloader that downloads and executes a Renos variant, software that shows fake security warnings that can be quite annoying. The aim of this software is to trick the computer user into downloading third-party "cleaning utilities", usually anti-spyware scanners or Rogue antispyware.

Once executed, it downloads and creates these files:

• %windir%system32msorcl32.exe
• %windir%system32wmvds32.dll

Detected as Trojan-Downloader.Win32.VB.asx, wmvds32.dll is loaded in other processes and this ensures that an updated copy of Renos, msorcl32.exe, detected as Hoax.Win32.Renos.fn, is downloaded to the infected machine.

Last update 20 June 2007

 

TOP