Threat behavior
Renos is a family of Trojans that display messages reporting that the user's current security software is malfunctioning and that new security software should be downloaded. The message is false and misleading; it is designed to pressure users into downloading and/or purchasing third-party 'security' software.
This variant may download unwanted programs identified as Program:Win32/SpySheriff, also known as 'MalwareAlarm'.
Installation
When executed, this Trojan installs itself by first copying itself as 'xpupdate.exe' (a name chosen to resemble a Windows Update component) into the Windows folder. It then modifies the registry so that this copy is run at each Windows start:
Adds value: "Windows update loader"
With data: "%WinDir%\xpupdate.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Because the Run subkey used is under HKEY_CURRENT_USER, the value can be written without administrative rights and applies to the user account that ran the Trojan.
Payload
This Trojan displays misleading information or falsified reports suggesting that the affected computer is infected with malware. This variant may download, or present a link to download, unwanted programs; the additional program may be identified as Program:Win32/SpySheriff, also known as 'MalwareAlarm'.
Renos.gen!I uses an HTTP GET request to retrieve programs from either 'download.malwarealarm.com' or a fixed IP address. Outbound HTTP requests to that host name are therefore a network indicator of this variant.
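The following is an added example, not code from the encyclopedia entry or from Microsoft, showing how the download channel described above can be hunted for in proxy or firewall logs. Only the host name 'download.malwarealarm.com' and the use of HTTP GET come from the entry; the W3C-style log layout and the log lines are constructed samples, and the entry's fixed IP address is not published here, so it is left for the operator to add.

```powershell
# Added example: flag HTTP GET requests to the Renos.gen!I download host in proxy logs.
# Assumed log layout (constructed, W3C-style): date time c-ip cs-method cs-host cs-uri-stem sc-status

function Find-RenosDownloads {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        # Host name from the entry. The fixed IP address the entry mentions is not
        # given there, so append it to this list if you know it (assumption: you do).
        [string[]] $Indicators = @('download.malwarealarm.com')
    )
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 7) { continue }
        $method = $f[3]; $dstHost = $f[4]; $uri = $f[5]
        # Renos fetches with HTTP GET; -contains compares case-insensitively in PowerShell
        if ($method -eq 'GET' -and $Indicators -contains $dstHost) {
            [pscustomobject]@{
                Time     = "$($f[0]) $($f[1])"
                ClientIp = $f[2]
                Host     = $dstHost
                Uri      = $uri
                Status   = $f[6]
            }
        }
    }
}

# Constructed sample log lines (not real traffic); one benign host, one mixed-case hit
$sampleLog = @'
#Fields: date time c-ip cs-method cs-host cs-uri-stem sc-status
2008-03-11 09:12:01 10.0.0.14 GET www.example.com /index.html 200
2008-03-11 09:12:07 10.0.0.14 GET download.malwarealarm.com /get.php 200
2008-03-11 09:12:09 10.0.0.22 GET update.microsoft.com /v9/windowsupdate/ 200
2008-03-11 09:13:15 10.0.0.14 GET DOWNLOAD.MALWAREALARM.COM /get.php 200
'@ -split "`r?`n"

$hits = Find-RenosDownloads -LogLines $sampleLog
$hits | Format-Table -AutoSize

# Clients that reached the download host are the ones to sweep for the Installation artefacts
$hits | Group-Object ClientIp | Select-Object Name, Count
```

Against a real log, pass the file contents in (for example `Find-RenosDownloads -LogLines (Get-Content C:\logs\proxy.log)`) after adjusting the field positions to the log format actually in use; any client that appears in the output should be treated as likely infected rather than merely suspicious, since nothing legitimate fetches programs from that host.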
Additional Information
This Trojan variant may add an entry for itself, named "MalwareAlarm", to the Windows Control Panel applet 'Add or Remove Programs' (that is, a subkey under the registry's Uninstall key), so that it appears to be a legitimately installed application.
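The following is an added example, not code from the encyclopedia entry or from Microsoft, that sweeps a Windows host for the artefacts described in the Installation section and in this section: the "Windows update loader" Run value, the dropped %WinDir%\xpupdate.exe, and the "MalwareAlarm" Add or Remove Programs entry. The value name, file name, key paths and display name come from the entry; the function name, the regular expressions, the choice of Uninstall roots (including the Wow6432Node and per-user locations) and the clean-up behaviour are assumptions made for this example.

```powershell
# Added example: sweep for Renos.gen!I host artefacts. Read-only unless -Remove is given;
# -Remove honours -WhatIf / -Confirm. Run in an elevated session so HKLM is readable.

function Test-RenosArtifacts {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $Remove)

    $runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'     # from the entry
    $valName  = 'Windows update loader'                                    # from the entry
    $dropPath = Join-Path $env:WINDIR 'xpupdate.exe'                       # from the entry
    $psMeta   = @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')
    $findings = @()

    # 1. Run-key persistence: the named value, or any Run value whose data points at xpupdate.exe
    if (Test-Path $runKey) {
        $run = Get-ItemProperty -Path $runKey
        foreach ($p in $run.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }   # skip the provider's own members
            $data = [string]$p.Value
            if ($p.Name -eq $valName -or $data -match '(?i)\\xpupdate\.exe\b') {
                $findings += [pscustomobject]@{ Type='RunValue'; Location="$runKey\$($p.Name)"; Detail=$data }
                if ($Remove -and $PSCmdlet.ShouldProcess("$runKey\$($p.Name)", 'Remove Run value')) {
                    Remove-ItemProperty -Path $runKey -Name $p.Name
                }
            }
        }
    }

    # 2. The dropped binary itself (record its hash before touching it)
    if (Test-Path $dropPath) {
        $hash = (Get-FileHash -Path $dropPath -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type='File'; Location=$dropPath; Detail="SHA256=$hash" }
        if ($Remove -and $PSCmdlet.ShouldProcess($dropPath, 'Delete file')) {
            # xpupdate.exe is not a Windows component; stop it if it is running, then delete it
            Get-Process -Name 'xpupdate' -ErrorAction SilentlyContinue | Stop-Process -Force
            Remove-Item -Path $dropPath -Force
        }
    }

    # 3. The fake 'MalwareAlarm' entry in Add or Remove Programs (assumed Uninstall roots)
    $uninstallRoots = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $sub.PSPath
            if ([string]$props.DisplayName -match '(?i)malwarealarm') {
                $findings += [pscustomobject]@{ Type='Uninstall'; Location=$sub.PSPath; Detail=[string]$props.UninstallString }
                if ($Remove -and $PSCmdlet.ShouldProcess($sub.PSPath, 'Remove Uninstall subkey')) {
                    Remove-Item -Path $sub.PSPath -Recurse -Force
                }
            }
        }
    }
    return $findings
}

Test-RenosArtifacts | Format-Table -AutoSize
# Test-RenosArtifacts -Remove -WhatIf   # dry run of the clean-up
```

A clean sweep from this function does not mean the machine is clean: the Trojan also downloads other unwanted programs (such as the SpySheriff/'MalwareAlarm' package named above), which have their own files and registry entries, so follow up with a full scan by up-to-date security software rather than relying on these three indicators alone.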
Prevention