Win32/Renocide is a family of worms that spread via local, removable, and network drives and via file-sharing applications. The worms also have IRC-based backdoor functionality, which allows a remote attacker to execute commands on the affected computer.
Installation
When run, Worm:Win32/Renocide creates a copy of itself using various file names. Some of the file names it has been known to use are:
- <system folder>\alokium.exe
- <system folder>\cftm.exe
- <system folder>\cftmem.exe
- <system folder>\csrcs.exe
- <system folder>\ctfn.exe
- <system folder>\ctfnom.exe
- <system folder>\ctfnon.exe
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. By default the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista, and 7.
It then runs the copy and deletes the original file using a batch file that it drops. The batch file may have one of the following file names:
- %Temp%\s.bat
- %Temp%\suicide.bat
Worm:Win32/Renocide also creates the following files:
It also creates the following registry entries so that it automatically runs every time Windows starts:
In subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Sets value: "csrcs"
With data: "<system folder>\csrcs.exe"
or
Sets value: "ctfmam"
With data: "<system folder>\cftmem.exe"
or
Sets value: "ctfnom"
With data: "<system folder>\ctfnom.exe"
or
Sets value: "ctfn"
With data: "<system folder>\ctfn.exe"
or
Sets value: "ctfm"
With data: "<system folder>\ctfm.exe"
or
Sets value: "ctfmom"
With data: "<system folder>\ctfnom.exe"
It also modifies the Winlogon Shell value so that its copy is started alongside "explorer.exe" at every logon (Winlogon launches every program listed in Shell, so the normal desktop still appears and the change is not obvious to the user):
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe <malware name>"
It also stores its configuration data in the registry:
In subkey: HKLM\Software\Microsoft\DRM\amty
Sets value: "a"
With data: "1" or "0" depending on whether it is able to spread via USB (see the IRC command "UsbSpread")
Sets value: "b"
With data: "1" or "0" depending on the state of the netbios scanner (see the IRC command "netbios")
Sets value: "bn"
With data: "<time>", where <time> is the netbios scanning time, written in encrypted form (see the IRC command "netbios")
Sets value: "dreg"
With data: "<year>", where <year> is the year of infection, written in encrypted form
Sets value: "eggol"
With data: "1" or "0" depending on the state of the logger (see the IRC command "logger")
Sets value: "exp1"
Sets value: "fix"
With data: "<label>", where <label> is the label of the fixed drive from which the malware is running
Sets value: "fix1"
With data: "1" if the malware is running on a fixed drive
Sets value: "ilop"
Sets value: "input"
With data: "<data>", where <data> is input data needed by a component of the malware (see the IRC command "plugin")
Sets value: "input2"
Sets value: "kin"
With data: "<IP address>", where <IP address> is the external IP of the host, written in encrypted format
Sets value: "kiu"
With data: "<country>", where <country> is the country of the host, written in encrypted format
Sets value: "output"
With data: "<data>", where <data> is generated by a component of the malware (see the IRC command "plugin")
Sets value: "regexp"
Sets value: "rem"
With data: "<label>", where <label> is the label of the removable drive from which the malware is running
Sets value: "rem1"
With data: "1", if the malware is running on a removable drive
Sets value: "su"
With data: "<time>", where <time> is the USB infection time, written in encrypted format (see the IRC command "UsbSpread")
It may write other registry entries with various values. Depending on the variant of Win32/Renocide, the registry keys described above may vary in meaning and intended purpose.
Spreads via...
Local, removable, and network drives
Win32/Renocide infects local, removable, and network drives by placing the following files in the root of these drives:
- autorun.inf - designed to automatically run the malware copies when the drive is accessed and Autorun is enabled
- csrcs.exe - copy of itself
- alokium.exe - copy of itself
- <random name>.exe - copy of itself
- <marker file> - file used to indicate infection of the drive; the file has varying names and no extension, for example, "ecdf4"
It looks for network shares by scanning every IP address in the local network, using a 255.255.255.0 (/24) or 255.255.0.0 (/16) mask depending on the variant and on attacker commands.
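The autorun.inf and drive-root artifacts listed above are easy to check for by hand, but the following Python script shows how to do it reliably. It is an added example, not code from the original write-up or from the malware itself: it builds a constructed drive root in a temporary directory (the file names and autorun.inf directives are those described above, "ecdf4" is the page's own marker example, and the stand-in executables contain dummy bytes), parses the autorun.inf tolerantly, and reports which programs it would launch plus any Renocide-style copies and extension-less marker files in the root.

```python
"""Inspect a drive root for the Win32/Renocide autorun.inf spreading artifacts.
Added example, not part of the original write-up; the drive root it inspects is
constructed in a temporary directory with dummy file contents."""
import re
import tempfile
from pathlib import Path

RENOCIDE_COPIES = {"csrcs.exe", "alokium.exe"}   # copy names the page lists in drive roots
_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_DIRECTIVE_RE = re.compile(r"^\s*([^=;\[\]]+?)\s*=\s*(.*?)\s*$")


def parse_autorun_inf(text):
    """Tolerant INI parse: {section (lower): {key (lower): value}}.

    Lines that are neither a section header nor key=value are skipped, because
    autorun.inf droppers routinely pad the file with junk to break signatures.
    """
    sections, current = {}, None
    for line in text.splitlines():
        sec = _SECTION_RE.match(line)
        if sec:
            current = sec.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        kv = _DIRECTIVE_RE.match(line)
        if kv and current is not None:
            sections[current][kv.group(1).strip().lower()] = kv.group(2)
    return sections


def _program(value):
    """Program path from a command value: quoted path, or first token."""
    v = value.strip()
    if v.startswith('"'):
        return v[1:].split('"', 1)[0]
    return v.split()[0] if v else ""


def autorun_targets(sections):
    """Programs the [autorun] section would launch: open=, shellexecute=, shell\\<verb>\\command=."""
    targets = []
    for key, value in sections.get("autorun", {}).items():
        is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_verb_cmd:
            prog = _program(value)
            if prog and prog not in targets:
                targets.append(prog)
    return targets


def inspect_drive_root(root):
    """Report autorun launch targets and Renocide-style files found in a drive root."""
    root = Path(root)
    report = {"autorun_targets": [], "suspect_executables": [], "marker_candidates": []}
    inf = root / "autorun.inf"
    if inf.is_file():
        # autorun.inf is ANSI text in practice; latin-1 never fails on junk bytes.
        report["autorun_targets"] = autorun_targets(
            parse_autorun_inf(inf.read_text(encoding="latin-1")))
    launched = {Path(t.replace("\\", "/")).name.lower() for t in report["autorun_targets"]}
    for entry in root.iterdir():
        if not entry.is_file():
            continue
        if entry.name.lower() in RENOCIDE_COPIES or entry.name.lower() in launched:
            report["suspect_executables"].append(entry.name)
        elif "." not in entry.name:
            # Renocide leaves an extension-less marker file, e.g. "ecdf4", in the root.
            report["marker_candidates"].append(entry.name)
    return report


# Constructed autorun.inf mirroring the directives an autorun worm uses; the
# comment line stands in for the junk padding such files often carry.
SAMPLE_AUTORUN_INF = """[autorun]
;padding line a dropper might add
open=csrcs.exe
shellexecute=csrcs.exe
shell\\Open\\command=csrcs.exe
shell\\Open\\Default=1
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""


def build_sample_root():
    """Create a throwaway directory laid out like an infected drive root (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="renocide_demo_"))
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN_INF, encoding="latin-1")
    (root / "csrcs.exe").write_bytes(b"MZ")            # dummy stand-in for the worm copy
    (root / "alokium.exe").write_bytes(b"MZ")          # dummy stand-in for the worm copy
    (root / "ecdf4").write_bytes(b"")                  # extension-less infection marker
    (root / "Holiday photos.zip").write_bytes(b"PK")   # legitimate user file, not flagged
    (root / "System Volume Information").mkdir()
    return root


if __name__ == "__main__":
    print(inspect_drive_root(build_sample_root()))
```

Point inspect_drive_root() at a real mount point (for example E:\ or /media/usb0) to check a suspect drive. Since the AutoRun changes Microsoft shipped from 2009 onward, and on Windows 7 by default, Windows no longer honors autorun.inf on USB and other non-optical removable media, so on patched systems these files are an indicator of an infected drive rather than an active execution path.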
File-sharing applications
Win32/Renocide checks whether the following file-sharing programs are installed on the computer:
- Ares
- DC++
- Emule
- FrostWire
- Kazaa
- LimeWire
- Shareaza
It also checks whether the archiving program WinRAR is installed on the computer. If not, it downloads a copy of the 7-Zip archiving program, which it usually saves as the following:
- <system folder>\RegShellSM.exe
Win32/Renocide then creates archived copies of itself, which it places in the shared folders of the above file-sharing applications. The file names of the archives are created by getting the names of the top 100 downloaded game or program torrents from the following websites:
- thepiratebay.com
- isohunt.com
One of the following suffixes is then appended to 50 randomly chosen titles:
- .Crack
- .Activator
- .Keygen
- .Validator
- -Razor1911
- -RELOADED
- -KeyMaker
The file-sharing application's shared folder may look similar to the following:
Payload
Modifies computer settings
Files detected as Worm:Win32/Renocide modify some computer settings, such as the following:
- Add the worm's executable to the Windows Firewall list of authorized applications, so the firewall does not block its network traffic:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<system folder>\<malware name>"
With data: "<system folder>\<malware name>:*:enabled:ipsec"
- Some variants modify Security Center settings to disable antivirus notifications:
In subkey HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets Value: "AntiVirusOverride"
With data: "1"
- Some variants turn off User Account Control (UAC) by clearing EnableLUA, the setting behind the "Run all administrators in Admin Approval Mode" policy (LUA, Least-privileged User Account, is the older name for the same mechanism), so administrator accounts run fully elevated without consent prompts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"
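The registry artifacts from the Installation section (the Run-key entries, the Winlogon Shell change, and the DRM\amty configuration key) and the settings changes listed just above can all be checked offline from a `reg export` dump. The following Python is an added example, not part of the original write-up: it parses reg-export text (REG_SZ and REG_DWORD values only, which is all these indicators need) and flags each indicator by category. SAMPLE_EXPORT is a constructed dump, not one captured from an infected host; the key paths, value names, and file names in it are the ones listed on this page.

```python
"""Hunt a Windows `reg export` dump for the Win32/Renocide artifacts described on
this page: Run-key entries, the Winlogon Shell change, the DRM\\amty config key,
the firewall exception, AntiVirusOverride and EnableLUA. Added example; the
SAMPLE_EXPORT dump is constructed, not captured from a real host."""
import re

# File and value names the page lists (lower-cased; the registry is case-insensitive).
RENOCIDE_FILES = {"alokium.exe", "cftm.exe", "cftmem.exe", "csrcs.exe",
                  "ctfn.exe", "ctfnom.exe", "ctfnon.exe"}
RENOCIDE_VALUES = {"csrcs", "ctfmam", "ctfnom", "ctfn", "ctfm", "ctfmom"}
RUN_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
)
WINLOGON = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
CONFIG_KEY = r"hklm\software\microsoft\drm\amty"
FIREWALL_LIST = (r"hklm\system\currentcontrolset\services\sharedaccess\parameters"
                 r"\firewallpolicy\standardprofile\authorizedapplications\list")
SECURITY_CENTER = r"hklm\software\microsoft\security center\svc"
POLICIES_SYSTEM = r"hklm\software\microsoft\windows\currentversion\policies\system"
_HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=data or @=data


def _unescape(s):
    """Undo .reg escaping (a backslash before a backslash or a quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data):
    """Decode REG_SZ ("...") and REG_DWORD (dword:xxxxxxxx); other types stay as text."""
    data = data.strip()
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data


def parse_reg_export(text):
    """Parse .reg text into {key (lower-case, hive abbreviated): {value name (lower-case): data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].lower().partition("\\")
            current = _HIVES.get(hive, hive) + "\\" + rest
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1)).lower()
            keys[current][name] = _decode(m.group(2))
    return keys


def _basename(path):
    return str(path).strip().strip('"').split("\\")[-1].lower()


def find_renocide_artifacts(keys):
    """Return (category, key, value name, data) for every indicator present."""
    hits = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if name in RENOCIDE_VALUES or _basename(data) in RENOCIDE_FILES:
                hits.append(("autostart", key, name, data))
    # A clean Shell value is exactly "explorer.exe"; the worm appends its own file name.
    shell = keys.get(WINLOGON, {}).get("shell")
    if shell is not None and str(shell).strip().lower() != "explorer.exe":
        hits.append(("winlogon_shell", WINLOGON, "shell", shell))
    if CONFIG_KEY in keys:
        hits.append(("config_key", CONFIG_KEY, None, sorted(keys[CONFIG_KEY])))
    for name, data in keys.get(FIREWALL_LIST, {}).items():
        # Entries look like "<path>:*:enabled:<label>"; judge the path part only.
        if _basename(str(data).split(":*:")[0]) in RENOCIDE_FILES:
            hits.append(("firewall_exception", FIREWALL_LIST, name, data))
    if keys.get(SECURITY_CENTER, {}).get("antivirusoverride") == 1:
        hits.append(("av_notifications_off", SECURITY_CENTER, "antivirusoverride", 1))
    if keys.get(POLICIES_SYSTEM, {}).get("enablelua") == 0:
        hits.append(("uac_disabled", POLICIES_SYSTEM, "enablelua", 0))
    return hits


# Constructed dump in reg-export syntax; one benign Run entry is included for contrast.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"csrcs"="C:\\Windows\\System32\\csrcs.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe csrcs.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty]
"a"="1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Windows\\System32\\csrcs.exe"="C:\\Windows\\System32\\csrcs.exe:*:enabled:ipsec"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
'''

if __name__ == "__main__":
    for hit in find_renocide_artifacts(parse_reg_export(SAMPLE_EXPORT)):
        print(hit)
```

To use it on a real machine, run `reg export HKLM hklm.reg /y` and feed the file's text to parse_reg_export(); reg export writes UTF-16 LE with a BOM, so open it with encoding="utf-16". The AuthorizedApplications\List key belongs to the Windows XP and Server 2003 firewall; on Vista and later, firewall rules live under ...\FirewallPolicy\FirewallRules instead, so that one check only applies to the older systems this family targeted.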
Allows backdoor access and control
Win32/Renocide has IRC-based backdoor functionality, which may allow a remote attacker to execute commands on the affected computer. It may run the following commands:
4iplocales - get the IP address of up to four network adapters
Closewintitle - kill the process whose window title exactly matches a given string
Cometerharakiri - remove itself
Configuration - get various information regarding the IRC connection, authentication, and infection stage
Country - get the geolocation of the computer (specifically the country)
Currentip - get the external IP of the computer
DisableIRC - terminate the IRC connection; the reconnection flag is disabled
Dlplugin - download file
DlRegExec - download and execute file
Dos - execute a command using the command prompt
DriveInfo - list all of the computer's drives and their statuses
Fileattrib - get the attributes of a specific file
FileDelete - delete a specific file
Filelist - list the files in a given folder that match a given filter
Filesize - get the size of a specific file
Filetime - get the modified/created/accessed timestamps of a specific file
Filevercion - get the version information of a given file
Getallwintitles - get the title of all windows
Getwintitles - get the title of all visible windows
Idletime - get the system's idle time
Ip - get the external IP address of the computer (similar to "Currentip", but using an alternate method)
IP? - get the external IP address of the computer
Ips - get all IP addresses of the computer, both external and internal
Join - join a specific IRC channel
Keepup - execute commands from hardcoded URLs
KillProcess - kill a specific process
Leave - leave the IRC channel
Logger - enable or disable logging of computer information
Msgsplit
Msnlifecontacts - list the files from %APPDATA%\Microsoft\Messenger based on a specific filter
Netbios - interact with the Netbios scanning plugin: enable or disable the scanner, start or stop a scan, get duration of scan
Netbioscopy - upload files to another network computer using Netbios
Nick - process IRC nick command
OsInfo - get the OS version, build, service pack, language information
Pcinfo - retrieve the user name and computer name of the computer
Pclookup - command used by the attacker to look for another infected computer with a specific user name or computer name
Ping - emulate a ping command
Plugin - the attacker may upload an encrypted AutoIT script (using "Dlplugin") and use this command to compile, execute and send back its results
Process - check if a process is running
ProcessList - get a list of all running process names and their PIDs
Reconnect - terminate IRC connection; the reconnection flag remains enabled
Refreship - recompute the external IP address
Reg - add, delete, read, or edit specific registry keys
Regcleanharakiri - delete registry key with the malware configuration data (see the Installation section)
Regread - read from malware registry key config data; the registry value to be read is specified by the attacker
Regstartupspy - has two subcommands:
View - list all values stored in the following registry keys:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Runservices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Runservices
Delete - kill the security process "TeaTimer.exe" and delete an attacker-supplied registry value from the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Runservices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Runservices
Setupirc - update the botnet connection details: server IP address, server port, IRC channel, and so on
Shellexecute - execute a given file specified by the attacker
StringClosewintitle - kill all processes with window titles that match a specific pattern
Uptime - get system uptime
UsbSpread - interacts with the USB infection plugin: start or stop spreading via USB, get duration of drive infection
Userinfo - get user name and computer name of the computer (same as "Pcinfo")
Vercion - get malware version
Files detected as Worm:Win32/Renocide contain hardcoded URLs. Each of these URLs points to a plain-text file containing commands for the malware to execute. These are the same commands that can be received over IRC, but with different keywords.
Once the text file is downloaded, the commands are executed automatically.
The command keywords are not in human-readable form but instead use garbage-like keywords, for example, "M8Y77V69S8488S689O99Q" is the command to download a file from a given URL. The arguments to the commands are also encrypted.
Terminates process
Win32/Renocide terminates the security program "TeaTimer.exe", the resident registry-protection component of Spybot - Search & Destroy, which would otherwise alert on the worm's changes to the Run keys and Winlogon settings.
Downloads other malware
Generates clicks for certain websites
Some variants of Win32/Renocide have trojan clicker (click-fraud) functionality. That is, they silently request or click links on certain websites to generate traffic or advertising revenue for those sites.
Analysis by Marian Radu