
TrojanDownloader:Win32/Renos.LT


TrojanDownloader:Win32/Renos.LT is a generic detection for a family of trojans that connect to certain websites in order to download arbitrary files. This may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product.

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

TrojanDownloader:Win32/Renos.LT may be distributed in the wild masquerading as a video codec (the screenshot of such a prompt that accompanied this entry is not reproduced here).
It has also been observed being downloaded to affected computers after users are prompted by fake online security scanners (screenshots of this distribution method in the wild accompanied this entry and are likewise not reproduced here).

Installation
When executed, TrojanDownloader:Win32/Renos.LT runs from its original location and modifies the registry to run the trojan downloader at each Windows start (for example):
 
Adds value: "MSFox" (or "Cognac")
With data: "<full pathname of Win32/Renos.LT>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
Additional registry modifications are made similar to the following example:
 
Adds value: Str<digit>
With data: <base64 encoded string> (for example, "x6tveq8ngbtmpknqirnnqauudxwx")
To subkey: HKLM\Software\Mozilla\MSFox
 
Note: These registry modifications may vary according to minor variant and the values listed may be different from those given in these examples.
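The registry artifacts above are the most reliable host-side lead for this family. The following is an added example, not code from the original entry: a Python check that parses a text export of the kind `reg export` produces and flags a Run value named "MSFox" or "Cognac" together with any Str<digit> value under HKLM\Software\Mozilla\MSFox. The sample export is constructed; the dropped-file path `codec_update.exe` in it is hypothetical, since the entry does not name the file.

```python
"""Flag Win32/Renos.LT-style persistence in a Windows registry export.

Added example, not part of the MMPC entry. Works offline on a .reg text
export, so it can be run over a triage copy without touching the live registry.
"""
import re

# Indicators from the entry. Value names and subkeys may vary by minor
# variant, so treat a hit as a lead that needs confirmation, not a verdict.
RUN_SUBKEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = {"MSFox", "Cognac"}
MSFOX_SUBKEY = r"HKEY_LOCAL_MACHINE\Software\Mozilla\MSFox"
STR_VALUE_RE = re.compile(r"^Str\d+$", re.IGNORECASE)  # entry shows Str<digit>

# .reg syntax: "[key]" lines, then "name"="data" lines beneath them.
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Yield (subkey, value_name, data) for every REG_SZ value in a .reg export."""
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name, raw = m.groups()
            # Only quoted string data matters here; hex:/dword: forms are skipped.
            if raw.startswith('"') and raw.endswith('"'):
                yield current_key, name, raw[1:-1].replace("\\\\", "\\")


def find_renos_indicators(text):
    """Return human-readable findings for Renos.LT registry artifacts in text."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() == RUN_SUBKEY.lower() and name in RUN_VALUE_NAMES:
            findings.append(f"Run value {name!r} -> {data}")
        elif key.lower() == MSFOX_SUBKEY.lower() and STR_VALUE_RE.match(name):
            findings.append(f"MSFox config value {name!r} = {data}")
    return findings


# Constructed sample export: one benign Run value, the two artifacts from the
# entry, and a hypothetical file path (the entry does not name the dropped file).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"MSFox"="C:\\Users\\alice\\AppData\\Local\\Temp\\codec_update.exe"

[HKEY_LOCAL_MACHINE\Software\Mozilla\MSFox]
"Str1"="x6tveq8ngbtmpknqirnnqauudxwx"
"""

if __name__ == "__main__":
    for finding in find_renos_indicators(SAMPLE_EXPORT):
        print(finding)
```

On a live host the same export can be produced with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and `reg export HKLM\Software\Mozilla mozilla.reg`; the Str<digit> match is deliberately case-insensitive and accepts more than one digit, since the note above warns that names vary by minor variant.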
Payload
Downloads and Executes Arbitrary Files
Once installed, the trojan may connect to one of a number of remote Web servers from which it may download and execute other files. In the wild, we have observed servers at the following locations being contacted in this manner by TrojanDownloader:Win32/Renos.LT:
 
image-big-library.com
22.250.166.222
167.156.220.15
erabl-pict.com
imagerepository.com
images-base.com
the-exefiles.com
freeexefiles.com
exefileformat.com
newexefile.com
 
Files downloaded may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA. TrojanDownloader:Win32/Renos.LT has also been observed downloading files and other content associated with advertising and browser redirection.
 
TrojanDownloader:Win32/Renos may post system information to the remote server before downloading files. The downloaded malware is generally saved to the %temp% directory, using filenames such as "~tmpa.exe".
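The server list and the "post system information, then download" sequence above are what a defender would hunt for in web proxy logs. The following is an added example, not code from the original entry: it takes the hosts listed in this entry as indicators, matches proxy log lines by exact host or subdomain, groups contacts per client, and flags a client that POSTed to an indicator host and then fetched an executable from it. The log format and all sample lines are constructed.

```python
"""Hunt for Renos.LT download-server contacts in proxy logs.

Added example, not part of the MMPC entry. The indicator set is the hosts the
entry reports; the log format and the sample lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts named in the entry. This is 2010-era infrastructure: useful for
# historical triage of old logs, not as a live blocklist.
RENOS_HOSTS = {
    "image-big-library.com", "22.250.166.222", "167.156.220.15",
    "erabl-pict.com", "imagerepository.com", "images-base.com",
    "the-exefiles.com", "freeexefiles.com", "exefileformat.com",
    "newexefile.com",
}

# Constructed log format: "<iso-time> <client-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def host_of(url):
    """Return the lowercase hostname of a URL without port, or '' if unparsable."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def matches_indicator(host):
    """True if host is a listed indicator or a subdomain of a listed domain."""
    if host in RENOS_HOSTS:
        return True
    # Suffix matching only for domain names; a numeric IP has no subdomains.
    return any(host.endswith("." + d) for d in RENOS_HOSTS if not d[0].isdigit())


def hunt(lines):
    """Map each client IP to its (time, method, host, path) contacts with indicator hosts."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unknown line shape: skip rather than guess at fields
        ts, client, method, url, _status = m.groups()
        host = host_of(url)
        if matches_indicator(host):
            hits[client].append((ts, method, host, urlsplit(url).path or "/"))
    return dict(hits)


def checkin_then_download(contacts):
    """True when a client POSTed to an indicator host and later fetched an .exe from it.

    This mirrors the behaviour described in the entry: system information is
    posted to the server before the payload is downloaded.
    """
    posted = set()
    for _ts, method, host, path in contacts:
        if method == "POST":
            posted.add(host)
        elif method == "GET" and host in posted and path.lower().endswith(".exe"):
            return True
    return False


# Constructed sample: one infected client (10.0.0.42) and one benign client.
# The last line is a look-alike host that must NOT match on suffix.
SAMPLE_LOG = """\
2010-05-26T10:02:11Z 10.0.0.17 GET http://www.microsoft.com/windows/ 200
2010-05-26T10:02:13Z 10.0.0.42 POST http://image-big-library.com/in.php 200
2010-05-26T10:02:14Z 10.0.0.42 GET http://image-big-library.com/files/load.exe 200
2010-05-26T10:02:20Z 10.0.0.42 GET http://22.250.166.222/ads/redir.html 302
2010-05-26T10:03:01Z 10.0.0.17 GET http://cdn.images-base.com.example.org/x.jpg 200
"""

if __name__ == "__main__":
    for client, contacts in hunt(SAMPLE_LOG.splitlines()).items():
        flag = " (check-in then download)" if checkin_then_download(contacts) else ""
        print(f"{client}: {len(contacts)} contact(s){flag}")
```

Matching on the parsed hostname rather than on a substring of the URL is what keeps `images-base.com.example.org` from firing; the same care applies to the IP indicators, which are matched exactly and never by suffix.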
 
Analysis by Hamish O'Dea

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following registry modifications (or similar):
    Value: MSFox
    With data: <full pathname of Win32/Renos.LT>
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Value: Str<digit>
    With data: <base64 encoded string> (for example, "x6tveq8ngbtmpknqirnnqauudxwx")
    In subkey: HKLM\Software\Mozilla\MSFox

Prevention


Alert level: Severe
First detected by definition: 1.83.491.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: May 25, 2010
This entry was first published on: May 28, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases