TrojanDownloader:Win32/Renos.NL


TrojanDownloader:Win32/Renos.NL is a generic detection for a family of trojans that connect to certain websites in order to download arbitrary files. This may include Win32/Winwebsec and other TrojanDownloader:Win32/Renos components.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product.

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

TrojanDownloader:Win32/Renos.NL may be distributed in the wild masquerading as a video codec. For an example, please see the image below:

It has also been observed being downloaded to affected machines after users are prompted by fake online security scanners. See below for examples of this method of distribution being utilized in the wild:

Installation
When executed, TrojanDownloader:Win32/Renos.NL runs from its original location and modifies the registry to run the trojan downloader at each Windows start (for example):
 
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "MSFox" (or "Cognac")
With data: "<full pathname of Win32/Renos.KNL>"
 
Additional registry modifications are made similar to the following example:
 
In subkey: HKLM\Software\Mozilla\MSFox
Sets value: Str<digit>
With data: <base64 encoded string> (for example, "x6tveq8ngbtmpknqirnnqauudxwx")
 
Note: These registry modifications may vary according to minor variant and the values listed may be different from those given in these examples.

Payload

Downloads and executes arbitrary files
Once installed, the trojan may connect to one of a number of remote web servers from which it may download and execute other files. In the wild, we have observed servers at the following locations being contacted in this manner by TrojanDownloader:Win32/Renos.NL:
 
  • image-big-library.com
  • 22.250.166.222
  • 167.156.220.15
  • erabl-pict.com
  • imagerepository.com
  • images-base.com
  • the-exefiles.com
  • freeexefiles.com
  • exefileformat.com
  • newexefile.com
 
Files downloaded may include Win32/Winwebsec and other TrojanDownloader:Win32/Renos components. TrojanDownloader:Win32/Renos.NL has also been observed downloading files and other content associated with advertising and browser redirection.
 
TrojanDownloader:Win32/Renos may post system information to the remote server before downloading files. The downloaded malware is generally saved to the %temp% directory, using filenames such as "~tmpa.exe".
 
Analysis by Hamish O'Dea

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following registry modifications (or similar):
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "MSFox" (or "Cognac")
    With data: "<full pathname of Win32/Renos.KNL>"

    In subkey: HKLM\Software\Mozilla\MSFox
    Sets value: Str<digit>
    With data: <base64 encoded string> (for example, "x6tveq8ngbtmpknqirnnqauudxwx")
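As an added example (not part of the Microsoft entry), the following Python script turns the Installation, Payload and Symptoms indicators above into checks a responder could run over a parsed registry export, a proxy log and a %temp% directory listing. The indicators themselves (the Run value names, the HKLM\Software\Mozilla\MSFox Str<digit> values, the contacted hosts and the "~tmpa.exe" name) come from this page; the registry snapshot shape, the proxy-log field layout, the generalisation of "~tmpa.exe" to other single letters, and all sample data are constructed assumptions.

```python
"""Detection helper for the TrojanDownloader:Win32/Renos.NL indicators above.

Added example, not Microsoft's code. Checks a registry snapshot for the
persistence and configuration values the entry describes, scans
constructed proxy-log lines for the hosts it lists, and flags %temp%
entries matching the dropped-file naming it reports.
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Indicators quoted from the encyclopedia entry.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = {"msfox", "cognac"}  # compared case-insensitively
CONFIG_KEY = r"HKLM\Software\Mozilla\MSFox"
CONFIG_VALUE_RE = re.compile(r"^Str\d+$", re.IGNORECASE)
CONTACTED_HOSTS = {
    "image-big-library.com", "22.250.166.222", "167.156.220.15",
    "erabl-pict.com", "imagerepository.com", "images-base.com",
    "the-exefiles.com", "freeexefiles.com", "exefileformat.com",
    "newexefile.com",
}
# The entry names "~tmpa.exe"; allowing any single letter is an assumption.
DROPPED_NAME_RE = re.compile(r"^~tmp[a-z]\.exe$", re.IGNORECASE)


def check_registry(snapshot: Dict[str, Dict[str, str]]) -> List[str]:
    """snapshot maps a subkey path to {value name: data}, as a parsed
    registry export would. Returns one finding string per indicator hit."""
    findings = []
    for name, data in snapshot.get(RUN_KEY, {}).items():
        if name.lower() in RUN_VALUE_NAMES:
            findings.append(f"run-key persistence: {RUN_KEY}\\{name} = {data}")
    for name, data in snapshot.get(CONFIG_KEY, {}).items():
        if CONFIG_VALUE_RE.match(name):
            findings.append(f"config value: {CONFIG_KEY}\\{name} = {data}")
    return findings


def _host_of(url_or_host: str) -> str:
    """Normalise a URL or bare host to a lower-case hostname without port."""
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    return (urlparse(target).hostname or "").lower()


def check_proxy_log(lines: Iterable[str]) -> List[str]:
    """Assumed line layout: '<date> <time> <client-ip> <method> <url>'.
    Returns the lines whose destination host is one of the listed servers."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line; skip rather than guess
        if _host_of(parts[4]) in CONTACTED_HOSTS:
            hits.append(line)
    return hits


def check_temp_listing(filenames: Iterable[str]) -> List[str]:
    """Flags %temp% entries that follow the '~tmpa.exe' naming scheme."""
    return [f for f in filenames if DROPPED_NAME_RE.match(f)]


# Constructed sample data (not taken from a real infected host).
SAMPLE_REGISTRY = {
    RUN_KEY: {
        "SunJavaUpdateSched": r"C:\Program Files\Java\jre6\bin\jusched.exe",
        "MSFox": r"C:\Users\alice\AppData\Local\Temp\codec_setup.exe",
    },
    CONFIG_KEY: {
        "Str1": "x6tveq8ngbtmpknqirnnqauudxwx",
        "Str2": "b3ztqaxcbd5m0p1",
    },
}
SAMPLE_PROXY_LOG = [
    "2010-09-21 10:15:03 192.168.1.20 GET http://www.example.com/index.html",
    "2010-09-21 10:15:41 192.168.1.20 POST http://exefileformat.com/gate.php",
    "2010-09-21 10:15:44 192.168.1.20 GET http://167.156.220.15:80/files/~tmpa.exe",
]
SAMPLE_TEMP_LISTING = ["~DF3A1B.tmp", "~tmpa.exe", "setup.log"]


def main() -> None:
    findings = (check_registry(SAMPLE_REGISTRY)
                + check_proxy_log(SAMPLE_PROXY_LOG)
                + check_temp_listing(SAMPLE_TEMP_LISTING))
    for finding in findings:
        print("INDICATOR:", finding)


if __name__ == "__main__":
    main()
```

Each check returns its findings as a list so the same functions can be fed real data (a registry export parsed into the same dict shape, proxy lines in the assumed layout, a directory listing) and the results correlated, rather than relying on printed output.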


Alert level: Severe
First detected by definition: 1.91.179.0
Latest detected by definition: 1.189.1719.0 and higher
First detected on: Sep 20, 2010
This entry was first published on: Sep 28, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan.Win32.Agent2.cvlb (Kaspersky)
  • W32/Suspicious_Gen2.CANOR (Norman)
  • Trojan horse Agent2.BHVF (AVG)
  • TR/Agent2.cvjb (Avira)
  • Trojan.Generic.4692005 (BitDefender)
  • Trojan.DownLoader1.19079 (Dr.Web)
  • Trojan.Win32.Agent2 (Ikarus)
  • Generic.dx!tqb (McAfee)
  • Trj/Zlob.KH (Panda)
  • Trojan.Win32.Generic!SB.0 (Sunbelt Software)