TrojanDownloader:Win32/Renos usually copies itself to C:\winstall.exe and runs that file, which in turn may create the following additional files:
To load when Windows is started, TrojanDownloader:Win32/Renos may modify the registry as follows:
Adds value: Windows installer
or value: Windows update loader
With data: <path to dropped executable>
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
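The following read-only check for the Run-key values and the C:\winstall.exe copy described above is an added example, not part of the original write-up. The function names `Get-FileEvidence` and `Find-RenosRunValue` are hypothetical, and the script inspects only the current user's hive.

```powershell
# Added example: read-only triage for the persistence described on this page.
$RunKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueNames = @('Windows installer', 'Windows update loader')   # value names from this page
$DropPath   = 'C:\winstall.exe'                                 # file path from this page

function Get-FileEvidence {
    param([string]$Path)
    # Hash and signature status let an analyst triage the file without running it.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; SHA256 = $null; Signature = $null }
    }
    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    }
}

function Find-RenosRunValue {
    if (-not (Test-Path -LiteralPath $RunKey)) { return }
    $key = Get-Item -LiteralPath $RunKey
    foreach ($name in $key.GetValueNames()) {
        # -notcontains compares case-insensitively, as registry value names do.
        if ($ValueNames -notcontains $name) { continue }
        $data = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        # Run data is either "C:\path\file.exe" args or an unquoted command line.
        # For unquoted data only the first token is taken, so a path with spaces
        # is truncated; the raw data is reported alongside for that reason.
        $exe = $null
        if ($data -match '^\s*"(?<p>[^"]+)"' -or $data -match '^\s*(?<p>\S+)') {
            $exe = [Environment]::ExpandEnvironmentVariables($Matches['p'])
        }
        $file = Get-FileEvidence -Path $exe
        [pscustomobject]@{
            ValueName = $name
            Data      = $data
            Exists    = $file.Exists
            SHA256    = $file.SHA256
            Signature = $file.Signature
        }
    }
}

Find-RenosRunValue | Format-List
Get-FileEvidence -Path $DropPath | Format-List
```

A legitimate program could in principle use the same value names, so treat a hit as a lead and confirm it with the reported hash and signature status.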
Some variants install a Browser Helper Object that loads when Microsoft Internet Explorer is opened.
Some variants also drop a DLL in the %system% folder.
Symptoms of a Win32/Renos infection may differ according to the particular variant. The trojan may display a red (possibly blinking) icon in the system tray, such as the one in the following image:
Win32/Renos may also display a deceptive message warning that the computer is infected; the warning encourages the user to download certain software that allegedly provides malware or spyware protection. The following are two variations of a warning message that may appear: