TrojanDownloader:Win32/Renos.LX is a generic detection for a family of trojans that connect to certain websites in order to download arbitrary files. This may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen
TrojanDownloader:Win32/Renos.LX may be distributed in the wild masquerading as a video codec. For an example, please see the image below:
It has also been observed being downloaded to affected machines after users are prompted by fake online security scanners. See below for examples of this method of distribution being utilized in the wild:
When executed, TrojanDownloader:Win32/Renos.LX runs from its original location and modifies the registry to run the trojan downloader at each Windows start (for example):
Adds value: "MSFox" (or "Cognac")
With data: "<full pathname of Win32/Renos.LX>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Additional registry modifications are made similar to the following example:
Adds value: Str<digit>
With data: <base64 encoded string> (for example, "x6tveq8ngbtmpknqirnnqauudxwx")
To subkey: HKLM\Software\Mozilla\MSFox
Note: These registry modifications may vary according to minor variant and the values listed may be different from those given in these examples.
Downloads and executes arbitrary files
Once installed, the trojan may connect to one of a number of remote Web servers from which it may download and execute other files. In the wild, we have observed servers at the following locations being contacted in this manner by TrojanDownloader:Win32/Renos.LX:
Files downloaded may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen
. TrojanDownloader:Win32/Renos.LX has also been observed downloading files and other content associated with advertising and browser redirection.
TrojanDownloader:Win32/Renos may post system information to the remote server before downloading files. The downloaded malware is generally saved to the %temp% directory, using filenames such as "~tmpa.exe".
Analysis by Hamish O'Dea