Trojan:Win32/Renos.I is a trojan that displays misleading security alerts in an attempt to lure users into purchasing rogue security software.
Installation
Upon execution, Win32/Renos.I drops a copy of itself as one of the following:
%windir%\<random 3 character string>.exe
<system folder>\<random 3 character string>.exe
Win32/Renos.I also drops the following files:
%TEMP%\tdssc<random 3 character string>.tmp
<system folder>\drivers\tdssserv.sys
<system folder>\dllcache\beep.sys
<system folder>\drivers\beep.sys
Note that beep.sys is the name of a legitimate Windows driver and <system folder>\dllcache is the Windows File Protection cache, so the presence of a file with this name at these paths is not suspicious by itself; the copies should be checked by signature or by hash against a known-good copy.
It then modifies the system registry so that Win32/Renos.I runs at each Windows start.
Adds value: "netw"
With data: "%windir%\<random 3 character string>.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "UpdateWin"
With data: "%windir%\<random 3 character string>.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "UpdateWin"
With data: "%windir%\<random 3 character string>.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
The trojan also creates the following registry entries:
Adds value: "affid"
With data: "79"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\tdssdata
Adds value: "type"
With data: "clicker"
To subkey: HKLM\Software\TDSS
Adds value: "start"
With data: "1"
To subkey: HKLM\System\CurrentControlSet\Services\TDSSserv
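The following PowerShell script is an added example, not part of the original analysis, that checks a Windows host for the file and registry indicators listed above (the Run/RunServices values, the TDSS registry keys and service, tdssserv.sys, the tdssc*.tmp files, and the two beep.sys copies). It is read-only. It assumes an elevated PowerShell 5.1 or later prompt; the indicator names and paths are taken from the description above, and the signature and hash checks are the author's own heuristics for the parts of the description (random 3-character file names, beep.sys) that cannot be matched by name alone.

```powershell
# Added example: hunt for the Trojan:Win32/Renos.I indicators listed in the description.
# Read-only; prints matches. Assumes elevated PowerShell 5.1+ on the host under review.
$windir   = $env:windir
$sysdir   = [Environment]::SystemDirectory   # <system folder>, e.g. C:\Windows\System32
$findings = @()

# --- Autostart values named in the description ---
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'   # may not exist on NT-based Windows
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'netw', 'UpdateWin') {
        $val = $props.PSObject.Properties[$name]
        if ($val) { $findings += "Autostart value {0}\{1} = {2}" -f $key, $name, $val.Value }
    }
}

# --- TDSS configuration keys and the TDSSserv service entry ---
$tdssKeys = @(
    'HKLM:\SOFTWARE\TDSS',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata',
    'HKLM:\SYSTEM\CurrentControlSet\Services\TDSSserv'
)
foreach ($key in $tdssKeys) {
    if (Test-Path $key) {
        $findings += "Registry key present: $key"
        Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties } |
            ForEach-Object { $findings += "    {0} = {1}" -f $_.Name, $_.Value }
    }
}

# --- Dropped files with fixed names ---
$drv = Join-Path $sysdir 'drivers\tdssserv.sys'
if (Test-Path $drv) { $findings += "Driver present: $drv" }
Get-ChildItem -Path $env:TEMP -Filter 'tdssc*.tmp' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Temp file: $($_.FullName)" }

# beep.sys is a legitimate Windows driver, so only its integrity is interesting.
# Heuristic (author's assumption, not from the description): flag copies whose
# Authenticode/catalog signature is not valid, and report their hashes for comparison
# against a known-good copy from installation media.
foreach ($rel in 'dllcache\beep.sys', 'drivers\beep.sys') {
    $p = Join-Path $sysdir $rel
    if (Test-Path $p) {
        $sig  = Get-AuthenticodeSignature -FilePath $p
        $hash = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        if ($sig.Status -ne 'Valid') {
            $findings += "beep.sys copy with signature status '$($sig.Status)': $p (SHA256 $hash)"
        }
    }
}

# The dropped copy has a random 3-character name, which cannot be matched exactly.
# Heuristic: list 3-character .exe files in %windir% and the system folder that do not
# carry a valid signature (legitimate Microsoft binaries such as cmd.exe are signed).
foreach ($dir in $windir, $sysdir) {
    Get-ChildItem -Path $dir -Filter '???.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $findings += "Unsigned 3-character executable for review: $($_.FullName) (SHA256 $h)"
        }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Output $_ } }
else { Write-Output 'No Renos.I indicators found.' }
```

The signature checks are only a triage aid: a file that fails them still needs its hash compared against a trusted copy, and an infected host should be examined from clean media, since a kernel driver such as tdssserv.sys can hide its own files and registry keys from tools run on the live system.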
Payload
Displays Fake Security Messages
Win32/Renos.I displays misleading and fake messages about the security status of the infected system. These messages may contain the text "Your computer is at risk! Click here to preotect your computer from spyware!", as in the following example screenshot:
If the user clicks the message, the trojan attempts to connect to a remote domain, possibly to download and install a rogue security program.
Analysis by Huzefa Mogri