Threat behavior
TrojanDownloader:Win32/Renos.HB is a trojan that creates desktop shortcuts to adult content sites and downloads rogue security software from predefined websites.
Installation
TrojanDownloader:Win32/Renos.HB may be installed by other malware. When run, it drops a copy of itself to the following location:
<system folder>\msiconf.exe
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP and Vista.
The registry is modified to run the dropped trojan at each Windows start.
Adds value: "msiexec.exe"
With data: "msiconf.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
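The Run value above is named after a legitimate Windows binary (msiexec.exe) while its data points to the dropped copy (msiconf.exe), so a check should look at both the value name and the value data. The following read-only PowerShell check is an added example, not part of the original analysis; the variable names are illustrative, and the extra SysWOW64 lookup is an assumption about file system redirection on 64-bit Windows rather than something the entry states.

```powershell
# Read-only triage for the persistence artifacts listed in this entry.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'msiexec.exe'   # Run value name given in this entry
$imageName = 'msiconf.exe'   # dropped file name / Run value data given in this entry
$findings  = New-Object System.Collections.Generic.List[object]

# 1. Run key: report the named value, plus any other value that launches the image.
$key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($name -ieq $valueName -or $data -like "*$imageName*") {
            $findings.Add([pscustomobject]@{
                Artifact = 'Run value'
                Location = "$runKey\$name"
                Detail   = $data
            })
        }
    }
}

# 2. Dropped copy in <system folder>. Assumption (not from the entry): on 64-bit
#    Windows a 32-bit process is redirected to SysWOW64, so that folder is checked too.
$dirs = 'System', 'SystemX86' |
    ForEach-Object { [Environment]::GetFolderPath($_) } |
    Where-Object { $_ } | Select-Object -Unique
foreach ($dir in $dirs) {
    $path = Join-Path $dir $imageName
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $created = (Get-Item -LiteralPath $path -Force).CreationTimeUtc
        $findings.Add([pscustomobject]@{
            Artifact = 'Dropped file'
            Location = $path
            Detail   = 'SHA256 {0}, created {1:u}' -f $hash, $created
        })
    }
}

if ($findings.Count) { $findings | Format-List }
else { 'No Renos.HB persistence artifacts found for this user.' }
```

Because the value is written under HKCU, the registry part only covers the account the script runs as; run it once per user profile on a shared machine.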
Payload
Creates desktop shortcuts to adult content sites
TrojanDownloader:Win32/Renos.HB places shortcuts to adult content Web sites on the desktop for all user profiles by creating the following shortcut files:
c:\documents and settings\all users\desktop\best bdsm p0rn.url
c:\documents and settings\all users\desktop\gay fetish sex.url
Contacts remote website
In the wild, TrojanDownloader:Win32/Renos.HB has been observed connecting to the following remote websites to download additional programs:
advancedvirusremover.com
rapidantivirus2009.com
The above-mentioned sites are associated with the distribution of rogue security software.
Analysis by Patrick Nolan
Prevention