Installation
TrojanDownloader:Win32/Renos.LL may drop copies of itself on the system, for example:
It creates a scheduled task to run the dropped copy at a set time. It also writes a batch file to the Temporary Files directory that deletes the originally executed file once the installation routine has finished.
When executed, TrojanDownloader:Win32/Renos.LL runs from its original location and modifies the registry so that its copy is run at each Windows start, for example:
Adds value: "M5T8QL3YW3"
With data: "<full path and file name of Win32/Renos.LL>" (for example, "%windir%\zgopia.exe")
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Additional registry modifications are made similar to the following example:
Adds value: "ZbyP"
With data: "<base64 encoded string>" (for example, "c7akz+o6wyplq1krrm4sg7m2lfgsythjho")
To subkey: HKCU\Software\M5T8QL3YW3
Note: The dropped files and registry modifications may vary from sample to sample, and the values listed may be different from those given in this example.
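Because the value names, file names and data change from sample to sample, a host triage check is better written against the shape of the footprint than against the literal strings above: a Run value with a random-looking name, whose data points at a bare executable dropped directly under a system or temp directory, paired with an HKCU\Software\<same name> subkey holding a base64-like blob. The following is an added example written for this page, not Microsoft's detection logic; it runs over a constructed, in-memory registry snapshot (the entries, the benign OneDrive and Steam values, and the scoring thresholds are all assumptions made for illustration) rather than the live registry.

```python
"""Structural triage for a Renos.LL-style persistence footprint.

Added example for this page (not Microsoft's own detection code). The
registry snapshot below is constructed for illustration; on a real host the
same dictionary could be filled from a .reg export of HKCU.
"""
import math
import ntpath
import re
from collections import Counter

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed snapshot: key path -> {value name: data}. Mirrors the page's
# example and adds two ordinary autostart entries that must not be flagged.
SNAPSHOT = {
    RUN_KEY: {
        "M5T8QL3YW3": r"%windir%\zgopia.exe",
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "Steam": r'"C:\Program Files (x86)\Steam\steam.exe" -silent',
    },
    r"HKCU\Software\M5T8QL3YW3": {"ZbyP": "c7akz+o6wyplq1krrm4sg7m2lfgsythjho"},
    r"HKCU\Software\Microsoft": {},
}

# Directories where a bare dropped executable is suspicious as a Run target.
# Assumed list; extend for the environment being examined.
DROP_DIRS = {"%windir%", "%systemroot%", r"c:\windows", "%temp%", "%tmp%", "%appdata%"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(name: str) -> bool:
    """Heuristic for generated value names such as 'M5T8QL3YW3': all upper-case
    letters and digits, mixing both, with no repeated-character structure."""
    if not re.fullmatch(r"[A-Z0-9]{8,16}", name):
        return False
    has_digit = re.search(r"\d", name) is not None
    has_alpha = re.search(r"[A-Z]", name) is not None
    return has_digit and has_alpha and shannon_entropy(name) > 2.5


def exe_path(data: str) -> str:
    """Extract the executable path from Run-value data, honouring quoting."""
    data = data.strip()
    if data.startswith('"') and data.count('"') >= 2:
        return data[1:data.index('"', 1)]
    return data.split(" ")[0]


def dropped_in_suspect_dir(path: str) -> bool:
    """True when the executable sits directly in one of DROP_DIRS."""
    parent = ntpath.dirname(path).lower().rstrip("\\")
    return parent in DROP_DIRS


def base64_like(data: str) -> bool:
    """Opaque blob check: long run of base64-alphabet characters and nothing
    else. Padding is not required, since the page's sample is not padded."""
    return re.fullmatch(r"[A-Za-z0-9+/=]{16,}", data) is not None


def triage(snapshot: dict) -> list:
    """Return [(value name, executable, [reasons])] for Run entries that show
    at least two of the footprint's traits."""
    keys = {k.lower(): v for k, v in snapshot.items()}   # registry is case-insensitive
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        reasons = []
        if looks_random(name):
            reasons.append("random-looking Run value name")
        path = exe_path(data)
        if dropped_in_suspect_dir(path):
            reasons.append("executable dropped directly under " + ntpath.dirname(path))
        sibling = rf"HKCU\Software\{name}".lower()
        if sibling in keys:
            reasons.append("matching HKCU\\Software\\<name> configuration key")
            for value_name, value_data in keys[sibling].items():
                if isinstance(value_data, str) and base64_like(value_data):
                    reasons.append(f"base64-like data in {sibling}\\{value_name}")
        if len(reasons) >= 2:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(SNAPSHOT):
        print(f"[!] {name} -> {path}")
        for r in reasons:
            print("    -", r)
```

Requiring two independent traits keeps a single oddity (a legitimately odd value name, or a tool that genuinely lives under %windir%) from producing a hit on its own; the paired HKCU\Software\<name> key is the trait most specific to this family and is worth confirming by hand with `reg query` on any flagged host.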
Payload
Downloads and executes arbitrary files
Once installed, the trojan may connect to one of several remote web servers and download and execute further files from them. In the wild, TrojanDownloader:Win32/Renos.LL has been observed contacting servers at the following locations for this purpose:
- nextartsfestival.com
- pinehousearts.com
Analysis by Elda Dimakiling