Threat behavior
TrojanDownloader:Win32/Renos.gen!A simulates a computer spyware scan, generating erroneous alerts and prompting the user to purchase the product in order to remove the alleged detections.
When TrojanDownloader:Win32/Renos.gen!A is first run, it will perform the following actions:
- Creates copies of itself
C:\%windir%\xpupdate.exe
C:\winstall.exe
- Modifies the registry to load the copied files when Windows is started
Adds value: Windows update loader
With data: "C:\%windir%\xpupdate.exe"
-or-
Adds value: Windows installer
With data: "C:\winstall.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Attempts to download an application named MalwareAlarm from a remote IP address
- Creates the directory %Program_Files%\MalwareAlarm and installs the following files in it:
MalwareAlarm.exe
MalwareAlarm.lic
MalwareAlarm0.dll
MalwareAlarm0.ma
MalwareAlarm1.dll
MalwareAlarm1.ma
MalwareAlarm3.dll
Uninstall.exe
TrojanDownloader:Win32/Renos.gen!A then executes the MalwareAlarm application which simulates a computer spyware scan. The scanner displays erroneous warnings stating the computer is infected and directing the user to a site to purchase a removal tool. In addition, TrojanDownloader:Win32/Renos.gen!A modifies the registry to change the Windows wallpaper settings and prevent access to those settings:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ADP
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\con
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoComponents
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoAddingComponents
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoDeletingComponents
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoEditingComponents
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\TileWallpaper
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\ComponentsPositioned
HKLM\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\WallpaperFileTime
HKLM\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\WallpaperLocalFileTime
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperFileTime
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperLocalFileTime
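The file drops, the Run-key persistence and the ActiveDesktop/Explorer policy changes listed above can all be checked read-only from PowerShell. The script below is an added example, not part of this encyclopedia entry and not a Microsoft tool; it uses only the paths and value names given above. Resolving the literal "C:\%windir%", "C:\" and "%Program_Files%" forms through $env:windir, $env:SystemDrive and $env:ProgramFiles is an assumption, and the MalwareAlarm hits are correlated with the file paths rather than matched on value name alone so that a legitimate Run entry sharing a name is not reported.

```powershell
# Added example: read-only host check for the TrojanDownloader:Win32/Renos.gen!A
# artifacts described in the entry. Nothing is modified or deleted.
# Assumption: the entry's "C:\%windir%", "C:\" and "%Program_Files%" map to
# $env:windir, $env:SystemDrive and $env:ProgramFiles on the inspected host.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copies of the downloader.
$dropped = @(
    (Join-Path $env:windir 'xpupdate.exe'),
    (Join-Path $env:SystemDrive 'winstall.exe')
)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
}

# 2. Installed fake-scanner directory and the files the entry lists.
$maDir   = Join-Path $env:ProgramFiles 'MalwareAlarm'
$maFiles = @('MalwareAlarm.exe','MalwareAlarm.lic','MalwareAlarm0.dll','MalwareAlarm0.ma',
             'MalwareAlarm1.dll','MalwareAlarm1.ma','MalwareAlarm3.dll','Uninstall.exe')
if (Test-Path -LiteralPath $maDir) {
    $findings.Add("Directory present: $maDir")
    foreach ($f in $maFiles) {
        $fp = Join-Path $maDir $f
        if (Test-Path -LiteralPath $fp) { $findings.Add("File present: $fp") }
    }
}

# 3. Run-key persistence. Flag only when the value name from the entry points at
#    one of the dropped file names, so an unrelated entry with the same name is skipped.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = @{ 'Windows update loader' = 'xpupdate.exe'; 'Windows installer' = 'winstall.exe' }
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in $runValues.Keys) {
    $data = $run.$name
    if ($data -and ($data -like "*$($runValues[$name])*")) {
        $findings.Add("Run value '$name' = $data")
    }
}

# 4. Extra keys the entry names (checked for existence only).
$extraKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\ADP',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\con'
)
foreach ($k in $extraKeys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("Registry key present: $k") }
}

# 5. Desktop/wallpaper restriction policies and wallpaper state values from the entry.
$policyChecks = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' = @(
        'NoChangingWallpaper','NoComponents','NoAddingComponents',
        'NoDeletingComponents','NoEditingComponents','NoHTMLWallPaper')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @(
        'NoActiveDesktop','NoDesktop','ClassicShell','ForceActiveDesktopOn')
    'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General' = @(
        'TileWallpaper','ComponentsPositioned','WallpaperFileTime','WallpaperLocalFileTime')
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Desktop\General' = @(
        'WallpaperFileTime','WallpaperLocalFileTime')
}
foreach ($key in $policyChecks.Keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($v in $policyChecks[$key]) {
        if ($null -ne $props.$v) {
            $findings.Add("Registry value set: $key\$v = $($props.$v)")
        }
    }
}

if ($findings.Count -eq 0) { 'No Renos.gen!A artifacts found.' } else { $findings }
```

Read the output in two tiers: a hit in sections 1 to 4 (the dropped executables, the MalwareAlarm directory, or a Run value pointing at them) is specific to this threat, while the section 5 policy and wallpaper values can also be set by legitimate Group Policy or by the user and are only meaningful alongside a hit from the earlier sections. Run it in the context of the affected user, since the Run key and policy values live under HKEY_CURRENT_USER.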
Prevention