Threat behavior
Win32/Renos.gen!BA is a generic detection for a family of trojan downloaders that display fake warning messages claiming that spyware or malware has been detected on the machine, and then download rogue security products, most notably Program:Win32/Antivirusxp or Trojan:Win32/FakeXPA.
Installation
In the wild, Win32/Renos.gen!BA has been distributed via spam e-mail messages and has been observed under file names such as A9installer_880775.exe. This trojan does not modify the registry to load itself at startup; its file download payload runs when the executable is launched.
Payload
Downloads Malware
When run, this trojan downloader attempts to download from two URLs stored in encrypted form inside the executable. Once decrypted, they look like the following:
<domain>/script512.php?id=565858681&adv=0&uid=cf9311664c3d40cfaaf75beae38a5490cc5ee4d
<domain>/file512.php?id=565858681&adv=0&uid=cf9311664c3d40cfaaf75beae38a5490cc5ee4d
The domain name varies by trojan variant; examples observed include the following:
domain5121.net
justdomain08.net
karachun.net
If the download succeeds, the retrieved file is executed, and Win32/Renos.gen!BA then attempts to delete its own executable using a batch script.
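The download URLs above share a fixed shape (a script512.php or file512.php path with id, adv and uid query parameters, the uid being a long hex string) that does not depend on the domain, so it can be hunted for in web-proxy logs even when the domain is one not listed here. The following detector is an added example, not code from the original page or from Microsoft; the proxy log format and the sample log lines are constructed for the example, and the matching rules (both path names, all three parameters present, uid of at least 32 lowercase hex characters) are this example's assumptions drawn from the URL examples on the page.

```python
"""Hunt for Win32/Renos.gen!BA download-URL patterns in web-proxy log lines.

Added example, not from the original page. The log format and SAMPLE_LOG are
constructed; the URL shape follows the two URLs the page reports.
"""
import re
from urllib.parse import urlsplit, parse_qs

# The two script paths the page reports for the embedded download URLs.
RENOS_PATHS = {"/script512.php", "/file512.php"}
# Query keys both URLs carry; the uid value on the page is a 39-char hex string.
RENOS_KEYS = {"id", "adv", "uid"}
HEX_UID = re.compile(r"^[0-9a-f]{32,}$")   # assumption: uid is long lowercase hex

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2009-03-02T10:15:01Z 10.0.0.17 GET http://domain5121.net/script512.php?id=565858681&adv=0&uid=cf9311664c3d40cfaaf75beae38a5490cc5ee4d 200
2009-03-02T10:15:02Z 10.0.0.17 GET http://domain5121.net/file512.php?id=565858681&adv=0&uid=cf9311664c3d40cfaaf75beae38a5490cc5ee4d 200
2009-03-02T10:15:05Z 10.0.0.23 GET http://www.example.com/index.php?id=1 200
2009-03-02T10:15:09Z 10.0.0.23 GET http://www.example.com/file512.php?id=5&adv=0 404
2009-03-02T10:16:11Z 10.0.0.41 GET http://karachun.net/script512.php?id=565858681&adv=1&uid=cf9311664c3d40cfaaf75beae38a5490cc5ee4d 200
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_url(url):
    """Return extracted fields if url matches the Renos download pattern, else None."""
    parts = urlsplit(url)
    if parts.path not in RENOS_PATHS:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if not RENOS_KEYS <= set(qs):        # all three parameters must be present
        return None
    uid = qs["uid"][0].lower()
    if not HEX_UID.match(uid):
        return None
    return {"domain": parts.hostname, "path": parts.path,
            "id": qs["id"][0], "adv": qs["adv"][0], "uid": uid}


def scan_log(text):
    """Parse proxy log lines and return one hit dict per matching request."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        fields = classify_url(m.group("url"))
        if fields is None:
            continue
        fields.update(ts=m.group("ts"), client=m.group("client"),
                      status=m.group("status"))
        hits.append(fields)
    return hits


def summarize(hits):
    """Group hits by uid: the same uid across hosts and domains points at one variant."""
    by_uid = {}
    for h in hits:
        entry = by_uid.setdefault(h["uid"], {"clients": set(), "domains": set()})
        entry["clients"].add(h["client"])
        entry["domains"].add(h["domain"])
    return by_uid


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["client"]} -> {h["domain"]}{h["path"]} '
              f'id={h["id"]} adv={h["adv"]} status={h["status"]}')
    for uid, info in summarize(found).items():
        print(f'uid {uid[:12]}... seen from {sorted(info["clients"])} '
              f'via {sorted(info["domains"])}')
```

Matching on path and parameter structure rather than on the listed domains is deliberate: the page notes the domain changes per variant, while the script names and the id/adv/uid triple are what the variants have in common. A request whose host is unknown but whose URL matches this shape is worth pulling the client for a look, and a shared uid across several clients suggests one campaign.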
Analysis by Josh Phillips
Prevention