Win32/Renos.gen!AS is a family of Trojan downloaders that display fake warning messages indicating that spyware or malware has been detected on the machine, before downloading rogue security products, most notably Program:Win32/Antivirusxp. Win32/Renos.gen!AS has been distributed via spam messages.
Installation
Win32/Renos.gen!AS copies itself to the system folder with a variable name, usually starting with 'l' followed by several generated characters, e.g. “lphc1hfj0ea77.exe”. The file names used by Renos are mostly generated using the serial number of the machine’s C drive, meaning that the names will be consistent for a given machine, but vary from one system to the next.
It adds a value to the registry to launch this copy at system start (for example):
Adds value: "lphc1hfj0ea77"
With data: "C:\WINDOWS\system32\lphc1hfj0ea77.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Payload
Downloads Rogue Security Software
Win32/Renos.gen!AS first tries to retrieve the URL http://windowsupdate.microsoft.com/ to check for an active Internet connection. It does this continually, with pauses of up to 90 minutes between attempts, until it is able to retrieve something successfully.
The trojan then attempts to download and execute rogue security software, generally Program:Win32/Antivirusxp. It downloads from domains such as antivirusxp-2008.net, antivirusxp08.net, avxp08.net and avxp-2008.net. For example:
http://antivirusxp-2008.net/*/*/047ec50c-d8cb-4049-8813-d8d27517979f.gif
Note: This URL has been modified.
The file it downloads is a valid GIF image file; a small picture like this:
However, appended to the end of the GIF is an encrypted executable copy of the Win32/Antivirusxp installer. Renos.gen!AS decrypts this executable, saves it to the temp folder with a name such as “.tt2.tmp” and executes it.
Finally, Renos.gen!AS performs an HTTP POST request to a remote domain, sending details about the processor type, operating system version and installed software; the list of installed software is read from the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.
Displays Misleading Alerts and Errors
The trojan changes the Windows background to an image displaying a phony warning that Spyware was detected on the computer. This background image is saved to a file name such as phcndvj0e163.bmp and looks like this:
Older variants used an image like this:
The background is changed via registry settings such as:
Adds value: "Background"
With data: "0 0 255"
To subkey: HKCU\Control Panel\Colors
Adds value: "WallpaperStyle"
With data: "0"
To subkey: HKCU\Control Panel\Desktop
Adds value: "Wallpaper"
With data: "C:\WINDOWS\system32\phcndvj0e163.bmp"
To subkey: HKCU\Control Panel\Desktop
Most variants also drop a copy of Sysinternals’ “Blue Screen” screensaver to the system directory with a file name such as “blphcndvj0e163.scr”. The trojan registers this as the active screen saver and sets the screen saver timeout to 10 minutes by setting registry values such as:
Adds value: "SCRNSAVE.EXE"
With data: "C:\WINDOWS\system32\blphcndvj0e163.scr"
To subkey: HKCU\Control Panel\Desktop
Adds value: "ScreenSaveActive"
With data: "1"
To subkey: HKCU\Control Panel\Desktop
Adds value: "ScreenSaveTimeOut"
With data: "600"
To subkey: HKCU\Control Panel\Desktop
This screen saver shows fake blue screen “crash” images, followed by a fake animation of the system rebooting. The purpose of installing this is to add to the impression that the system is broken in some way.
To stop the screen saver from displaying its EULA when launched, the trojan sets the following:
Adds value: "EulaAccepted"
With data: 1
To subkey: HKCU\Software\Sysinternals\Bluescreen Screen Saver
Modifies System Settings
Win32/Renos disables both the desktop and screen saver pages on the system’s display properties dialog to prevent the user from resetting the background or the screen saver. It does this via the following registry changes:
Adds value: "NoDispScrSavPage"
With data: 1
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Adds value: "NoDispBackgroundPage"
With data: 1
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
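As an added example that is not part of the original analysis, the following PowerShell script checks a host, read-only, for the registry artefacts listed on this page (the Run entry, the wallpaper and screen saver in system32, the pre-accepted BlueScreen EULA, and the two Display Properties policies). The file-name patterns are assumptions generalised from the sample names above, not signatures from the analysis, so a match is a lead to investigate rather than proof of infection.

```powershell
# Added example, not from the original analysis: read-only check of a Windows host
# for the Win32/Renos.gen!AS registry artefacts described on this page. The patterns
# l*.exe, phc*.bmp and blphc*.scr in system32 are assumptions from the sample names.

$found = New-Object System.Collections.Generic.List[object]

function Add-Hit([string]$Key, [string]$Name, $Value, [string]$Reason) {
    $found.Add([pscustomobject]@{ Key = $Key; Name = $Name; Value = $Value; Reason = $Reason })
}

# 1. Persistence: a Run value launching a generated-name copy from system32
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not registry values
        if ("$($p.Value)" -match '\\system32\\l[a-z0-9]{6,}\.exe"?$') {
            Add-Hit $runKey $p.Name $p.Value 'Run entry with Renos-style generated name'
        }
    }
}

# 2. Desktop: wallpaper and screen saver dropped into system32
$desktopKey = 'HKCU:\Control Panel\Desktop'
$desktop = Get-ItemProperty -Path $desktopKey -ErrorAction SilentlyContinue
if ($desktop) {
    if ("$($desktop.Wallpaper)" -match '\\system32\\phc[a-z0-9]+\.bmp$') {
        Add-Hit $desktopKey 'Wallpaper' $desktop.Wallpaper 'Wallpaper is a bitmap in system32'
    }
    if ("$($desktop.'SCRNSAVE.EXE')" -match '\\system32\\blphc[a-z0-9]+\.scr$') {
        Add-Hit $desktopKey 'SCRNSAVE.EXE' $desktop.'SCRNSAVE.EXE' 'Screen saver is a dropped .scr in system32'
    }
}

# 3. Sysinternals BlueScreen EULA accepted without any user interaction
$eulaKey = 'HKCU:\Software\Sysinternals\Bluescreen Screen Saver'
$eula = (Get-ItemProperty -Path $eulaKey -Name EulaAccepted -ErrorAction SilentlyContinue).EulaAccepted
if ($eula -eq 1) { Add-Hit $eulaKey 'EulaAccepted' $eula 'BlueScreen EULA pre-accepted' }

# 4. Policies hiding the Desktop and Screen Saver pages of Display Properties
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'NoDispScrSavPage', 'NoDispBackgroundPage') {
    $v = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { Add-Hit $policyKey $name $v 'Display Properties page hidden by policy' }
}

if ($found.Count -eq 0) { 'No Win32/Renos.gen!AS registry indicators found.' }
else { $found | Format-Table -AutoSize }
```

Run it in an elevated PowerShell session on the suspect host; the script only reads the registry, so removing the Run value, restoring the wallpaper and screen saver, and deleting the two policy values remain manual cleanup steps once the hits have been reviewed.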
Analysis by Hamish O'Dea