Worm:Win32/Renocide.gen!B is the detection for a worm that attempts to download files from a remote server. It spreads via removable drives and network shares. It may also attempt to terminate certain security processes.
Installation
If run from the root of a drive, Worm:Win32/Renocide.gen!B may drop the following files:
- <system folder>\csrcs.exe - copy of itself
- <system folder>\autorun.in - initialization file used in its propagation routine (see below)
- <system folder>\autorun.i - another initialization file
- %TEMP%\s.cmd - batch file designed to delete this worm's currently-running copy
- %SystemDrive%\khs
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
It may modify the system registry so that it automatically runs every time Windows starts:
Adds value: "csrcs"
With data: "<system folder>\csrcs.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Adds value: "csrcs"
With data: "<system folder>\csrcs.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\policies\Explorer\Run
It stores malware-specific settings under the following registry key:
HKLM\Software\Microsoft\DRM\amty
Spreads Via...
Removable Drives
Worm:Win32/Renocide.gen!B spreads by dropping copies of itself on all removable drives, possibly under a random file name. It also copies its dropped autorun.inf to each removable drive so that the copy runs automatically when the drive is accessed, provided AutoPlay is enabled.
Network Shares
Win32/Renocide.gen!B also spreads by scanning the IP range derived from the infected machine's own IP address for writable shares. On each writable share it finds, it drops a copy of itself together with a copy of the autorun.inf file.
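When triaging a removable drive or a network share that this worm may have written to, the first question is what the planted autorun.inf would launch. The following is an added example (not Microsoft's analysis code and not the worm's file): it parses autorun.inf the way Windows reads it, an INI file whose [autorun] section names a program in open=, shellexecute= or shell\<verb>\command=, and reports the launch targets and whether the referenced file is present at the drive root. SAMPLE_AUTORUN is constructed for the demonstration; the description above does not give the real file's contents, so its keys and values are assumptions.

```python
"""Triage a removable drive for the AutoRun entry this worm plants.

Added example, not Microsoft's or the worm's code. SAMPLE_AUTORUN is a
constructed file in the usual autorun.inf-worm style; the page does not
give the real file's contents.
"""
import configparser
import os
import sys

# Directives Windows uses to decide what to run for the drive.
LAUNCH_KEYS = ("open", "shellexecute")


def launch_targets(text):
    """Return {directive: command} for every autorun.inf directive that launches a program."""
    # Worm-written files are often malformed: tolerate repeated keys, lines
    # without '=', any section-name casing, and '%...%' environment references.
    cp = configparser.ConfigParser(strict=False, allow_no_value=True,
                                   interpolation=None, delimiters=("=",))
    cp.read_string(text)
    targets = {}
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):  # configparser lower-cases keys
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                if value:
                    targets[key] = value.strip()
    return targets


def triage_drive(root):
    """Map each launch directive at a drive root to (executable, present?).

    os.path.exists sees hidden/system files, so the Explorer settings the
    worm changes do not hide the dropped files from this check.
    """
    inf = os.path.join(root, "autorun.inf")
    if not os.path.exists(inf):
        return {}
    with open(inf, "r", errors="replace") as fh:
        targets = launch_targets(fh.read())
    report = {}
    for key, command in targets.items():
        exe = command.split()[0].strip('"')  # drop arguments and quotes
        report[key] = (exe, os.path.exists(os.path.join(root, exe)))
    return report


# Constructed sample (assumption): the worm's autorun.inf is not reproduced on the page.
SAMPLE_AUTORUN = r"""
[AutoRun]
; constructed sample in the style of autorun.inf worms, not the real file
open=csrcs.exe
shell\open\Command=csrcs.exe
shellexecute=csrcs.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Removable Disk
UseAutoPlay=1
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python triage.py E:\
        for key, (exe, present) in triage_drive(sys.argv[1]).items():
            print(f"{key}: {exe} ({'present' if present else 'missing'})")
    else:
        print(launch_targets(SAMPLE_AUTORUN))
```

The shell\open\command directive matters even where AutoPlay itself is off: on systems that still honour autorun.inf, it replaces what Explorer does when the drive is double-clicked, so the copy can start from a plain user action rather than from insertion.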
Payload
Modifies System Settings
Worm:Win32/Renocide.gen!B modifies how the system handles files with the Hidden attribute via the system registry:
Adds value: "Hidden"
With data: "2"
Adds value: "SuperHidden"
With data: "2"
Adds value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: "CheckedValue"
With data: "1"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Adds value: "Shell"
With data: "Explorer.exe csrcs.exe"
To Subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
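The persistence entries under Installation and the Explorer and Winlogon changes listed here are all things a responder can verify from the registry. The script below is an added example (not Microsoft's analysis code) that audits exactly those locations: it flags a Run-key value launching csrcs.exe and a Winlogon Shell value that starts anything besides explorer.exe as high-confidence findings, and treats the Hidden/ShowSuperHidden settings as corroboration only, since those values also match a default install. Live collection uses the standard-library winreg module and therefore needs Windows; elsewhere the script evaluates SAMPLE_ENTRIES, which is constructed to mirror the values the description lists.

```python
"""Audit the registry locations this description names for Renocide-style
tampering. Added example, not Microsoft's or the worm's code. The rules
encode only what the description states.
"""
import sys

# (hive, subkey) pairs taken from the description above.
AUDITED_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunServices\policies\Explorer\Run"),
    ("HKLM", r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"),
]


def evaluate(entries):
    """Apply the rules to (hive, subkey, value_name, data) tuples.

    Returns a list of (severity, location, reason) tuples, "high" first.
    """
    findings = []
    for hive, subkey, name, data in entries:
        key = f"{hive}\\{subkey}".lower()
        loc = f"{hive}\\{subkey}\\{name}"
        text = str(data).lower()
        if key.endswith("\\run") and "csrcs.exe" in text:
            findings.append(("high", loc, "Run-key value launches csrcs.exe"))
        elif key.endswith("\\winlogon") and name.lower() == "shell":
            # Windows expects Shell to be "explorer.exe"; any extra token is a
            # program Winlogon starts alongside it (here "csrcs.exe").
            extra = [t for t in text.replace(",", " ").split() if t != "explorer.exe"]
            if extra:
                findings.append(("high", loc, "Winlogon Shell also starts: " + " ".join(extra)))
        elif key.endswith("\\explorer\\advanced") and (
            (name.lower() == "hidden" and text == "2")
            or (name.lower() == "showsuperhidden" and text == "0")
        ):
            # Also the values of a default install, so corroboration only.
            findings.append(("info", loc, "hidden/system files not shown in Explorer"))
    order = {"high": 0, "info": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


def collect_live():
    """Read every value under the audited keys from the running system (Windows only)."""
    import winreg  # standard library, present only on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, subkey in AUDITED_KEYS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:  # no more values
                        break
                    entries.append((hive, subkey, name, data))
                    i += 1
        except OSError:  # key absent, which is the clean case for the Run keys
            pass
    return entries


# Constructed sample (assumption) mirroring the values the description lists.
SAMPLE_ENTRIES = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
     "csrcs", r"C:\Windows\System32\csrcs.exe"),
    ("HKLM", r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell", "Explorer.exe csrcs.exe"),
    ("HKLM", r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Userinit", r"C:\Windows\system32\userinit.exe,"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", 2),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", 0),
]

if __name__ == "__main__":
    entries = collect_live() if sys.platform == "win32" else SAMPLE_ENTRIES
    for severity, location, reason in evaluate(entries):
        print(f"[{severity}] {location}: {reason}")
```

Run it from an elevated prompt so HKLM reads succeed, and treat a Winlogon Shell hit as the decisive one: unlike the Run keys, that value is consulted by Winlogon itself, so the extra program starts with every interactive logon regardless of Explorer's own startup processing.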
Terminates Security Process
Worm:Win32/Renocide.gen!B attempts to terminate the process TeaTime.exe, which belongs to the "Spybot - Search & Destroy" security application.
Downloads Arbitrary Files and Sends System Information
Worm:Win32/Renocide.gen!B may download files from the following domains:
- suse.extasix.com
- kisa.9dk2.com
It may also send computer information to a remote server.
Attempts to Resolve External IP Address
Win32/Renocide.gen!B also attempts to get the external IP address of the infected machine by issuing requests to whatismyip.com and/or checkip.dyndns.org.
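The download domains and the external-IP lookups together give a usable network signature. The script below is an added example (not Microsoft's detection logic) that runs over proxy log lines and groups indicator hits per client: a hit on suse.extasix.com or kisa.9dk2.com is treated as high confidence, while whatismyip.com and checkip.dyndns.org are legitimate services that many programs query, so on their own they only mark a host for a closer look. The log format ("timestamp client method url") and SAMPLE_LOG are constructed for the demonstration; adapt parse_line() to your proxy's format.

```python
"""Flag hosts whose web traffic matches the network indicators in this
description. Added example, not Microsoft's code; the log format is an
assumption and SAMPLE_LOG is constructed.
"""
from urllib.parse import urlsplit

# From the description: download domains (specific to this worm) and the
# external-IP lookup services it queries (also used by legitimate software).
DOWNLOAD_DOMAINS = ("suse.extasix.com", "kisa.9dk2.com")
IP_CHECK_DOMAINS = ("whatismyip.com", "checkip.dyndns.org")


def matches(host, domains):
    """Return the matched domain if host equals it or is a subdomain of it, else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        # Suffix match on a label boundary, so "suse.extasix.com.example.net"
        # does not count as extasix.com.
        if host == d or host.endswith("." + d):
            return d
    return None


def parse_line(line):
    """Constructed format (assumption): '<iso-timestamp> <client-ip> <method> <url>'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, _method, url = parts
    host = urlsplit(url).hostname
    if not host:
        return None
    return ts, client, host


def analyze_log(text):
    """Group indicator hits per client and assign a verdict."""
    hits = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, host = parsed
        for label, domains in (("high", DOWNLOAD_DOMAINS), ("low", IP_CHECK_DOMAINS)):
            d = matches(host, domains)
            if d:
                entry = hits.setdefault(client, {"high": set(), "low": set(), "first_seen": ts})
                entry[label].add(d)
    report = {}
    for client, entry in hits.items():
        report[client] = {
            "first_seen": entry["first_seen"],
            "high": sorted(entry["high"]),
            "low": sorted(entry["low"]),
            # An IP-check service alone is not evidence of this worm.
            "verdict": "likely-infected" if entry["high"] else "check-only",
        }
    return report


# Constructed sample log lines (assumption), not captured traffic.
SAMPLE_LOG = """\
2011-03-01T10:02:11Z 10.0.0.15 GET http://checkip.dyndns.org/
2011-03-01T10:02:14Z 10.0.0.15 GET http://kisa.9dk2.com/
2011-03-01T10:03:40Z 10.0.0.22 GET http://www.whatismyip.com/
2011-03-01T10:05:02Z 10.0.0.15 GET http://suse.extasix.com/
2011-03-01T10:06:30Z 10.0.0.31 GET http://www.example.com/index.html
2011-03-01T10:07:01Z 10.0.0.31 GET http://suse.extasix.com.example.net/
"""

if __name__ == "__main__":
    for client, info in sorted(analyze_log(SAMPLE_LOG).items()):
        print(client, info["verdict"], "high:", info["high"], "low:", info["low"], "first:", info["first_seen"])
```

Because the domains are the only network detail the description gives, the script matches on hostnames rather than URL paths; if your proxy only logs CONNECT tunnels, the same matching works on the CONNECT target.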
Analysis by Marian Radu