Trojan-Downloader:W32/Renos.Gen

Summary

---

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Removal

---

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Technical Details

---

Trojan-Downloader:W32/Renos.GEN is a Generic Detection for variants in the Trojan-Downloader:W32/Renos family. Renos variants are trojan-downloaders that download rogueware onto the system. The trojan may arrive on the system as part of another malware's payload, from a user-initiated download, or through other means. The downloaded programs attempt to persuade the user to buy a particular rogue antispyware application by pretending that the system is infected with spyware.

Installation

On installation, the trojan drops the file

• %WINDOWS%/system32/brastk.exe

and then creates a launchpoint for it. The brastk.exe file then attempts to download another file from a remote server.

Execution

On execution, this trojan will modify registry keys in order to bypass the Windows firewall, then download a rogue antispyware application from a remote server and save it onto the system, most commonly at:

• %windir%\system32\winil104552502.exe

The actual save location may vary depending on the variant.

The malware subsequently creates a system tray icon that periodically displays the following message:

"Your computer is infected!    Windows has detected spyware infection!   It is recommended to use special antispyware tools to prevent data loss.    Windows will now download and install the most up-to-date antispyware for you.   Click here to protect your computer from spyware!"    

Clicking on the message will launch the downloaded rogue antispyware application.

About Generic Detections

Unlike more traditional detections (also known as signatures or single-file detections) a Generic Detection does not identify a unique or individual malicious program. Instead, a Generic Detection looks for broadly applicable code or behavior characteristics that indicate a file as potentially malicious, so that a single Generic Detection can efficiently identify dozens, or even hundreds of malware.

For more information about Generic Detections, see the Generic Detection description.