Malware Review: Trojan.Renos.PGZ, the all in-one-wonder

18 June 2010
The piece of malware that brings all its friends to the party

Trojan.Renos.PGZ is a Trojan, a downloader and, at times, a rogue AV. This multi-tasking strategy seems to be a common approach for cyber-criminals today, since it brings in much more revenue than a targeted piece of malware. The Trojan, a member of the Renos family, connects to certain websites in order to download and execute malicious files on the compromised computer. And by malicious code I mean Trojans, adware, spyware, fake AVs, worms: name any payload known to man and it is already on the infected system.

But first things first: Trojan.Renos.PGZ spreads its roots into the victim’s computer by creating “unusual” processes such as kgl.exe, kgj.exe and kgk.exe, which may appear in the Task Manager. Further file and registry modifications also occur, as detailed below.

  • three files randomly created in %TEMP% and named [3-random-letters].exe;
  • two job files in the C:\Windows\Tasks folder ({8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job and {35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job) which will execute the downloaded Trojans after each Windows start-up;
  • a service DLL and two registry entries that make sure the malware starts “working” with every system start-up: the file c:\Windows\system32\sshnas21.dll, the value HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Parameters\ServiceDll -> C:\WINDOWS\system32\sshnas21.dll, and the value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[10-random-letters-and-digits] -> %TEMP%\[3-random-letters].exe.

The Internet Explorer® security settings are also tampered with, making it easier for malicious code to reach the compromised computer. The following registry values are modified in order to bypass the firewall:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet -> 0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect -> 0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass -> 0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName -> 0x00000001
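As an added example (not part of the original article or of BitDefender's tooling), the following PowerShell script checks a Windows host for the artifacts listed above: the sshnas21.dll service DLL and its ServiceDll pointer, the two .job files, Run entries pointing at a three-letter executable in %TEMP%, and the four ZoneMap values. The name and path patterns for the Run entry are assumptions derived from the description above; the script only reads and reports, it removes nothing.

```powershell
# Added example: read-only check for the Trojan.Renos.PGZ artifacts described
# in the article. Run from an elevated PowerShell prompt.
$findings = @()

# 1. The SSHNAS service DLL on disk and its registry pointer
$dll = Join-Path $env:SystemRoot 'system32\sshnas21.dll'
if (Test-Path $dll) { $findings += "File present: $dll" }
$svc = 'HKLM:\SYSTEM\ControlSet001\Services\SSHNAS\Parameters'
if (Test-Path $svc) {
    $serviceDll = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).ServiceDll
    if ($serviceDll) { $findings += "SSHNAS ServiceDll -> $serviceDll" }
}

# 2. The two scheduled-task .job files named in the article
$jobNames = '{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job',
            '{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job'
foreach ($j in $jobNames) {
    $p = Join-Path $env:SystemRoot "Tasks\$j"
    if (Test-Path $p) { $findings += "Job file present: $p" }
}

# 3. HKCU Run entries: 10 random letters/digits pointing at %TEMP%\<3 letters>.exe
#    (assumed pattern; the value may hold the literal %TEMP% or the expanded path)
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$tempDir = [regex]::Escape($env:TEMP)
$props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^[A-Za-z0-9]{10}$' -and
            $p.Value -match "(?i)^`"?($tempDir|%TEMP%)\\[A-Za-z]{3}\.exe`"?") {
            $findings += "Suspicious Run entry: $($p.Name) -> $($p.Value)"
        }
    }
}

# 4. The ZoneMap values listed in the article. These are also common defaults on
#    many systems, so alone they are weak evidence; they only corroborate the rest.
$zm = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$zmProps = Get-ItemProperty -Path $zm -ErrorAction SilentlyContinue
foreach ($name in 'UNCAsIntranet', 'AutoDetect', 'ProxyBypass', 'IntranetName') {
    if ($zmProps -and $zmProps.$name -eq 1) { $findings += "ZoneMap $name = 1" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Trojan.Renos.PGZ artifacts found.' }
```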

The domains this Trojan connects to in order to retrieve malicious code capitalize on keywords such as movies, arts, shopping and sports, so pay extra attention when pointing your browser to such destinations, and, most of all, make sure that you’re running an updated security suite.

This article is based on the findings of BitDefender virus researcher Andrea Takacs.




Loredana sees in BitDefender a new challenge and a fresh approach to her professional development. Her enthusiasm, curiosity and, of course, lots of research, are some of the features that make her a competitive player in the security industry.
