
Trojan.Renos.PHM

VERY LOW
MEDIUM
60 KB
(Backdoor.Win32.Agent.avqz, Downloader-CEW.e, TrojanDownloader:Win32/Renos.KX)

Symptoms

- Presence of the registry key HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Parameters with the value ServiceDll -> C:\Windows\system32\sshnas21.dll

- Presence of infected files with random names under C:\Windows folder

- Presence of job files under C:\Windows\tasks folder, registering malware execution as scheduled tasks on the infected computer

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Roxana Gherle, virus researcher

Technical Description:

Trojan.Renos.PHM is a trojan downloader belonging to the Renos family. It attempts to download other trojans.

Upon execution it will try to connect to various remote addresses for downloading and executing other malware components.

It attempts to post data to addresses belonging to the following domains:

blueriverarts.com, redskeltonarts.com, greenbeearts.com

From the aforementioned URLs, the trojan obtains links to three other malware components, which it then downloads and executes. The downloaded malware is detected by BitDefender under the name Trojan.Renos.PHH; these are dangerous trojans which download and install additional malware, spyware and badware.

Other dangerous sites to which the malware components try to connect:

cuert.com, msdip.com, resellerrati.com, allshome.com, thedupage.com

The Trojan removes its traces by creating a batch file jtp..bat under %TEMPDIRECTORY% which deletes the trojan and then the batch file itself.
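As an added example (not Bitdefender's own tooling), a read-only PowerShell triage check for the indicators listed under Symptoms and in the technical description above; it reports findings and changes nothing. The function name, the check of CurrentControlSet alongside ControlSet001, and the 7-day window for recently created files are assumptions.

```powershell
# Added example: read-only triage for the Trojan.Renos.PHM indicators on this page.
# Run in an elevated PowerShell on the suspect machine; disinfection is left to the AV product.

function Test-RenosPHMIndicators {
    $findings = @()

    # 1. SSHNAS service whose ServiceDll points at sshnas21.dll (Symptoms section).
    #    CurrentControlSet is checked as well, since ControlSet001 is not always the live set.
    foreach ($set in 'ControlSet001', 'CurrentControlSet') {
        $key = "HKLM:\SYSTEM\$set\Services\SSHNAS\Parameters"
        if (Test-Path $key) {
            $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { $findings += "Registry: $key ServiceDll = $dll" }
        }
    }

    # 2. The service DLL itself under system32.
    $dllPath = Join-Path $env:SystemRoot 'system32\sshnas21.dll'
    if (Test-Path $dllPath) { $findings += "File: $dllPath" }

    # 3. Random-named files are dropped directly under C:\Windows; list files created in the
    #    last 7 days (assumed window) in that folder only, for manual review.
    $since = (Get-Date).AddDays(-7)
    foreach ($f in Get-ChildItem -Path $env:SystemRoot -File -ErrorAction SilentlyContinue |
             Where-Object { $_.CreationTime -gt $since }) {
        $findings += "Recent file in $env:SystemRoot (review): $($f.Name) created $($f.CreationTime)"
    }

    # 4. Scheduled-task .job files under C:\Windows\Tasks. Legitimate jobs can live here,
    #    so each one is reported for review rather than flagged as malicious outright.
    $tasksDir = Join-Path $env:SystemRoot 'Tasks'
    foreach ($job in Get-ChildItem -Path $tasksDir -Filter '*.job' -ErrorAction SilentlyContinue) {
        $findings += "Task file (review): $($job.FullName) modified $($job.LastWriteTime)"
    }

    # 5. Self-deleting cleanup batch file from the technical description
    #    (name as given on the page, including the double dot).
    $bat = Join-Path $env:TEMP 'jtp..bat'
    if (Test-Path $bat) { $findings += "Cleanup batch: $bat" }

    return $findings
}

$result = Test-RenosPHMIndicators
if ($result.Count -eq 0) { 'No Trojan.Renos.PHM indicators found.' } else { $result }
```

A hit on item 1 or 2 is a strong indicator; items 3 and 4 only narrow down what to inspect, since benign files and jobs live in those folders too.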