My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


(Trojan-Downloader.Win32.FraudLoad.xdjj, Win32/TrojanDownloader.FakeAlert.AYY, Trojan.FakeAV!gen24)


Unusual processes might appear such as: kgl.exe, kgj.exe, kgk.exe
Presence of the following files and registry entry modifications:

  • - three files with random name: %TEMP%\[3-random-letters].exe
  • - two job files in C:\Windows\Tasks folder ({8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job and {35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job)  which will execute downloaded trojans each time Windows is started
  • - c:\Windows\system32\sshnas21.dll
  • - HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Parameters\ServiceDll -> C:\WINDOWS\system32\sshnas21.dll
  • - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[10-random-letters-and-digits] -> %TEMP%\[3-random-letters].exe

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Andrea Takacs, virus researcher

Technical Description:

Trojan.Renos.PGZ is a trojan downloader which connects to certain websites in order to download and execute malicious files.

Modifies Internet Explorer settings (to lower security settings) by modifying the following registry entries:

  • - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet -> 0x00000001
  • - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect -> 0x00000001
  • - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass -> 0x00000001
  • - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName -> 0x00000001

It creates and executes the file: %TEMP%\[3-random-letters]..bat, which tries to delete the downloader until succeeds, after which deletes itself.
Downloads from:

  •     http://moviearts[removed].com
  •     http://first[removed]
  •     http://sportfi[removed]

three files to %TEMP%\[3-random-letters].exe (ex. kgl.exe, kgj.exe, kgk.exe) and executes them.

The downloaded files are detected by BitDefender as Trojan.Renos.PHH.
Some of them will download additional files from sites such as:

  •     http://straightdi[removed].com
  •     http://allsh[removed].com
  •     http://reseller[removed].com

One of the downloaded files is a keylogger which sends the list of keystrokes to http://cyber[removed].com

A symptom of infection is the presence of new scheduled tasks in C:\Windows\Tasks directory and
of a random key under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ registry key. These are added to ensure that the malware will run at system startup.