Trojan.Renos.PGZ
Unusual processes might appear, such as kgl.exe, kgj.exe, kgk.exe.
Presence of the following files and registry entry modifications:
Please let BitDefender disinfect your files.
Trojan.Renos.PGZ is a trojan downloader which connects to certain websites in order to download and execute malicious files.
It lowers Internet Explorer security settings by modifying the following registry entries:
It creates and executes the file %TEMP%\[3-random-letters]..bat, which repeatedly tries to delete the downloader until it succeeds and then deletes itself.
Downloads from:
three files to %TEMP%\[3-random-letters].exe (e.g. kgl.exe, kgj.exe, kgk.exe) and executes them.
The downloaded files are detected by BitDefender as Trojan.Renos.PHH.
Some of them will download additional files from sites such as:
One of the downloaded files is a keylogger which sends the list of keystrokes to http://cyber[removed].com.
A symptom of infection is the presence of new scheduled tasks in the C:\Windows\Tasks directory and of a random key under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ registry key. These are added to ensure that the malware will run at system startup.
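A triage check built from the file-name patterns and Run-key persistence described above, as an added example that is not BitDefender's code: it lists files in a given Temp directory named like [3-random-letters].exe or [3-random-letters]..bat and flags exported Run values that start such a file. The function names, the dictionary input format and the sample data are assumptions made for the example; three-letter names also occur on clean systems, so a match is a lead to inspect, not a verdict.

```python
import re
import tempfile
from pathlib import Path

# Name patterns from the description: [3-random-letters].exe and
# [3-random-letters]..bat (the write-up shows two dots; one or two accepted).
DROPPED_EXE = re.compile(r"^[a-z]{3}\.exe$", re.IGNORECASE)
CLEANUP_BAT = re.compile(r"^[a-z]{3}\.{1,2}bat$", re.IGNORECASE)
# A Run command that launches a three-letter .exe from a Temp directory.
RUN_TARGET = re.compile(r"(?:%temp%|\\temp)\\[a-z]{3}\.exe(?![\w.])", re.IGNORECASE)


def scan_temp(temp_dir):
    """Return sorted file names in temp_dir matching the dropped-file patterns."""
    hits = []
    for entry in Path(temp_dir).iterdir():
        if entry.is_file() and (DROPPED_EXE.match(entry.name)
                                or CLEANUP_BAT.match(entry.name)):
            hits.append(entry.name)
    return sorted(hits)


def suspicious_run_values(run_values):
    """run_values: {value_name: command_line} exported from the HKCU Run key
    (hypothetical input format). Returns the entries pointing into Temp."""
    return {name: cmd for name, cmd in run_values.items() if RUN_TARGET.search(cmd)}


def demo():
    # Constructed sample data, not taken from a real infected host.
    with tempfile.TemporaryDirectory() as d:
        for name in ("kgl.exe", "kgj.exe", "kgk.exe", "abc..bat",
                     "setup.exe", "notes.txt"):
            (Path(d) / name).write_bytes(b"")
        files = scan_temp(d)
    runs = suspicious_run_values({
        "qzxw": r"C:\Documents and Settings\user\Local Settings\Temp\kgl.exe",
        "Updater": r'"C:\Program Files\Vendor\updater.exe" /background',
    })
    return files, runs


if __name__ == "__main__":
    print(demo())
```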