[Malware Review] Trojan.Renos.PGZ, the all in-one-wonder

The piece of malware that brings all its friends to the party

Trojan.Renos.PGZ is a Trojan, a downloader and, at times, a rogue AV. This multi-tasking strategy seems to be a common approach for cyber-criminals today, since it brings in much more revenue than a targeted piece of malware The Trojan – a member of the Renos family – connects to certain websites in order to download and execute malicious files onto the compromised computer. And by malicious code I mean Trojans, adware, spyware, fake AVs, worms – you name any payload known to man – and it is already on the infected system.

But first thing’s first: Trojan.Renos.PGZ spreads its roots into the victim’s computer by creating “unusual” processes such as kgl.exe, kgj.exe, kgk.exe that might appear in the Task Manager. Plus, further file and registry modifications occur, as detailed below.

  • three files randomly created in %TEMP% and named as[3-random-letters].exe;
  • two job files in C:WindowsTasks folder ({8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job and {35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job) which will execute downloaded Trojans after each Windows start-up;
  • The addition of the following files to the Windows Registry that will make sure that the malware will start “working” along with every system start up: c:Windowssystem32sshnas21.dll, HKLMSYSTEMControlSet001ServicesSSHNASParametersServiceDll-> C:WINDOWSsystem32sshnas21.dll, HKCUSoftwareMicrosoftWindowsCurrentVersionRun[10-random-letters-and-digits] -> %TEMP%[3-random-letters].exe.

The Internet Explorer® security settings are also tampered with, therefore simplifying the access of malicious code onto the compromised computer. So, the following registry values are modified in order to bypass the firewall:

  • HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapUNCAsIntranet -> 0x00000001
  • – HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapAutoDetect -> 0x00000001
  • HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapProxyBypass -> 0x00000001
  • HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapIntranetName -> 0x00000001

The domains this Trojan connects to in order to retrieve malicious code capitalize on keywords such as movies, arts, shopping and sports, so pay extra attention when pointing your browser to such destinations, and, most of all, make sure that you’re running an updated security suite.

This article is based on the findings of BitDefender virus researcher Andrea Takacs.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.