
[Malware Review] Trojan.Renos.PGZ, the all in-one-wonder

Loredana BOTEZATU

June 18, 2010


Trojan.Renos.PGZ is a Trojan, a downloader and, at times, a rogue AV. This multi-tasking strategy seems to be a common approach for cyber-criminals today, since it brings in much more revenue than a single-purpose piece of malware. The Trojan – a member of the Renos family – connects to certain websites in order to download and execute malicious files on the compromised computer. By malicious code I mean Trojans, adware, spyware, fake AVs, worms: whatever payload the operators choose to push ends up on the infected system.

But first things first: Trojan.Renos.PGZ takes root on the victim’s computer by creating “unusual” processes such as kgl.exe, kgj.exe or kgk.exe, which may show up in Task Manager. Further file and registry modifications follow, as detailed below.

  • three files randomly created in %TEMP% and named [3-random-letters].exe;
  • two job files in the C:\Windows\Tasks folder ({8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job and {35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job), which run the downloaded Trojans after each Windows start-up;
  • a DLL dropped to disk and two registry entries that make sure the malware starts “working” along with every system start-up: the file C:\Windows\system32\sshnas21.dll; the value HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Parameters\ServiceDll -> C:\WINDOWS\system32\sshnas21.dll, which registers that DLL as the service DLL of a service named SSHNAS; and the value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[10-random-letters-and-digits] -> %TEMP%\[3-random-letters].exe.

The Internet Explorer® security settings are also tampered with, which makes it easier for further malicious content to reach the compromised computer. The following registry values control which hosts Internet Explorer places in the Local Intranet zone, where weaker security settings apply than in the Internet zone; the Trojan sets all of them so that more content is treated as trusted intranet traffic:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet -> 0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect -> 0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass -> 0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName -> 0x00000001
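
The persistence artifacts and the ZoneMap changes listed above can be checked offline from a `reg export` of the relevant keys plus a directory listing of the Tasks folder. The script below is an added example written for this review; it is not BitDefender’s tooling and not code from the Trojan. It parses the .reg text format (including REG_EXPAND_SZ values, which `reg export` writes as wrapped UTF-16LE hex) and reports every indicator from the two lists. The registry dump and the Tasks listing embedded in it are constructed sample data, not a real capture; the value name `q7r2ks9x1m` and the `kgl.exe` path are made up to fit the patterns the write-up describes.

```python
"""Offline check for the Trojan.Renos.PGZ indicators listed in this review.

Added example, not BitDefender's tooling: parses `reg export` output (the
Windows .reg text format) and a listing of %SystemRoot%\\Tasks, then reports
the persistence and ZoneMap indicators from the write-up. All sample data
below is constructed for the example and is not a real capture.
"""
import re
from typing import Dict, List, Optional, Union

RegValue = Union[str, int, bytes]
RegTree = Dict[str, Dict[str, RegValue]]

# Indicator patterns taken from the write-up.
RUN_NAME_RE = re.compile(r"^[A-Za-z0-9]{10}$")                          # [10-random-letters-and-digits]
TEMP_EXE_RE = re.compile(r"(%TEMP%|\\Temp)\\[A-Za-z]{3}\.exe$", re.I)  # %TEMP%\[3-random-letters].exe
JOB_FILES = {                                                            # compared case-insensitively
    "{8c3fdd81-7ae0-4605-a46a-2488b179f2a3}.job",
    "{35dc3473-a719-4d14-b7c1-fd326ca84a0c}.job",
}
ZONEMAP_VALUES = ("UNCAsIntranet", "AutoDetect", "ProxyBypass", "IntranetName")


def _unescape(s: str) -> str:
    """Undo .reg escaping: a backslash before a backslash or a quote is dropped."""
    return re.sub(r'\\(["\\])', r"\1", s)


def _decode_data(raw: str) -> RegValue:
    """Decode one .reg value payload into str, int or bytes."""
    if raw.startswith('"'):                               # REG_SZ: "..." with escapes
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):                          # REG_DWORD: dword:XXXXXXXX
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:                                                 # hex(n): comma-separated bytes of type n
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("2", "7"):                      # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg_export(text: str) -> RegTree:
    """Parse `reg export` text into {key_path: {value_name: data}}.

    Long hex payloads are wrapped over several lines with a trailing
    backslash; those continuation lines are joined before decoding.
    """
    tree: RegTree = {}
    key: Optional[str] = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        while line.endswith("\\") and i + 1 < len(lines):  # join wrapped hex lines
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if key is not None and m:
            name = _unescape(m.group(1) or "")             # "@" is the key's default value
            tree[key][name] = _decode_data(m.group(2))
    return tree


def triage(reg: RegTree, tasks_listing: List[str]) -> List[str]:
    """Return one finding per matched indicator (empty list on a clean host)."""
    findings: List[str] = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith(r"\software\microsoft\windows\currentversion\run"):
            for name, data in values.items():
                if isinstance(data, str) and RUN_NAME_RE.match(name) and TEMP_EXE_RE.search(data):
                    findings.append(f"Run value {name} -> {data}")
        elif k.endswith(r"\services\sshnas\parameters"):
            dll = values.get("ServiceDll")
            if isinstance(dll, str) and "sshnas" in dll.lower():
                findings.append(f"SSHNAS service ServiceDll -> {dll}")
        elif k.endswith(r"\internet settings\zonemap"):
            widened = [v for v in ZONEMAP_VALUES if values.get(v) == 1]
            if widened:
                findings.append("ZoneMap widened: " + ", ".join(widened))
    for fname in tasks_listing:
        if fname.lower() in JOB_FILES:
            findings.append(f"Renos job file {fname}")
    return findings


# Constructed sample: what `reg export` of the relevant keys could look like on an
# infected XP-era host. The Run value name and the Temp path are invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"q7r2ks9x1m"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\kgl.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSHNAS\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,\
  73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,73,00,68,00,6e,00,61,00,\
  73,00,32,00,31,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet"=dword:00000001
"AutoDetect"=dword:00000001
"ProxyBypass"=dword:00000001
"IntranetName"=dword:00000001
'''
# Constructed listing of C:\Windows\Tasks (SA.DAT and desktop.ini are normal there).
SAMPLE_TASKS = ["SA.DAT", "desktop.ini",
                "{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job",
                "{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job"]

if __name__ == "__main__":
    for finding in triage(parse_reg_export(SAMPLE_REG), SAMPLE_TASKS):
        print(finding)
```

On a real host the input would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion hkcu.reg`, the equivalent export of HKLM\SYSTEM\ControlSet001\Services\SSHNAS, and `dir C:\Windows\Tasks`; since ZoneMap values of 1 can also be set legitimately by an administrator, the ZoneMap finding is corroborating evidence rather than proof of infection on its own, while the SSHNAS service and the two job-file names are specific to this family.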

The domains this Trojan connects to in order to retrieve malicious code capitalize on keywords such as movies, arts, shopping and sports, so pay extra attention when pointing your browser to such destinations, and, most of all, make sure that you’re running an updated security suite.

This article is based on the findings of BitDefender virus researcher Andrea Takacs.
