Virus: ADSPY/Hoax.Renos.AG
Date discovered: 17/02/2006
Type: Trojan
Subtype: Adware
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 29.696 Bytes
MD5 checksum: a5a84ed083f9cb0A46369c044eecab73
VDF version: 6.33.01.03

General

Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Downloader-AFH
   •  Kaspersky: not-virus:Hoax.Win32.Renos.bm
   •  Sophos: Troj/Spywad-AE
   •  Bitdefender: Trojan.FakeAlert.SpySheriff.A


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Drops files
   • Registry modification


Right after execution the following information is displayed:


Files

It copies itself to the following location:
   • C:\winstall.exe



The following files are created:

– Non malicious files:
   • C:\Program Files\SpySheriff\base.avd
   • C:\Program Files\SpySheriff\base001.avd
   • C:\Program Files\SpySheriff\base002.avd
   • C:\Program Files\SpySheriff\found.wav
   • C:\Program Files\SpySheriff\heur000.dll
   • C:\Program Files\SpySheriff\heur001.dll
   • C:\Program Files\SpySheriff\heur002.dll
   • C:\Program Files\SpySheriff\heur003.dll
   • C:\Program Files\SpySheriff\notfound.wav
   • C:\Program Files\SpySheriff\removed.wav
   • C:\Program Files\SpySheriff\SpySheriff.dvm
   • C:\Program Files\SpySheriff\SpySheriff.exe
   • C:\Program Files\SpySheriff\Uninstall.exe




It tries to download a file:

– The location is the following:
   • otherhost.com/**********
It is saved on the local hard drive under: %APPDATA%\Install.dat

Registry

The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Windows installer"="C:\winstall.exe"
   • "pro" = "%malware execution directory%\%executed file%"



The value of the following registry key is removed:

–  [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • pro



The following registry key including all values and subkeys is removed:
   • [HKCU\SOFTWARE\Install]



The following registry key is added:

– [HKCU\SOFTWARE\Install]
   • "Version" = dword:00000000

File details

Programming language:
The malware program was written in MS Visual C++.

Description inserted by Daniel Constantin on Wednesday, March 1, 2006
Description updated by Daniel Constantin on Wednesday, March 1, 2006
