Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/Dldr.Renos.PG.91
Date discovered:02/05/2011
Type:Trojan
Subtype:Downloader
In the wild:No
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:170.496 Bytes
MD5 checksum:019d0480f15b53565559ae265642fc13
VDF version:7.11.07.107 - Monday, May 2, 2011
IVDF version:7.11.07.107 - Monday, May 2, 2011

 General Aliases:
   •  Kaspersky: Trojan-Downloader.Win32.CodecPack.asrt
   •  F-Secure: Trojan-Downloader.Win32.CodecPack.asrt
   •  Bitdefender: Trojan.Generic.5882326
   •  Eset: Win32/Kryptik.NKT
   •  GData: Trojan.Generic.5882326
   •  DrWeb: Trojan.DownLoader2.51506


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Registry modification

 Files The following file is created:

%WINDIR%\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job



It tries to execute the following file:

– Filename:
   • ctfmon.exe

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "R8388QA8U8"="%executed file%"



The value of the following registry key is removed:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • internat.exe



The following registry key is added:

– [HKCU\Software\R8388QA8U8]
   • "Vqo0"=dword:0x00000001
   • "VqoB"=dword:0x0a7404e0
   • "VqoH"=dword:0x01cc113b
   • "VtaH"="%character string%"
   • "VtaS"="%character string%"



The following registry keys are changed:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   New value:
   • "ctfmon.exe"="%SYSDIR%\ctfmon.exe"

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   New value:
   • "Disable Script Debugger"="yes"

 Injection – It injects a backdoor routine into a process.

    Process name:
   • ctfmon.exe


 Miscellaneous Accesses internet resources:
   • http://spanishser.com/**********
   • http://francisawe.com/**********
   • http://74.63.249.180/**********
   • http://184.82.169.252/**********

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, May 12, 2011
Description updated by Petre Galan on Thursday, May 12, 2011

Back . . . .