This month we are releasing another instalment of our Malicious Software Removal Tool (MSRT), which now includes Win32/Renocide detection and cleaning capabilities.

Win32/Renocide is a family of worms that spread via local, removable, and network drives and also by means of file sharing applications.

On the local network, it scans the address range covered by the 255.255.0.0 subnet mask looking for writeable shares to which it can copy itself together with an autorun.inf file. It also uses NetBIOS to enumerate machines on the local network on which it can plant copies of itself.

To infect computers beyond the local network, it plants copies of itself in the shared folders of popular file sharing applications. This step relies on social engineering to maximize the chance of infection: the copies are given enticing names, and to make sure the names are always topical the worm uses the following process:

  1. Access some popular torrent sites and download the top 100 titles of popular games and/or applications.
  2. Randomly pick 50 titles.
  3. Append to the titles one of the following suffixes:
    • .Crack
    • .Activator
    • .Keygen
    • .Validator
    • -Razor1911
    • -RELOADED
    • -KeyMaker
  4. Create a Readme.txt file that contains this generated name.
  5. Use WinRAR or 7zip to create an archive containing a copy of itself, renamed to the generated name, together with the Readme.txt file above.
  6. Place the archive in the shared folder of the file sharing application, again using the generated name.

It is worth mentioning that if the host does not have WinRAR installed, the worm tries to download a copy of the 7zip archiver from its own servers.
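The share-spreading and file-sharing behaviour described above leaves two artefacts a defender can look for on a share: an autorun.inf that launches an executable dropped next to it, and archives carrying a release-group style name built from one of the suffixes listed. The scanner below is an added example written for this article, not code from the original post or from the worm. It assumes the packed copy inside the archive is named <generated name>.exe (the post only says the copy carries the generated name), uses a zip archive in place of RAR/7z so that it runs offline with the standard library, and builds its sample share in a temporary directory from constructed contents.

```python
"""Added example, not code from the original MMPC post or from the worm:
a share scanner that flags (1) an autorun.inf launching an executable
dropped alongside it and (2) archives named with the lure pattern
<title><suffix><archive ext>. Sample share contents are constructed."""
import os
import re
import tempfile
import zipfile

LURE_SUFFIXES = (".Crack", ".Activator", ".Keygen", ".Validator",
                 "-Razor1911", "-RELOADED", "-KeyMaker")
ARCHIVE_EXTS = (".rar", ".7z", ".zip")
_LURE_RE = re.compile(
    r"^(?P<title>.+?)(?P<suffix>%s)(?P<ext>%s)$"
    % ("|".join(map(re.escape, LURE_SUFFIXES)),
       "|".join(map(re.escape, ARCHIVE_EXTS))),
    re.IGNORECASE)
# autorun.inf keys that make Explorer run a program on insertion / open
AUTORUN_LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

def lure_name_parts(filename):
    """Return (title, suffix, ext) when the name follows the lure pattern, else None."""
    m = _LURE_RE.match(filename)
    return (m.group("title"), m.group("suffix"), m.group("ext")) if m else None

def _program_from_command(value):
    """Strip arguments from an autorun command value, honouring a quoted path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""

def autorun_targets(text):
    """List the programs an autorun.inf would launch ([autorun] section only)."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        key, sep, value = line.partition("=")
        if in_autorun and sep and key.strip().lower() in AUTORUN_LAUNCH_KEYS:
            program = _program_from_command(value)
            if program:
                targets.append(program)
    return targets

def archive_matches_layout(path, stem):
    """True if a zip archive holds <stem>.exe plus Readme.txt, False if not,
    None for RAR/7z (listing those needs an external tool such as `7z l`)."""
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as zf:
        members = {os.path.basename(m).lower() for m in zf.namelist()}
    return (stem.lower() + ".exe") in members and "readme.txt" in members

def scan_share(root):
    """Walk a share and return (path, reason) findings for both artefacts."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        present = {n.lower(): n for n in filenames}
        if "autorun.inf" in present:
            inf_path = os.path.join(dirpath, present["autorun.inf"])
            with open(inf_path, encoding="utf-8", errors="replace") as fh:
                for target in autorun_targets(fh.read()):
                    exe = os.path.basename(target.replace("\\", "/")).lower()
                    where = "dropped alongside" if exe in present else "not in this folder"
                    findings.append((inf_path, f"autorun launches {target} ({where})"))
        for name in filenames:
            parts = lure_name_parts(name)
            if not parts:
                continue
            title, suffix, _ = parts
            path = os.path.join(dirpath, name)
            reason = f"lure-style archive name: {title!r} + {suffix!r}"
            if archive_matches_layout(path, title + suffix):
                reason += " with <name>.exe and Readme.txt inside"
            findings.append((path, reason))
    return findings

def build_demo_share():
    """Lay out a temporary folder like an infected share (constructed sample)."""
    root = tempfile.mkdtemp(prefix="share_")
    stem = "SomeGame.Keygen"  # assumed generated lure name
    with zipfile.ZipFile(os.path.join(root, stem + ".zip"), "w") as zf:
        zf.writestr(stem + ".exe", b"MZ placeholder, not a real binary")
        zf.writestr("Readme.txt", stem + "\n")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=update.exe\nicon=update.exe\n")
    with open(os.path.join(root, "update.exe"), "wb") as fh:
        fh.write(b"MZ placeholder")
    with open(os.path.join(root, "holiday_photos.zip"), "wb") as fh:
        fh.write(b"PK")  # benign name: must not be flagged
    return root

if __name__ == "__main__":
    for path, reason in scan_share(build_demo_share()):
        print(f"{path}: {reason}")
```

Running the module builds the sample share and prints two findings, one for the autorun.inf and one for the lure-named archive, while the benignly named zip is ignored. On a real share you would point scan_share at the mounted path; RAR and 7z archives come back as None from archive_matches_layout, so their listings would have to be taken from an external lister such as 7-Zip's `7z l` before applying the same member check.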

This is an example of what an infected shared folder would look like after this process:

Win32/Renocide also has IRC-based backdoor functionality, which may allow a remote attacker to execute commands on the affected computer. The bot recognizes over 50 commands; the complete list is available in the Win32/Renocide family description. The commands give the attacker fine-grained control over the botnet. The bot can even erase its traces by deleting all evidence of itself (the "cometerharakiri" command) or gain new features from uploaded, encrypted AutoIt scripts that are compiled and run on the host machine (the "plugin" command). Command names such as "cometerharakiri" (Spanish for "commit hara-kiri") also suggest that the writer of this bot is a Spanish speaker!

Besides the IRC module described above, Win32/Renocide can execute commands stored in text files downloaded from the internet. The URLs of these files are hardcoded into every variant of the worm. The files are batches of commands for the bot to execute, serving as a failsafe in case the IRC connection fails. They are the same commands the bot can receive over IRC, but rebranded with different keywords! Once a file is downloaded, the actions are executed without any intervention from the attacker.

Unlike the IRC commands, the command keywords are not meaningful words; instead the bot uses random-looking keywords, for example "M8Y77V69S8488S689O99Q" to download a file from a given URL. The arguments to the commands are also encrypted. Such a command file looks like this:

You can find out more about Win32/Renocide from our malware encyclopedia.

We have monitored the files that the Win32/Renocide worm downloads and found that, in the wild, variants of TrojanDownloader:Win32/Renos are being downloaded and installed on infected computers.

We urge you to give MSRT a try if you suspect that you are infected by this worm.

Marian Radu
MMPC Dublin