Adware/Renos

Analysis



The details for the Renos installer are:

File Name: tool2.exe
File Size: 26,624 bytes


The details for the Renos executables are:

File Name: winstall.exe
File Size: 26,624 bytes
Note: This file is a copy of the original installer.

File Name: SpySheriff.exe
File Size: 468,480 bytes


Description of Adware

The purpose of Renos appears to be the installation of the SpySheriff software, and the serving of pop-up ads during browsing. The SpySheriff software installs without any sort of EULA or user interaction. SpySheriff will continue to be installed by the Renos installer. The SpySheriff uninstall program is not functional, and only serves to ensure that the SpySheriff registry entries are current.


System alterations upon installation

  • Upon executing the installer, Renos will immediately notify a remote host of its installation. It is important to note that all activities after executing the installer are done silently.

  • The program will then retrieve an archive file containing the SpySheriff software.

  • The SpySheriff software is installed into the "Program Files" directory.

  • The installer changes the desktop background to a large error message. (See "Visible Symptoms" above)

  • The installer copies itself to the file c:\winstall.exe. It also adds appropriate registry entries to ensure both the installer, as well as the SpySheriff program are executed automatically upon boot.

  • Several files are added to the system following the install of SpySheriff. These include:
    c:\winstall.exe
    [program files]\SpySheriff
    [program files]\SpySheriff\base.avd
    [program files]\SpySheriff\base001.avd
    [program files]\SpySheriff\found.wav
    [program files]\SpySheriff\heur000.dll
    [program files]\SpySheriff\heur001.dll
    [program files]\SpySheriff\heur002.dll
    [program files]\SpySheriff\heur003.dll
    [program files]\SpySheriff\IESecurity.dll
    [program files]\SpySheriff\notfound.wav
    [program files]\SpySheriff\ProcMon.dll
    [program files]\SpySheriff\removed.wav
    [program files]\SpySheriff\SpySheriff.dvm
    [program files]\SpySheriff\SpySheriff.exe
    [program files]\SpySheriff\Uninstall.exe
    [windows directory]\desktop.html

  • Several registry keys are added, including:
    HKEY_CURRENT_USER\Software\Install
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Explorer
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\11
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General

  • Several registry values are also added, including:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows installer" - c:\winstall.exe
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "ForceActiveDesktopOn" - 1
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoActiveDesktop" - 0
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "ClassicShell" - 0
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General "WallpaperLocalFileTime" - 86, 77, 14, F5, 86, B4, C5, 01
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "Wallpaper" - [windows directory]\desktop.html

  • It is important to note that the original installer will stay resident in memory as "tool2.exe".

  • Curiously, SpySheriff does not create Start Menu entries. It does, however, have an executable named "uninstall.exe" in its own directory within "Program Files". Executing this uninstaller results in SpySheriff's registry entries being "refreshed", not removed. This is particularly troublesome, as there does not seem to be an easy way to remove SpySheriff.


Adware Behavior

  • Renos will waste memory, CPU cycles, and network bandwidth by its frequent downloading of the SpySheriff software.

  • Renos will produce unsolicited pop-up advertisements during browsing.

  • Analysis of the SpySheriff executable's code suggests that SpySheriff may also install a Browser Helper Object (BHO).

Recommended Action

Remove the registry entries referenced above, and remove both the winstall.exe file and the SpySheriff directory.
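As an added example (not part of the original analysis or of any vendor tooling), the following Python script reads a `reg export` dump and a file inventory and flags the Renos/SpySheriff indicators listed in the system-alterations section, so a responder can confirm the infection before carrying out the recommended removal and verify afterwards that the Run value, the Active Desktop policy values, c:\winstall.exe and the SpySheriff directory are gone. The .reg text and file list embedded below are constructed samples; the parser handles only the string and dword value types those indicators use.

```python
"""Triage helper for the Adware/Renos indicators described in the write-up.

Added example, not code from the original analysis. The .reg text and the
file listing below are constructed samples that imitate an infected host.
"""
import re
from typing import Dict, List, Tuple

# Registry indicators from the write-up: (key, value name, expected data fragment)
RENOS_REG_INDICATORS: List[Tuple[str, str, str]] = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Windows installer", r"c:\winstall.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "ForceActiveDesktopOn", "1"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "Wallpaper", "desktop.html"),
]

# File indicators from the write-up (matched as path suffixes, case-insensitive)
RENOS_FILE_INDICATORS: List[str] = [
    r"\winstall.exe",
    r"\SpySheriff\SpySheriff.exe",
    r"\SpySheriff\IESecurity.dll",
    r"\SpySheriff\ProcMon.dll",
    r"\SpySheriff\Uninstall.exe",
]

_DWORD = re.compile(r"^dword:([0-9a-fA-F]{8})$")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of the .reg format needed here: [key] headers,
    "name"="string" values (with \\ and \" unescaped) and "name"=dword:... values.
    Returns {key: {value_name: data_as_string}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            m = _DWORD.match(data)
            if m:
                data = str(int(m.group(1), 16))  # dword:00000001 -> "1"
        keys[current][name] = data
    return keys


def find_renos_registry_hits(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, observed data) for every indicator value present."""
    hits = []
    for key, name, expected in RENOS_REG_INDICATORS:
        observed = keys.get(key, {}).get(name)
        if observed is not None and expected.lower() in observed.lower():
            hits.append((key, name, observed))
    return hits


def find_renos_file_hits(paths: List[str]) -> List[str]:
    """Return every path whose suffix matches one of the file indicators."""
    return [p for p in paths
            if any(p.lower().endswith(ind.lower()) for ind in RENOS_FILE_INDICATORS)]


def assess(reg_text: str, paths: List[str]) -> dict:
    """Combine both indicator sets into one verdict for a host."""
    reg_hits = find_renos_registry_hits(parse_reg_export(reg_text))
    file_hits = find_renos_file_hits(paths)
    return {"registry": reg_hits, "files": file_hits,
            "indicators_present": bool(reg_hits or file_hits)}


# Constructed sample: what `reg export` of the affected HKCU keys might look like
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows installer"="c:\\winstall.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=dword:00000001
"NoActiveDesktop"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"="C:\\WINDOWS\\desktop.html"
'''

# Constructed sample file inventory (e.g. from a `dir /s /b` listing)
SAMPLE_FILE_LISTING = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\winstall.exe",
    r"C:\Program Files\SpySheriff\SpySheriff.exe",
    r"C:\Program Files\SpySheriff\IESecurity.dll",
    r"C:\Program Files\SpySheriff\Uninstall.exe",
]

if __name__ == "__main__":
    verdict = assess(SAMPLE_REG_EXPORT, SAMPLE_FILE_LISTING)
    for key, name, data in verdict["registry"]:
        print(f"registry: {key} [{name}] = {data}")
    for path in verdict["files"]:
        print(f"file:     {path}")
    print("Renos indicators present:", verdict["indicators_present"])
```

On a real host, export the relevant hives with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion renos.reg` and read the file with `encoding="utf-16"` (reg.exe writes UTF-16LE) before passing the text to `assess`; run the same check again after the cleanup so an empty result confirms that the autorun value and the SpySheriff files did not come back, which matters because the write-up notes the resident tool2.exe process re-downloads SpySheriff.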

Telemetry