Lumension® Endpoint Intelligence Center


Overview

Threat Risk NONE NONE
Destructivity NONE NONE
Payload Displays a pop-up with a fake warning and attempts to download additional malicious files.
Detection files published
Description created 15 Feb 2006 03:05:00
Description updated 15 Feb 2006 03:05:00
Malware type TROJAN
Alias FakeAlert.AA (AntiVir - HB+EDV), Spywarestrike.dldr (ScanPM - NAI), Troj/FakeVir-D (Sweep - Sophos)
Spreading mechanism OTHER
Summary None

W32/Renos.DD

Spreading

When the file is run, it copies itself to
%Windir%\%System%\dxmpp.dll
It then attempts to download the SpyFalcon installer (alias SpyAxe, SpywareStrike, PSGuard), a rogue anti-spyware product, from the SpyFalcon site.
This is usually accompanied by Zlob.gen (trojan downloader) and Nsag.B (file-infector virus).

Payload Details

File size: 102400 bytes
The file dxmpp.dll displays a pop-up saying:
Your computer is infected!
Possible harmful infection was detected on your pc.The system will now download and install the most efficient spyware removal program to prevent private data loss and your identity theft.
Click here to protect your PC from the biggest spyware threats.
The icon area in the lower-right corner of the screen displays a shifting icon which resembles the Windows Update icon. When right- or left-clicked, it opens an Internet Explorer browser window and attempts to download SpyFalcon. SpyFalcon is a rogue anti-spyware product which displays a fake scanner on your screen and shows an MPEG movie of a scan; it does not perform a real scan of the files on your computer. After the fake scan you are asked to pay for the product in order for it to clean your computer.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:10