We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Win32/Renocide
Published Feb 28, 2011
|
Updated Aug 22, 2017
Win32/Renocide
Detected by Microsoft Defender Antivirus
Aliases: No associated aliases
Summary
Win32/Renocide is a family of worms that spread via local, removable, and network drives and also using file sharing applications. They have IRC-based backdoor functionality, which may allow a remote attacker to execute commands on the affected computer.
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:
- Microsoft Security Essentials
- Microsoft Safety Scanner
- Microsoft Windows Malicious Software Removal Tool
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
- Ensure that an antivirus product is installed on ALL computers connected to the network that can access or host shares.
- Ensure that all available network shares are scanned with an up-to-date antivirus product.
- Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/library/bb456977.aspx.
- Remove any unnecessary network shares or mapped drives.
Note: Additionally it may be necessary to temporarily change the permission on network shares to read-only until the disinfection process is complete.
Removing a program exception
This threat may add a malware program to the Windows Firewall exception list. To remove the program exception, follow these steps:
For Windows 7:
1) Click Start, select Control Panel, then System and Security.
2) Select Windows Firewall.
3) On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4) Click Change Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
5) Select "ipsec" from the list of allowed programs and features. Click Remove.
6) Click OK.
2) Select Windows Firewall.
3) On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4) Click Change Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
5) Select "ipsec" from the list of allowed programs and features. Click Remove.
6) Click OK.
For Windows Vista:
1) Click Start, select Control Panel, then Security Center.
2) On the left-hand menu, select Windows Firewall.
3) On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4) Select "ipsec" from the list of allowed programs and features. Click Delete.
5) Click OK.
2) On the left-hand menu, select Windows Firewall.
3) On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4) Select "ipsec" from the list of allowed programs and features. Click Delete.
5) Click OK.
For Windows XP:
1) Use an administrator account to log on.
2) Click Start, select Run, type wscui.cpl, and then click OK.
3) In Windows Security Center, click Windows Firewall.
4) On the Exceptions tab, click "ipsec" and then click Delete.
5) Click OK.
2) Click Start, select Run, type wscui.cpl, and then click OK.
3) In Windows Security Center, click Windows Firewall.
4) On the Exceptions tab, click "ipsec" and then click Delete.
5) Click OK.
Disable Autorun functionality
This threat attempts to spread via removable drives on computers that support Autorun functionality. This is a particularly common method of spreading for many current malware families. For information on disabling Autorun functionality, please see the following article:
Threat behavior
Win32/Renocide is a family of worms that spread via local, removable, and network drives and also using file sharing applications. They have IRC-based backdoor functionality, which may allow a remote attacker to execute commands on the affected computer.
Installation
When run, Worm:Win32/Renocide creates a copy of itself using various file names. Some of the file names it has been known to use are:
- <system folder>\alokium.exe
- <system folder>\cftm.exe
- <system folder>\cftmem.exe
- <system folder>\csrcs.exe
- <system folder>\ctfn.exe
- <system folder>\ctfnom.exe
- <system folder>\ctfnon.exe
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
It executes its copy and deletes itself using a batch file that it drops. The batch file may have one of the following file names:
- %Temp%\s.bat
- %Temp%\suicide.bat
Worm:Win32/Renocide also creates the following files:
- <system folder>\autorun.inf
- <system folder>\autorun.in
- <system folder>\autorun.i
- <system folder>\<marker file>, which has varying file names, such as "kh<random letter>" or "ctf"; this file serves as an infection marker
It also creates the following registry entries so that it automatically runs every time Windows starts:
In subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Sets value: "csrcs"
With data: "<system folder>\csrcs.exe"
or
Sets value: "ctfmam"
With data: "<system folder>\cftmem.exe"
or
Sets value: "ctfnom"
With data: "<system folder>\ctfnom.exe"
or
Sets value: "ctfn"
With data: "<system folder>\ctfn.exe"
or
Sets value: "ctfm"
With data: "<system folder>\ctfm.exe"
or
Sets value: "ctfmom"
With data: "<system folder>\ctfnom.exe"
It also modifies the configuration data for the Winlogon service so that it automatically runs when "explorer.exe" runs:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe <malware name>"
It also stores its configuration data in the registry:
In subkey: HKLM\Software\Microsoft\DRM\amty
Sets value: "a"
With data: "1" or "0" depending on whether it is able to spread via USB (see the IRC command "UsbSpread")
Sets value: "b"
With data: "1" or "0" depending on the state of the netbios scanner (see the IRC command "netbios")
Sets value: "bn"
With data: "<time>", where <time> is the netbios scanning time, written in encrypted form (see the IRC command "netbios")
Sets value: "dreg"
With data: "<year>", where <year> is the year of infection, written in encrypted form
Sets value: "eggol"
With data: "1" or "0" depending on the state of the logger (see the IRC command "logger")
Sets value: "exp1"
Sets value: "fix"
With data: "<label>", where <label> is the label of the fixed drive from where the malware is running from
Sets value: "fix1"
With data: "1" if the malware is running on a fixed drive
Sets value: "ilop"
Sets value: "input"
With data: "<data>", where <data> is input data needed by a component of the malware (see the IRC command "plugin")
Sets value: "input2"
Sets value: "kin"
With data: "<IP address>", where <IP address> is the external IP of the host, written in encrypted format
Sets value: "kiu"
With data: "<country>", where <country> is the country of the host, written in encrypted format
Sets value: "output"
With data: "<data>", where <data> is generated by a component of the malware (see the IRC command "plugin")
Sets value: "regexp"
Sets value: "rem"
With data: "<label>", where <label> is the label of the removable drive from where the malware is running from
Sets value: "rem1"
With data: "1", if the malware is running on a removable drive
Sets value: "su"
With data: "<time>", where <time> is the USB infection time, written in encrypted format (see the IRC command "UsbSpread")
It may write other registry entries with various values. Depending on the variant of Win32/Renocide, the registry keys described above may vary in meaning and intended purpose.
Spreads via...
Local, removable, and network drives
Win32/Renocide infects local, removable, and network drives by placing the following files in the root of these drives:
- autorun.inf - designed to automatically run the malware copies when the drive is accessed and Autorun is enabled
- csrcs.exe - copy of itself
- alokium.exe - copy of itself
- <random name>.exe - copy of itself
- <marker file> - file used to indicate infection of the drive; the file has varying names and no extension, for example, "ecdf4"
It looks for network shares by scanning all IPs in the local subnet 255.255.255.0 or 255.255.0.0, depending on the variant and attacker commands.
File-sharing applications
Win32/Renocide checks if the following file-sharing programs are installed in the computer:
- Ares
- DC++
- Emule
- FrostWire
- Kazaa
- LimeWire
- Shareaza
It also checks if the archiving program WinRAR is installed in the computer. If not, it downloads a copy of the 7Zip archiving program, which it usually saves as the following:
- <system folder>\RegShellSM.exe
Win32/Renocide then creates archived copies of itself, which it places in the shared folders of the above file-sharing applications. The file names of the archives are created by getting the names of the top 100 downloaded game or program torrents from the following websites:
- thepiratebay.com
- isohunt.com
One of the following suffixes is then added to 50 random titles:
- .Crack
- .Activator
- .Keygen
- .Validator
- -Razor1911
- -RELOADED
- -KeyMaker
The file-sharing application's shared folder may look similar to the following:
Payload
Modifies computer settings
Files detected as Worm:Win32/Renocide modify some computer settings, such as the following:
- Modify firewall settings to bypass Windows Firewall:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<system folder>\<malware name>"
With data: "<system folder>\<malware name>:*:enabled:ipsec"
- Some variants modify Security Center settings to disable antivirus notifications:
In subkey HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets Value: "AntiVirusOverride"
With data: "1"
- Some variants disable the LUA (Least Privileged User Account), also known as the "Administrator in Admin Approval Mode" user type:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"
Allows backdoor access and control
Win32/Renocide has IRC-based backdoor functionality, which may allow a remote attacker to execute commands on the affected computer. It may run the following commands:
4iplocales - get the IP address of up to four network adapters
Closewintitle - kill a process with a given Windows Title (exact match)
Cometerharakiri - remove itself
Configuration - get various information regarding the IRC connection, authentication, and infection stage
Country - get the geolocation of the computer (specifically the country)
Currentip - get the external IP of the computer
DisableIRC - terminate IRC connection, the reconnection flag is disabled
Dlplugin - download file
DlRegExec - download and execute file
Dos - execute a command using the command prompt
DriveInfo - list all of the computer's drives and their statuses
Fileattrib - get the attributes of a specific file
FileDelete - delete a specific file
Filelist - list the file from a given folder based on a specific filter
Filesize - get the size of a specific file
Filetime - get the Modifies/Created/Accessed timestamp of a specific file
Filevercion - get the version information of a given file
Getallwintitles - get the title of all windows
Getwintitles - get the title of all visible windows
Idletime - get the system's idle time
Ip - get the external IP address of the computer (similar with "Currentip", this is an alternate method)
IP? - get the external IP address of the computer
Ips - get all IP addresses of the computer, both external and internal
Join - join a specific IRC channel
Keepup - execute commands from hardcoded URLs
KillProcess - kills a specific process
Leave - leave the IRC channel
Logger - enable or disable logging of computer information
Msgsplit
Msnlifecontacts - list the files from %APPDATA%\Microsoft\Messenger based on a specific filter
Netbios - interact with the Netbios scanning plugin: enable or disable the scanner, start or stop a scan, get duration of scan
Netbioscopy - upload files to another network computer using Netbios
Nick - process IRC nick command
OsInfo - get the OS version, build, service pack, language information
Pcinfo - retrieve username and computername of the computer
Pclookup - command used by the attacker to look for another infected computer with a specific user name or computer name
Ping - emulate a ping command
Plugin - the attacker may upload an encrypted AutoIT script (using "Dlplugin") and use this command to compile, execute and send back its results
Process - check if a process is running
ProcessList - get a list of all running process names and their PIDs
Reconnect - terminate IRC connection; the reconnection flag remains enabled
Refreship - recompute the external IP address
Reg - add, delete, read, or edit specific registry keys
Regcleanharakiri - delete registry key with the malware configuration data (see the Installation section)
Regread - read from malware registry key config data; the registry value to be read is specified by the attacker
Regstartupspy - has 2 subcommands:
View - list all values stored in the following registry keys:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Runservices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Runservices
Delete - kill the security process "TeaTimer.exe", and delete an attacker-supplied registry value from the registry keys below :
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Runservices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Runservices
Setupirc - update the botnet connection details: sever IP address, server port, IRC channel, and so on
Shellexecute - execute a given file specified by the attacker
StringClosewintitle - kill all processes with window titles that match a specific pattern
Uptime - get system uptime
UsbSpread - interacts with the USB infection plugin: start or stop spreading via USB, get duration of drive infection
Userinfo - get user name and computer name of the computer (same as "Pcinfo")
Vercion - get malware version
Files detected as Worm:Win32/Renocide contain hardcoded URLs. Each of these URLs point to a plain text file with commands to be executed by the malware. These are the same commands that can be received through IRC but with different keywords.
Once the text file is downloaded, the commands are executed automatically.
The command keywords are not in human-readable form but instead use garbage-like keywords, for example, "M8Y77V69S8488S689O99Q" is the command to download a file from a given URL. The arguments to the commands are also encrypted.
Terminates process
Win32/Renocide terminates the security program "TeaTimer.exe".
Downloads other malware
In the wild, variants of Win32/Renocide have also been observed to download and execute variants of TrojanDownloader:Win32/Renos.
Generates clicks for certain websites
Some variants of Win32/Renocide have a trojan click-jacking functionality. That is, some variants may click on links to certain websites.
Analysis by Marian Radu
Prevention
Take the following steps to help prevent infection on your computer:
- Enable a firewall on your computer.
- Get the latest computer updates for all your installed software.
- Use up-to-date antivirus software.
- Limit user privileges on the computer.
- Use caution when opening attachments and accepting file transfers.
- Use caution when clicking on links to webpages.
- Avoid downloading pirated software.
- Protect yourself against social engineering attacks.
- Use strong passwords.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites.
You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software, such as Microsoft Security Essentials, that is updated with the latest signature files. For more information, see http://www.microsoft.com/windows/antivirus-partners/.
Limit user privileges on the computer
Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allowed users to run with least user privileges. This scenario limits the possibility of attacks by malware and other threats that require administrative privileges to run.
You can configure UAC in your computer to meet your preferences:
Use caution when opening attachments and accepting file transfers
Exercise caution with email and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
Use caution when clicking on links to webpages
Exercise caution with links to webpages that you receive from unknown sources, especially if the links are to a webpage that you are not familiar with, unsure of the destination of, or suspicious of. Malicious software may be installed in your computer simply by visiting a webpage with harmful content.
Avoid downloading pirated software
Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, see 'The risks of obtaining and using pirated software'.
Protect yourself from social engineering attacks
While attackers may attempt to exploit vulnerabilities in hardware or software to compromise a computer, they also attempt to exploit vulnerabilities in human behavior to do the same. When an attacker attempts to take advantage of human behavior to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted computer. For more information, see 'What is social engineering?'.
Use strong passwords
Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least eight characters, and combines letters, numbers, and symbols. For more information, see http://www.microsoft.com/protect/yourself/password/create.mspx.
System changes
The following system changes may indicate the presence of this malware:
- The presence of the following files:
<system folder>\alokium.exe - The presence of the following registry modifications:
In subkeys:
<system folder>\cftm.exe
<system folder>\cftmem.exe
<system folder>\csrcs.exe
<system folder>\ctfn.exe
<system folder>\ctfnom.exe
<system folder>\ctfnon.exe
%Temp%\s.bat
%Temp%\suicide.bat
<system folder>\RegShellSM.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Value: "csrcs"
Data: "<system folder>\csrcs.exe"
or
Value: "ctfmam"
Data: "<system folder>\cftmem.exe"
or
Value: "ctfnom"
Data: "<system folder>\ctfnom.exe"
or
Value: "ctfn"
Data: "<system folder>\ctfn.exe"
or
Value: "ctfm"
Data: "<system folder>\ctfm.exe"
or
Value: "ctfmom"
Data: "<system folder>\ctfnom.exe"
Subkey: HKLM\Software\Microsoft\DRM\amty
Follow us
