Renos, the new Zlob?

Cleaned up an infected computer yesterday - the usual scam anti-spyware stuff.

The Trojan responsible was Renos, which seems to work along the same lines as the familiar Zlob:

http://www.jahewi.nl/lists/fakecodecs/graveyard.html

ewido+Ad-Aware+Spybot Search & Destroy in safe mode cleaned up the infection nicely.

(ewido got Renos, and Spybot caught the scam anti-spyware .exe and registry entries - which proves it’s still a valuable tool, despite some recent claims to the contrary.)

Watch out for these Renos Trojans, because detection of new variants is quite poor:

http://sunbeltblog.blogspot.com/2007/04/protectwin-dot-com-hijacks-user.html

Complete scanning result of “setup.exe”, received in VirusTotal at 04.09.2007, 08:23:40 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.7.0 04.09.2007 no virus found
AntiVir 7.3.1.48 04.08.2007 DR/Delphi.Gen
Authentium 4.93.8 04.08.2007 no virus found
Avast 4.7.936.0 04.08.2007 no virus found
AVG 7.5.0.447 04.08.2007 no virus found
BitDefender 7.2 04.09.2007 no virus found
CAT-QuickHeal 9.00 04.06.2007 no virus found
ClamAV devel-20070312 04.09.2007 no virus found
DrWeb 4.33 04.08.2007 no virus found
eSafe 7.0.15.0 04.08.2007 no virus found
eTrust-Vet 30.7.3549 04.06.2007 no virus found
Ewido 4.0 04.08.2007 no virus found
FileAdvisor 1 04.09.2007 no virus found
Fortinet 2.85.0.0 04.09.2007 no virus found
F-Prot 4.3.1.45 04.08.2007 no virus found
F-Secure 6.70.13030.0 04.09.2007 no virus found
Ikarus T3.1.1.3 04.09.2007 no virus found
Kaspersky 4.0.2.24 04.09.2007 not-virus:Hoax.Win32.Renos.hm
McAfee 5003 04.06.2007 no virus found
Microsoft 1.2405 04.09.2007 no virus found
NOD32v2 2174 04.09.2007 no virus found
Norman 5.80.02 04.05.2007 no virus found
Panda 9.0.0.4 04.08.2007 no virus found
Prevx1 V2 04.09.2007 no virus found
Sophos 4.16.0 04.06.2007 Mal/Binder-C
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.09.2007 no virus found
TheHacker 6.1.6.088 04.09.2007 no virus found
VBA32 3.11.3 04.08.2007 no virus found
VirusBuster 4.3.7:9 04.08.2007 no virus found
Webwasher-Gateway 6.0.1 04.09.2007 Trojan.Delphi.Gen
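As an added example (not part of the thread and not a VirusTotal tool), here is a small Python parser for the text-only report format quoted above. It splits each engine line into name, version, update date and result, counts how many engines flagged the sample, and separately notes results that carry Kaspersky's "not-virus:" hoax prefix. The embedded report is a constructed, shortened copy of the quoted one.

```python
"""Parse a 2007-style VirusTotal text report and compute its detection ratio."""
import re
from typing import Dict, List, NamedTuple

# Constructed sample: five engine lines copied in the format quoted above
# (engine, version, update date, result). Not a full report.
SAMPLE_REPORT = """\
Antivirus Version Update Result
AhnLab-V3 2007.4.7.0 04.09.2007 no virus found
AntiVir 7.3.1.48 04.08.2007 DR/Delphi.Gen
Kaspersky 4.0.2.24 04.09.2007 not-virus:Hoax.Win32.Renos.hm
Sophos 4.16.0 04.06.2007 Mal/Binder-C
Symantec 10 04.09.2007 no virus found
"""

CLEAN_RESULT = "no virus found"
# engine and version contain no spaces; the result may, so it gets the remainder.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")


class EngineResult(NamedTuple):
    engine: str
    version: str
    updated: str
    result: str

    @property
    def detected(self) -> bool:
        return self.result != CLEAN_RESULT


def parse_report(text: str) -> List[EngineResult]:
    """Turn the report body into one EngineResult per engine line."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus "):  # skip blanks and header
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparsable report line: {line!r}")
        rows.append(EngineResult(*match.groups()))
    return rows


def detection_summary(rows: List[EngineResult]) -> Dict[str, object]:
    """Count detections; 'not-virus:' results are hoax/rogue classifications."""
    hits = [r for r in rows if r.detected]
    return {
        "engines": len(rows),
        "detections": len(hits),
        "ratio": len(hits) / len(rows) if rows else 0.0,
        "names": {r.engine: r.result for r in hits},
        "hoax_only": [r.engine for r in hits if r.result.startswith("not-virus:")],
    }
```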


I wonder if this scam anti-spyware would have been detected with the RogueRemover tool, available here http://www.malwarebytes.org/rogueremover.php, commonly used after a Zlob infection?

Yes, it would: SpyLocked was the culprit.

Version 118 (4/6/07)

[Added]
No applications were added.

[Updated]
Rogue.Infector, SpyLocked, SpywareLocked

http://www.malwarebytes.org/rogueremover_database_history.php

In this case Spybot won the race by two days though:

2007-04-04 Keylogger ++ A-Spy 2.11 ++ Palsol ++ CyberSpy ++ AYOSpy Malware ++ AllInOneKeylogger + SpyDawn ++ SpyLocked + Winsoftware.WinAntiVirusPro2006 + PestCapture + VirtuMonde Trojan + Zlob.VideoAccessActiveXObject ++ Zlob.MovieCommander + Zlob.SiteTicket + Zlob.HQCodec + Zlob.PornPassManager + Zlob.VideoKeyCodec + Zlob.VideoBox + AnotherBot + Daugeru + Win32.Bancos.zm ++ Banker.AHY ++ Win32.Small.cnd Total: 372150 fingerprints in 64388 rules for 2787 products.

http://www.spybot.info/en/index.html