logo of system protector
  • Home
  • Guides
  • Tips & Tricks
  • Reviews
  • Products
  • Sitemap
  • Contacts

    • Latest in trend:

    » viruses

    W32/Renocide

    What is W32/ Renocide?

    How does it affect your PC?

    How to remove W32/Renocide?

     

    What is W32/Renocide?

    Discovered on 5th December 2008, W32/Renocide is a worm that spreads via removable media using "autorun.inf", and also downloads additional malware. Its length varies.

    Aliases

    • » Win32/Packed.Autoit.Gen (NOD32)
    • » Worm:AutoIt/Renocide.gen!A (Microsoft)

    W32/Renocide is a worm that spreads via removable media using "autorun.inf", and also downloads additional malware. Upon execution, this worm copies itself to the following location.

    • %WinDir%\system32\csrcs.exe

    It also creates the following file.

    • %WinDir%\system32\autorun.inf

    It then connects to whatismyip.com to get the victim machine's IP address.

     

    How does it affect your PC?

    This worm copies itself to any removable media connected to the system and also creates an "autorun.inf" to facilitate its execution when connected to another computer. Later it connects to various websites and downloads additional malware files.

    The following registry keys added:

    • HKEY_LOCAL_MACHINE\SOFTWARE\ESET\Nod\CurrentVersion\Modules\AMON\Settings\Config000\Settings
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty
    • HKEY_LOCAL_MACHINE\SOFTWARE\xcn

    The following registry keys deleted:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

    The worm creates the following registry values as part of its payload:

    • HKEY_LOCAL_MACHINE\SOFTWARE\ESET\Nod\CurrentVersion\Modules\AMON\Settings
    • \Config000\Settings "exc"
    • HKEY_LOCAL_MACHINE\SOFTWARE\ESET\Nod\CurrentVersion\Modules\AMON\Settings
    • \Config000\Settings "exc_num"
    • HKEY_LOCAL_MACHINE\SOFTWARE\ESET\Nod\CurrentVersion\Modules\AMON\Settings
    • \Config000\Settings "media_network"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty "dreg"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty "eggol"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty "exp1"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty "fix"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty "ilop"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty "regexp"
    • HKEY_LOCAL_MACHINE\SOFTWARE\xcn "reg"
    • HKEY_LOCAL_MACHINE\SOFTWARE\xcn "unreg"

    It deletes the following registry keys

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDriveTypeAutoRun"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum "{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "dontdisplaylastusername"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "legalnoticecaption"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "legalnoticetext"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "shutdownwithoutlogon"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "undockwithoutlogon"

    The following registry values are modified

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden"

    Old data: 01, 00, 00, 00
    New data: 02, 00, 00, 00

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon "Shell"
      Old data: Explorer.exe
      New data: Explorer.exe csrcs.exe

     

    How to remove W32/Renocide?

    It is recommended to always use latest DATs and engine. This threat will be cleaned if you have this combination.

    Additional Windows ME/XP removal considerations