YouTube Messaging used to spread Trojan
The SonicWALL UTM Research team observed a new Trojan being spammed starting today, Friday, January 09, 2009, via the YouTube messaging service. The YouTube message contains a link that claims to be a video file but points to a new Renos Trojan.
The Trojan is packed with UPX and performs the following activity:
- Deletes the original copy of the file
- Downloads malicious files from the following URLs:
- Sends POST requests to the following URLs:
The YouTube message looks like the following:
The Trojan is also known as Trojan-Downloader.Win32.Renos [Ikarus], TrojanDownloader:Win32/Renos.gen!BB [Microsoft], and TR/Crypt.XPACK.Gen [AntiVir].
SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Renos_21 (Trojan) signature.