YouTube Messaging used to spread Trojan

January 9, 2009

The SonicWALL UTM Research team observed a new Trojan being spammed starting today, Friday, January 09, 2009, via the YouTube messaging service. The YouTube message contains a link that claims to be a video file but actually points to a new Renos Trojan.

The Trojan is packed with UPX and performs the following activity:

  • Deletes the original copy of the file
  • Downloads malicious files from the following URLs:
    • xxxx://89.149.206.82/balamutra.php
    • xxxx://89.149.207.114/cfg/(REMOVED)/video20879.cfg
    • xxxx://94.247.2.117/cfg/(REMOVED)/video20879.cfg
    • xxxx://69.46.16.99/lr/11.php?(REMOVED)
    • xxxx://69.46.16.99/lr/11.php?(REMOVED)
    • xxxx://94.247.2.112/fanta/(REMOVED)
    • xxxx://69.46.16.99/lr/12.php?(REMOVED)
  • Sends POST requests to the following URLs:
    • xxxx://89.149.236.200/(REMOVED)/t.gif
    • xxxx://74.50.99.129/1.php
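To show how indicators like the ones listed above are actually consumed on the defensive side, the following is an added example and not part of the SonicWALL advisory: it compiles the defanged ("xxxx://"), partly redacted ("(REMOVED)") URLs into matchers and runs them over a constructed web-proxy log. The log format, treating the download URLs as requests of any HTTP method (the advisory does not name one), and wildcarding each redacted segment are assumptions made here.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators copied from the advisory. "xxxx://" is the defanged scheme and
# "(REMOVED)" marks a segment the advisory redacted. The advisory does not
# state the HTTP method for the downloads, so those match any method
# (assumption); the second group is explicitly described as POST requests.
DOWNLOAD_URLS = [
    "xxxx://89.149.206.82/balamutra.php",
    "xxxx://89.149.207.114/cfg/(REMOVED)/video20879.cfg",
    "xxxx://94.247.2.117/cfg/(REMOVED)/video20879.cfg",
    "xxxx://69.46.16.99/lr/11.php?(REMOVED)",
    "xxxx://94.247.2.112/fanta/(REMOVED)",
    "xxxx://69.46.16.99/lr/12.php?(REMOVED)",
]
POST_URLS = [
    "xxxx://89.149.236.200/(REMOVED)/t.gif",
    "xxxx://74.50.99.129/1.php",
]
REDACTED = "(REMOVED)"


@dataclass(frozen=True)
class Indicator:
    source: str                    # advisory string, kept for reporting
    host: str
    path_re: re.Pattern            # redacted path segments become wildcards
    query_re: Optional[re.Pattern] # None = no requirement on the query string
    method: Optional[str]          # None = any method


def compile_indicator(defanged: str, method: Optional[str]) -> Indicator:
    """Turn one defanged, partly redacted advisory URL into a matcher."""
    parts = urlsplit(defanged.replace("xxxx://", "http://", 1))
    # A redacted segment may hide several path components, so allow slashes.
    pieces = re.split(r"(\(REMOVED\))", parts.path)
    path_re = re.compile("".join(r"[^?#]+" if p == REDACTED else re.escape(p) for p in pieces))
    if not parts.query:
        query_re = None
    elif parts.query == REDACTED:
        query_re = re.compile(r".+")          # some query string must be present
    else:
        query_re = re.compile(re.escape(parts.query))
    return Indicator(defanged, parts.hostname, path_re, query_re, method)


INDICATORS = [compile_indicator(u, None) for u in DOWNLOAD_URLS] + \
             [compile_indicator(u, "POST") for u in POST_URLS]
IOC_HOSTS = {ind.host for ind in INDICATORS}

# Constructed sample proxy log (not from the advisory): "epoch client method url status".
SAMPLE_LOG = """\
1231500001.123 10.0.0.7 GET http://89.149.206.82/balamutra.php 200
1231500002.456 10.0.0.7 GET http://89.149.207.114/cfg/a1b2c3/video20879.cfg 200
1231500003.789 10.0.0.7 GET http://69.46.16.99/lr/11.php?id=1234 200
1231500004.012 10.0.0.7 GET http://69.46.16.99/lr/11.php 200
1231500005.345 10.0.0.7 POST http://89.149.236.200/stat/t.gif 200
1231500006.678 10.0.0.7 GET http://89.149.236.200/stat/t.gif 200
# proxy restarted
1231500007.901 10.0.0.9 GET http://www.youtube.com/watch?v=abc 200
1231500008.234 10.0.0.9 POST http://74.50.99.129/1.php 200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


@dataclass(frozen=True)
class Hit:
    line_no: int
    client: str
    level: str                 # "url" = full indicator match, "host" = contact with an indicator host only
    method: str
    url: str
    indicator: Optional[str]   # the advisory string that matched, for "url" hits


def match_request(method: str, url: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return ("url", indicator) for a full match, ("host", None) for host-only contact, else None."""
    parts = urlsplit(url)
    if parts.hostname not in IOC_HOSTS:
        return None
    for ind in INDICATORS:
        if ind.host != parts.hostname:
            continue
        if ind.method is not None and ind.method != method:
            continue
        if not ind.path_re.fullmatch(parts.path):
            continue
        if ind.query_re is not None and not ind.query_re.fullmatch(parts.query):
            continue
        return ("url", ind.source)
    return ("host", None)


def scan_log(text: str) -> List[Hit]:
    """Run every request in the log through the indicator set; malformed lines are skipped."""
    hits: List[Hit] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = match_request(m["method"], m["url"])
        if verdict:
            level, ind = verdict
            hits.append(Hit(n, m["client"], level, m["method"], m["url"], ind))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        tail = f"  <- {h.indicator}" if h.indicator else ""
        print(f"line {h.line_no}: {h.level:<4} {h.client} {h.method} {h.url}{tail}")
```

Two design points worth noting: any request to an indicator host is still reported (as a "host" hit) when the path, method or query does not line up with the published URL, because C2 paths change faster than hosting IPs; and redacted query strings are treated as "some query must be present" rather than "any query", so a bare request to the same script is downgraded to a host hit instead of being silently accepted as the published indicator.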

The YouTube message looks like the following:


The Trojan is also known as Trojan-Downloader.Win32.Renos [Ikarus], TrojanDownloader:Win32/Renos.gen!BB [Microsoft], and TR/Crypt.XPACK.Gen [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Renos_21 (Trojan) signature.