Microsoft Discusses Malicious Software ‘Renocide’

Over the 3rd-week of March 2011, Microsoft said that Win32/Renocide was the fourth most-dangerous malware within the history of automated software after it was first detected during 2005 if not earlier.

States the company, Win32/Renocide represents a virus that creates backdoor facilities while proliferating online through different means, say detachable drives. Soon after getting planted, it drops its own replicas on every detachable drive present, presumably after giving random names to the files. Another way Renocide proliferates is by scanning other computers within the network to which the initially infected PC belongs and installing an autorun.inf file that Windows PCs mechanically run following the drive's insertion.

Moreover, Renocide as well proliferates by abusing file-sharing application. For that, it takes down the hundred songs that are most popular from certain torrent websites and then selects fifty of them. Thereafter it opens one fresh folder within the P2P software where it loads its own copies and names the files as P2P downloads. It also adds a supplement called "Keymaker," "-RELOADED," "Razor1911," "crack," "Validator," "Keygen" or "Activator."

Another file, which Renocide creates, is called Readme.txt that consists of one of the above supplementary names. Subsequently, the malware employs 7zip or WinRAR for crafting one compressed file where it places its own copy along with the Readme.txt file.

Renocide also performs several backdoor activities as it interacts through IRC. Incidentally, the virus accepts more than 50 orders so it can run. One of them is the "cometerharakiri" command that makes it eliminate every trace of its contamination. Additionally, the virus runs instructions via text files after downloading those files from the Net. Meanwhile, for different samples of the virus there are different web addresses incorporated.

Discloses Microsoft that with a large number of computers affected with Renocide, it appears that the botnet's age is many years old. During the 1st-week of March 2011, the malware reportedly infected 123,413 computers, with the number still counting.

Finally, Renocide merely comes after the Rimecud malware at 200,267, Taterf (160,632) and Sality (160,579) that occupy the first, second and third positions respectively insofar as the number of computers infected are concerned, Microsoft reveals.

Related article: Microsoft Patches Live OneCare to Tackle Quarantined E-Mails

» SPAMfighter News - 3/26/2011