March 2011 release of Malicious Software Removal Tool (MSRT), now includes Win32/Renocide detection and cleaning capabilities.
"Win32/Renocide is a family of worms that spread via local, removable, and network drives and also by means of file sharing applications. It infects the network by scanning the local network using the subnet mask 255.255.0.0 and looking for writeable shares where it can copy itself and an autorun.inf file. It also uses the NETBIOS protocol to look for machines in the local network where it can plant copies of itself," explains Microsoft.
To infect computers beyond the local network, it plants copies of itself in the shared folders of popular file sharing applications. This step also involves social engineering techniques to maximize infection success. This is done by using enticing names for its copies in the shared folders, and to make sure this is always the case.
It uses the following process:
- Access some popular torrent sites and download the top 100 titles of popular games and/or applications.
- Randomly pick 50 titles.
- Append to the titles one of the following suffixes:
- Create a Readme.txt file that contains this generated name.
- Use WinRAR or 7zip to create an archive of itself copied with the same generated name and the above Readme.txt file.
- Place the archive in the shared folder of the file sharing application, again using the generated name.
It's worth mentioning that if the host doesn't have WinRAR archiver installed, it tries to download a copy of the 7zip archiver from its own servers.