
TrojanDropper:Win32/Bredolab


First posted on 08 October 2010.
Source: SecurityHome

Aliases:

TrojanDropper:Win32/Bredolab is also known as Dropper/Wlord.23552.C (AhnLab), W32/Dropper.AUTG (Authentium (Command)), Trojan-Dropper.Win32.Wlord.gen (Kaspersky), W32/Suspicious_Gen.DPO (Norman), Trojan.DR.Wlord.ADD (VirusBuster), Dropper.Generic.ARPJ (AVG), Trojan.Generic.IS.507720 (BitDefender), Trojan.Botnetlog.9 (Dr.Web), Win32/TrojanDownloader.Bredolab.AA (ESET), Trojan-Dropper.Win32.Wlord (Ikarus), Trojan-Dropper.Win32.Wlord.gen (Sunbelt Software), TROJ_BREDOLAB.CZ (Trend Micro).

Explanation:

TrojanDropper:Win32/Bredolab is a trojan that injects the code of another piece of malware into its process. The other malware may be detected as TrojanDownloader:Win32/Bredolab.X.
Installation

TrojanDropper:Win32/Bredolab may be present in the computer as the following file:

  • grpconv.exe

Payload

Drops other malware

Upon execution, TrojanDropper:Win32/Bredolab creates a suspended process in its own memory space where it injects a binary file that is detected as TrojanDownloader:Win32/Bredolab.X. It then resumes execution of this process, allowing TrojanDownloader:Win32/Bredolab.X to run.

Copies system files

As part of its malware routine, TrojanDropper:Win32/Bredolab copies the following legitimate system DLL files into the Temporary Files folder:

  • <system folder>\kernel32.dll - copied as %temp%\~tme.tmp
  • <system folder>\ntdll.dll - copied as %temp%\~tmf.tmp

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
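A defender-side triage check for the file artifact described above, added here as an example and not part of the original analysis: it hashes the DLLs in the system folder and flags any .tmp file in the temp folder that is a byte-for-byte copy of one of them, noting whether the name fits the ~tme.tmp / ~tmf.tmp pattern reported for Bredolab. The System32 and Temp directories and the file contents built in `demo()` are constructed stand-ins, not real system files.

```python
import hashlib
import os
import tempfile

KNOWN_COPY_NAMES = {"~tme.tmp": "kernel32.dll", "~tmf.tmp": "ntdll.dll"}  # names from the analysis

def sha256_of(path):
    """Hash a file in chunks so large DLLs are not read into memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_system_dll_copies(temp_dir, system_dir):
    """Return sorted [(tmp_name, matching_dll, name_fits_bredolab_pattern), ...].
    A .tmp file byte-for-byte identical to a system DLL is flagged: legitimate
    software has no reason to stash kernel32.dll or ntdll.dll under a temp name."""
    dll_hashes = {}
    for name in os.listdir(system_dir):
        if name.lower().endswith(".dll"):
            dll_hashes[sha256_of(os.path.join(system_dir, name))] = name.lower()
    hits = []
    for name in os.listdir(temp_dir):
        path = os.path.join(temp_dir, name)
        if not name.lower().endswith(".tmp") or not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            if f.read(2) != b"MZ":  # not a PE image, so it cannot be a DLL copy
                continue
        match = dll_hashes.get(sha256_of(path))
        if match:
            hits.append((name, match, KNOWN_COPY_NAMES.get(name.lower()) == match))
    return sorted(hits)

def demo():
    """Constructed sample layout: stand-in files, not real system DLLs."""
    root = tempfile.mkdtemp()
    sysdir, tmpdir = os.path.join(root, "System32"), os.path.join(root, "Temp")
    for d in (sysdir, tmpdir):
        os.makedirs(d)
    k32, ntd = b"MZ fake kernel32 image", b"MZ fake ntdll image"
    files = [(sysdir, "kernel32.dll", k32), (sysdir, "ntdll.dll", ntd),
             (tmpdir, "~tme.tmp", k32), (tmpdir, "~tmf.tmp", ntd),  # Bredolab-style copies
             (tmpdir, "setup.tmp", b"MZ unrelated installer"),  # a PE, but matches no DLL
             (tmpdir, "notes.tmp", b"plain text, not a PE")]
    for d, name, data in files:
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return find_system_dll_copies(tmpdir, sysdir)
```

On a live Windows host the same check runs as `find_system_dll_copies(os.environ["TEMP"], os.path.join(os.environ["SystemRoot"], "System32"))`; a hit is an artifact to triage alongside the grpconv.exe and process-injection behaviour above, not proof of infection on its own, since the copies are unmodified legitimate DLLs.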

Analysis by Marianne Mallen

Last update 08 October 2010
