Home / malware Trojan.Downloader.Bredolab.CJ
First posted on 21 November 2011.
Source: BitDefenderAliases :
Trojan.Downloader.Bredolab.CJ is also known as Win32:Bredolab-BL, Trojan.Win32.Bredolab, Packed.Win32.Krap.x, TrojanDownloader:Win32/Bredolab.AB, Trj/Krap.Y.
Explanation :
This malware has a word document icon in oder to lure the user into opening it.
It copies itself in %Programs%Startup
arype32.exe in order to start along with Windows and removes traces of installation on the machine by deleting the original file which generated the infection.
Trojan.Downloader.Bredolab.CZ has 2 components:
- packed main executable
- downloader (which is never written on disk directly but is injected into other processes)
The trojan creates a custom unique mutex in order to check if the system is already infected. Also it inject itself into a running version of "explorer.exe"
This malware is known for downloading rogue antiviruses (e.g. PC Antispyware 2010): software products which once installed will generate alerts of fake infections and urge the user to fix those issues. The user is informed that in order to clean his computer of the threats, he needs to buy a license of that specific AV. In reality the product even after being licensed/registered will not delete any file or otherwise fix any of the detected issues.
The downloader is a standard downloader connecting, in this case, to dollardream.ru and requesting a download. The server send encrypted executable which is decrypted by the downloader and executed on the infected machine. Usually the payload is represented by rogue antiviruses.Last update 21 November 2011