
Trojan.Downloader.Bredolab.AM


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Trojan.Downloader.Bredolab.AM is also known as Win32/PSW.YahooPass.AF trojan, Trojan-Downloader:W32/Bredolab.IH, PWS:win32/YahooPass.H and TSPY_HOOYPASS.AF.

Explanation :

This malware uses a Word document icon in order to lure the user into opening it.
When executed it drops a .dll file with a random name into the %SYSTEM32% folder (for the analyzed sample the .dll was named frjacnwrm.dll) and registers it as a Browser Helper Object (BHO) by adding or modifying the following registry keys:

HKLM\SOFTWARE\Classes\CLSID
(Default) -> Microsoft Online Helper!

HKLM\SOFTWARE\Classes\CLSID\InProcServer32
(Default) -> %SYSTEM32%\frjacnwrm.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
(Default) -> Microsoft Online Helper!

Next it changes Internet Explorer's settings by altering the following registry value:
HKCU\Software\Microsoft\Internet Explorer\Main
Enable Browser Extensions -> yes

Then it drops a file named sys.bat that is used to delete the original executable.

The dropped .dll is used to monitor the user's activity, and the gathered data is sent via HTTP POST to the following address: http://[removed]idbredov.ru
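The following triage script is an added example, not part of the BitDefender write-up: it inventories every Browser Helper Object registered in HKLM and flags entries matching the indicators described above (a class name of "Microsoft Online Helper!" or an in-process DLL under System32 that carries no valid Authenticode signature). It assumes Windows PowerShell 5.1 or later with read access to HKLM; since the write-up does not give the CLSID, all registered BHOs are inspected.

```powershell
# Added triage script (not from the BitDefender write-up). Run elevated for a
# complete view. Indicator strings come from the write-up; the CLSID is unknown.
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$System32 = Join-Path $env:WINDIR 'System32'

function Get-BhoInventory {
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $clsid = $key.PSChildName
            # The class registration may live under the 32-bit view on x64 hosts.
            $classKey = @("HKLM:\SOFTWARE\Classes\CLSID\$clsid",
                          "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid") |
                        Where-Object { Test-Path $_ } | Select-Object -First 1
            $name = $null; $dll = $null; $sig = 'NoClassKey'
            if ($classKey) {
                $name   = (Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue).'(default)'
                $rawDll = (Get-ItemProperty -Path "$classKey\InProcServer32" -ErrorAction SilentlyContinue).'(default)'
                if ($rawDll) { $dll = [Environment]::ExpandEnvironmentVariables($rawDll) }
                $sig = if ($dll -and (Test-Path $dll)) {
                    (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
                } else { 'FileMissing' }
            }

            $reasons = @()
            if ($name -eq 'Microsoft Online Helper!') { $reasons += 'class name matches Bredolab.AM indicator' }
            if ($dll -and ($dll -like "$System32\*") -and ($sig -ne 'Valid')) {
                $reasons += "in-proc DLL under System32 has no valid signature ($sig)"
            }

            [pscustomobject]@{
                CLSID      = $clsid
                Name       = $name
                Dll        = $dll
                Signature  = $sig
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

# Context only: the dropper sets this value to "yes", but clean systems commonly
# carry the same value, so it is not an indicator on its own.
$ext = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue).'Enable Browser Extensions'
Write-Host "HKCU IE 'Enable Browser Extensions' = $ext"

Get-BhoInventory | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Any row marked Suspicious deserves a closer look at the DLL (hash, timestamps, outbound HTTP POST traffic from iexplore.exe) before removal.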

Last update 21 November 2011
