
TrojanDownloader:Win32/Bredolab.AB


First posted on 10 February 2010.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Bredolab.AB is also known as TROJ_BREDOLAB.ZB (Trend Micro), Bredolab!a (McAfee), Troj/Bredo-AC (Sophos), Trojan.Bredolab (Symantec).

Explanation :

TrojanDownloader:Win32/Bredolab.AB is a trojan that connects to a remote server to download and execute additional files.

Installation

TrojanDownloader:Win32/Bredolab.AB may arrive on the system as a file with a Microsoft Excel icon. In the wild, we have observed TrojanDownloader:Win32/Bredolab.AB being distributed with the following file names:

rarype32.exe
UPS_invoice_NR76234.exe
UPS_invoice_NR34712.exe
DHL_Label_Nr46912.exe
DHL_Label_Nr13435.exe
DHL_Label_Nr4592.exe
DHL_Label_Nr27481.exe
DHL_Label_Nr8743.exe
DHL_invoice_NR75898.exe

Upon execution, it drops a copy of itself to the Startup folder as %User Startup%\rarype32.exe.

Note: %User Startup% is the current user's Startup folder, which on Windows XP is usually C:\Documents and Settings\{user name}\Start Menu\Programs\Startup. On Windows Vista and later the same per-user folder is %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, so check both locations when hunting for the dropped copy.

TrojanDownloader:Win32/Bredolab.AB may inject itself into the 'svchost.exe' and 'explorer.exe' processes.

It then deletes the original executable after execution.

Payload

Downloads and executes arbitrary files

TrojanDownloader:Win32/Bredolab.AB attempts to connect to a remote server to report that it has infected the system and to download arbitrary files, including additional malware. It has been observed contacting a remote host at dollardream.ru (IP: 193.104.94.77) for this purpose.

Additional information

For more information on Win32/Bredolab and for some examples of malware that it has been observed to download in the wild, please see the Win32/Bredolab family description, elsewhere in our encyclopedia.
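The installation and payload behaviours above give an analyst three host and network indicators to hunt for: the spam-lure file names, the rarype32.exe copy in the per-user Startup folder, and traffic to dollardream.ru / 193.104.94.77. The following Python triage script is an added example, not code from the original entry or from Microsoft. It assumes that the numbered UPS/DHL lure names generalise to any numeric suffix, that the Vista-and-later Startup folder is also worth checking, and that DNS and proxy log lines look roughly like the constructed samples embedded at the bottom.

```python
"""Triage helpers for the TrojanDownloader:Win32/Bredolab.AB indicators above."""
import ipaddress
import re
from pathlib import PureWindowsPath

# Names the page lists, generalised to the numeric-suffix shape they share
# (that generalisation is an assumption of this example, not the page's).
LURE_NAME_RE = re.compile(
    r"^(?:rarype32|UPS_invoice_NR\d+|DHL_(?:Label|invoice)_Nr\d+)\.exe$",
    re.IGNORECASE,
)
DROPPED_NAME = "rarype32.exe"          # copy dropped into %User Startup%
STARTUP_TAIL = ("start menu", "programs", "startup")
C2_HOST = "dollardream.ru"             # C2 host named on the page
C2_IP = ipaddress.IPv4Address("193.104.94.77")

HOST_RE = re.compile(r"(?<![\w.-])" + re.escape(C2_HOST) + r"(?![\w-])", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_lure_filename(name: str) -> bool:
    """True if a bare file name matches the spam-lure naming pattern."""
    return LURE_NAME_RE.match(name) is not None


def is_startup_drop(path: str) -> bool:
    """True if path is rarype32.exe sitting directly in a per-user Startup folder.

    Both the XP-era location the page gives and the Vista-and-later
    %APPDATA%\\Microsoft\\Windows\\... location end in
    \\Start Menu\\Programs\\Startup, so only the tail of the path is checked.
    """
    p = PureWindowsPath(path)
    parts = tuple(s.lower() for s in p.parts)
    return p.name.lower() == DROPPED_NAME and parts[-4:-1] == STARTUP_TAIL


def scan_log_line(line: str) -> list:
    """Return the C2 indicators (host name and/or IP) present in one log line."""
    hits = []
    if HOST_RE.search(line):
        hits.append(C2_HOST)
    for candidate in IPV4_RE.findall(line):
        try:
            if ipaddress.IPv4Address(candidate) == C2_IP:
                hits.append(str(C2_IP))
        except ValueError:        # e.g. 999.1.1.1 matched the loose regex
            continue
    return hits


def triage(file_paths, log_lines) -> dict:
    """Run all three checks and group the hits for an analyst."""
    return {
        "lure_files": [f for f in file_paths if is_lure_filename(PureWindowsPath(f).name)],
        "startup_drops": [f for f in file_paths if is_startup_drop(f)],
        "c2_log_lines": [line for line in log_lines if scan_log_line(line)],
    }


# Constructed sample data for offline use; not taken from any real host.
SAMPLE_FILES = [
    r"C:\Documents and Settings\alice\Local Settings\Temp\UPS_invoice_NR76234.exe",
    r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\rarype32.exe",
    r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rarype32.exe",
    r"C:\Program Files\WinRAR\Rar.exe",
    r"C:\Users\bob\Downloads\DHL_Label_Nr999.exe.txt",   # not an .exe: must not match
]
SAMPLE_LOGS = [
    "2010-02-10T09:14:02 dns A? dollardream.ru. client=10.0.0.23",
    "2010-02-10T09:14:03 proxy CONNECT 193.104.94.77:80 user=alice ua=Mozilla/4.0",
    "2010-02-10T09:15:00 dns A? update.microsoft.com. client=10.0.0.23",
    "2010-02-10T09:15:07 proxy GET http://193.104.94.7/ user=bob",  # near-miss IP
]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_FILES, SAMPLE_LOGS).items():
        print(kind, *hits, sep="\n  ")
```

The IP match goes through ipaddress.IPv4Address rather than a plain substring test so that a near-miss such as 193.104.94.7 or a malformed octet is not reported, and the host regex refuses matches embedded in a longer label (notdollardream.ru) while still accepting the trailing dot that DNS logs often append. Because the trojan deletes its original executable and injects into svchost.exe and explorer.exe, the Startup-folder copy and the outbound connection are the most durable artefacts to look for after the lure file itself is gone.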

Analysis by Wei Li

Last update 10 February 2010

 
