
Virus Detail

Win32/Bredolab.SU

Date Published:
29 Oct 2009

Last Updated:
29 Oct 2009

Threat Assessment

Overall Risk: Very Low
Wild: Low
Destructiveness: Low
Pervasiveness: None

Characteristics

Type: Trojan

Category: Win32

Also known as: Bredolab.gen.a (McAfee), Mal/Behav-340 (Sophos), TrojanDownloader:Win32/Bredolab.X (MS OneCare)

Immediate Protection Info

Signature    Product                    Removal Instructions
35.1.7088    CA Antivirus 2007
35.1.7088    eTrust Antivirus v7/8*
7.x/7088     eTrust EZ Antivirus 7.x
35.1.7088    Vet 7

Description

Win32/Bredolab.SU is a trojan that downloads malicious files from a remote server and executes them on the infected machine. It arrives as an attachment to an email message that uses social engineering techniques to encourage recipients to open it.


Method of Infection

Win32/Bredolab.SU usually arrives as a malicious attachment on a spammed email message masquerading as a password reset confirmation email from Facebook.


The email carries the Subject:

"Facebook Password Reset Confirmation"

The email body reads:

-----------------------------------------------------------------------------
Hey ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team
-----------------------------------------------------------------------------

The email carries a malicious zipped attachment named Facebook_Password_{random-characters}.zip. This file is detected by CA as Win32/Bredolab.SU.

[Image: a sample email]

Payload

Win32/Bredolab.SU connects to the malicious server "mmsfoundsystem.ru" to download other malicious files. The malware saves the downloaded files in the Windows %Temp% folder as wpv{Random Numbers}.exe and then executes them. The downloaded files could vary, depending on what is on the malicious server at the time of download.

The trojan drops two DLLs, %WINDOWS%\dawmcl.dll and %SYSTEM%\beghghk.dll, and hooks the second one into the iexplore.exe process.

It creates a file "sdra64.exe" in the %APPDATA% folder and appends the location of this file to the following registry value so that it runs every time Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"USERINIT" = "%SYSTEM%\Userinit.exe, %APPDATA%\sdra64.exe"

The trojan also hooks itself into the explorer.exe process and starts the svchost.exe process.

Note:

%System% is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP and Vista it is C:\Windows\System32.
%Temp% is a variable location similar to %System%. The default location is C:\Windows\Temp.
%APPDATA% is a variable location similar to %System%. The default location is C:\Documents and Settings\{Username}\Application Data.
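A defender-side check for the Userinit persistence and the dropped files described in the Payload section. This is an added PowerShell example, not part of the CA advisory; it assumes only the file names and registry value listed on this page, and it also inspects HKLM, where Windows itself reads Userinit, even though the advisory cites HKCU.

```powershell
# Added example (not from the CA advisory): report Winlogon Userinit entries
# other than the default userinit.exe, the trick used to launch sdra64.exe,
# and check for the files the advisory says the trojan drops.
$defaultUserinit = Join-Path $env:SystemRoot 'System32\userinit.exe'

# The advisory lists HKCU; Windows reads the value from HKLM, so check both hives.
$keys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

$findings = foreach ($key in $keys) {
    $value = (Get-ItemProperty -Path $key -Name 'Userinit' -ErrorAction SilentlyContinue).Userinit
    if (-not $value) { continue }

    # Userinit is a comma-separated list and Windows launches every entry,
    # which is why appending a second path is enough for persistence.
    foreach ($entry in ($value -split ',')) {
        $path = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        if (-not $path) { continue }                 # trailing comma leaves an empty entry
        if ($path -ieq $defaultUserinit) { continue } # the one legitimate entry
        [pscustomobject]@{
            Key    = $key
            Entry  = $path
            Exists = Test-Path -LiteralPath $path
        }
    }
}

# File names taken from the advisory; %Temp%\wpv{Random Numbers}.exe is the downloader's drop pattern.
$dropped = @(
    (Join-Path $env:APPDATA 'sdra64.exe'),
    (Join-Path $env:SystemRoot 'dawmcl.dll'),
    (Join-Path $env:SystemRoot 'System32\beghghk.dll')
)
$present = @($dropped | Where-Object { Test-Path -LiteralPath $_ })
$present += @(Get-ChildItem -Path $env:TEMP -Filter 'wpv*.exe' -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty FullName)

if ($findings) { $findings | Format-Table -AutoSize } else { 'Userinit holds only the default entry.' }
if ($present)  { "Files matching the advisory's drop names:`n" + ($present -join "`n") }
```

A non-default Userinit entry is worth investigating on its own; the file checks only confirm the names from this advisory, so a result with no matching files but an extra Userinit path still merits a look.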

Analysis by Krishna Kona
