TROJ_BREDO.ASH

This Trojan executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

It deletes itself after execution.

Installation

This Trojan drops and executes the following files:

• %System%\mlcqdcsk.dll - detected by Trend Micro as TROJ_DLOADR.TLG

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}.{BLOCKED}.220.52/lol2.exe - detected by Trend Micro as TROJ_FAKEAV.SAF
• http://{BLOCKED}.{BLOCKED}.220.52/pod.exe - detected by Trend Micro as WORM_AUTORUN.CFH
• http://{BLOCKED}.{BLOCKED}.220.52/spm.exe - also detected as TROJ_BREDO.ASH

It saves the files it downloads using the following names:

• %System Root%\Documents and Settings\Administrator\Local Settings\Temp\spm.exe - also detected as TROJ_BREDO.ASH

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Other Details

This Trojan connects to the following possibly malicious URL:

• http://{BLOCKED}myqeg.com/1017000413
• http://{BLOCKED}.{BLOCKED}.193.20/service/listener.php?affid=50039
• http://{BLOCKED}.{BLOCKED}.193.20/service/scripts/files/aff_50039.dll
• http://{BLOCKED}.{BLOCKED}.193.20/service/listener.php?affid=50039
• http://{BLOCKED}.{BLOCKED}.88.10//srv
• http://{BLOCKED}.{BLOCKED}.88.10//dll
• http://{BLOCKED}.{BLOCKED}.193.20/service/scripts/files/aff_50039.dll
• http://{BLOCKED}.{BLOCKED}.193.138/xxxx_2/MDUwNTZjMDA4fDUwMDM5fDB8M3wxZTd8NS4xIDI2MDAgU1AzLjB8MHwwfHBybjE0

It deletes itself after execution.