TROJ_BREDOLAB.DD

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It may be unknowingly downloaded by a user while visiting malicious websites.

Arrival Details

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %User Startup%\{Random file name}.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

It drops the following non-malicious file:

• %Application Data%\{Random File Name}.dat

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It injects itself into the following processes running in the affected system's memory:

• EXPLORER.EXE

Other Details

Based on analysis of the codes, it has the following capabilities:

• Decrypts part of its data to be injected in SVCHOST.EXE
• Send request to http://{BLOCKED}o.ru/new/controller.php?action=bot&entity_list=&first=0&rnd={BLOCKED}&uid=1&guid=2847846060
• Decrypt and execute downloaded file
• Notify http://{BLOCKED}o.ru/new/controller.php?action=report&uid=1&guid=2847846060&{BLOCKED}d=123&entity=1259351490:unique_start;1271368047:unique_start;1278753990:unique_start about successful infection