Win32/TrojanDownloader.Bredolab [Threat Name]

Win32/TrojanDownloader.Bredolab.AA [Threat Variant Name]

Category: trojan
Size: 51200 B
Detection created: Apr 01, 2009
Signature database version: 3981
Aliases: Trojan.Win32.Inject.abnx (Kaspersky)
         TrojanDownloader:Win32/Bredolab.X (Microsoft)
         Spy-Agent.bw (McAfee)
Short description

The trojan tries to download several files from the Internet. The files are then executed.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\wbem\grpconv.exe (51200 B)

The following files are deleted:

  • %system%\grpconv.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "RunGrpConv" = 1

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

Other information

The trojan contains a list of (1) URLs.

It tries to download several files from these addresses.

The HTTP protocol is used.

The downloaded files are stored in the following location:

  • %temp%\wpv%variable%.exe

A string with variable content is used instead of %variable%.

The files are then executed.

The trojan may create and run a new thread with its own program code within any running process.

The trojan creates the following files:

  • %appdata%\wiaserva.log

The trojan creates copies of the following files (source, destination):

  • %system%\ntdll.dll, %temp%\~TM%variable%.tmp
  • %system%\kernel32.dll, %temp%\~TM%variable%.tmp

A string with variable content is used instead of %variable%.


The trojan launches the following processes:

  • svchost.exe
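
As an added example, not part of the ESET description, the following Python matches host observations (file paths and registry values, e.g. from a forensic file listing and a registry export) against the Installation and Other information indicators above, treating %variable% as a wildcard. The directories that %system%, %temp% and %appdata% resolve to are assumptions for the host being checked.

```python
import re

# File-system indicators transcribed from the description above; %variable%
# marks a run of characters the trojan chooses at run time.
FILE_INDICATORS = {
    "dropped copy": r"%system%\wbem\grpconv.exe",
    "downloaded payload": r"%temp%\wpv%variable%.exe",
    "copied system DLL": r"%temp%\~TM%variable%.tmp",
    "log file": r"%appdata%\wiaserva.log",
}
# Persistence entry (key, value name, data) from the Installation section.
REGISTRY_INDICATOR = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    "RunGrpConv", "1",
)
# Assumed (constructed) resolution of the placeholders on the host being checked.
PLACEHOLDERS = {
    "%system%": r"C:\Windows\System32",
    "%temp%": r"C:\Users\alice\AppData\Local\Temp",
    "%appdata%": r"C:\Users\alice\AppData\Roaming",
}

def indicator_to_regex(indicator, placeholders=PLACEHOLDERS):
    """Expand %system%/%temp%/%appdata%, escape the path, and turn %variable%
    into a wildcard for part of one path component (no backslash, at least one
    character). Matching is case-insensitive, as NTFS path lookups are."""
    for name, value in placeholders.items():
        indicator = indicator.replace(name, value)
    pattern = re.escape(indicator).replace(re.escape("%variable%"), r"[^\\]+")
    return re.compile(r"\A" + pattern + r"\Z", re.IGNORECASE)

def match_files(observed_paths, placeholders=PLACEHOLDERS):
    """Return {indicator label: [matching paths]}; labels with no hit are omitted.
    The legitimate grpconv.exe in %system% itself (the file the trojan deletes)
    does not match, because only the copy under wbem is an indicator."""
    hits = {}
    for label, indicator in FILE_INDICATORS.items():
        regex = indicator_to_regex(indicator, placeholders)
        matched = [path for path in observed_paths if regex.match(path)]
        if matched:
            hits[label] = matched
    return hits

def match_registry(observed_values):
    """observed_values: iterable of (key, value name, data) tuples, e.g. parsed
    from a registry export. True if the Winlogon RunGrpConv = 1 value is present."""
    key, name, data = REGISTRY_INDICATOR
    return any(k.lower() == key.lower() and n.lower() == name.lower() and str(d) == data
               for k, n, d in observed_values)
```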
