Win32/TrojanDownloader.Bredolab [Threat Name]
Win32/TrojanDownloader.Bredolab.AA [Threat Variant Name]
| Category | trojan |
| Size | 51200 B |
| Signature database version | 3981 (Apr 01, 2009) |
| Aliases | Trojan.Win32.Inject.abnx (Kaspersky), TrojanDownloader:Win32/Bredolab.X (Microsoft), Spy-Agent.bw (McAfee) |
Short description
The trojan tries to download several files from the Internet. The files are then executed.
Installation
When executed, the trojan copies itself into the following location:
- %system%\wbem\grpconv.exe (51200 B)
The following file is deleted:
- %system%\grpconv.exe
The deleted file is the legitimate Windows Program Group Converter. Because %system%\wbem is on the default PATH, a later lookup of grpconv.exe by name resolves to the trojan's copy instead of the original.
In order to be executed every time the affected user logs on, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "RunGrpConv" = 1
Winlogon checks this value and, when it is set, launches grpconv.exe; the trojan is therefore started without any Run key pointing at its own path, which is why a review of the usual autostart locations does not reveal it.
The trojan injects its own code into the following process and runs it in a new thread:
- explorer.exe
Other information
The trojan contains a list holding a single URL.
It tries to download several files from that address over HTTP.
These are stored in the following location:
- %temp%\wpv%variable%.exe
A string with variable content is used instead of %variable%.
The files are then executed.
The trojan may create and run a new thread with its own program code within any running process.
The trojan creates the following files:
- %appdata%\wiaserva.log
The trojan creates copies of the following files (source, destination):
- %system%\ntdll.dll, %temp%\~TM%variable%.tmp
- %system%\kernel32.dll, %temp%\~TM%variable%.tmp
A string with variable content is used instead of %variable%.
The trojan launches the following processes:
- svchost.exe
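The artifacts above (the dropped copy under %system%\wbem, the deleted original, the Winlogon value, the log file and the temporary files) can be turned into a host-triage check. The following Python script is an added example written for this page, not ESET's own tooling: it matches a snapshot of a host's file listing and registry values against those indicators. The expansions of %system%, %temp% and %appdata% are assumed values, the snapshots are constructed, and every file size other than the 51200 B stated above is invented.

```python
import re

# Added example: a host-triage check for the artifacts listed in this
# description. It runs against a constructed snapshot (file listing plus
# registry values), not a live system; point it at real collection output
# by building the same two dictionaries from a directory listing and a
# registry export. The expansions below are ASSUMED values for the
# placeholders used on the page.
ENV = {
    "%system%": r"C:\Windows\System32",
    "%temp%": r"C:\Users\victim\AppData\Local\Temp",
    "%appdata%": r"C:\Users\victim\AppData\Roaming",
}

# Indicators exactly as the description states them.
DROPPED_COPY = r"%system%\wbem\grpconv.exe"
DROPPED_SIZE = 51200
DELETED_ORIGINAL = r"%system%\grpconv.exe"
REG_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
REG_VALUE = "RunGrpConv"
# "*" stands for the %variable% part of the stored file names.
GLOBS = {
    "log_file": r"%appdata%\wiaserva.log",
    "payload": r"%temp%\wpv*.exe",
    "dll_copy": r"%temp%\~TM*.tmp",
}


def expand(path):
    """Replace the page's %placeholder% names with the assumed real paths."""
    for name, value in ENV.items():
        path = path.replace(name, value)
    return path


def glob_to_regex(pattern):
    """Turn a literal path with '*' wildcards into a case-insensitive regex."""
    escaped = re.escape(expand(pattern)).replace(r"\*", ".*")
    return re.compile(escaped, re.IGNORECASE)


def scan(files, registry):
    """files: {path: size_in_bytes}; registry: {(key, value_name): data}.
    Returns a list of (indicator, detail) tuples, empty when nothing matches."""
    findings = []
    lower = {path.lower(): size for path, size in files.items()}

    copy = expand(DROPPED_COPY).lower()
    if copy in lower:
        detail = copy
        if lower[copy] != DROPPED_SIZE:
            detail += f" (size {lower[copy]}, this variant is {DROPPED_SIZE} B)"
        findings.append(("dropped_copy", detail))

    # The trojan deletes the legitimate grpconv.exe; its absence alone is weak
    # evidence, so it is reported but not treated as conclusive on its own.
    original = expand(DELETED_ORIGINAL).lower()
    if original not in lower:
        findings.append(("original_missing", original))

    for label, pattern in GLOBS.items():
        regex = glob_to_regex(pattern)
        for path in lower:
            if regex.fullmatch(path):
                findings.append((label, path))

    for (key, name), data in registry.items():
        if key.lower() == REG_KEY.lower() and name.lower() == REG_VALUE.lower() and data == 1:
            findings.append(("persistence", f"{key}\\{name} = {data}"))
    return findings


def is_infected(files, registry):
    """Conclusive only when the dropped copy or the Winlogon value is present."""
    hits = {label for label, _ in scan(files, registry)}
    return bool(hits & {"dropped_copy", "persistence"})


# Constructed snapshots for a stand-alone run; sizes other than 51200 are invented.
INFECTED_FILES = {
    r"C:\Windows\System32\wbem\grpconv.exe": 51200,
    r"C:\Windows\System32\wbem\wmic.exe": 421376,
    r"C:\Users\victim\AppData\Roaming\wiaserva.log": 312,
    r"C:\Users\victim\AppData\Local\Temp\wpv381294.exe": 98304,
    r"C:\Users\victim\AppData\Local\Temp\~TM3F2A.tmp": 1445888,
}
INFECTED_REGISTRY = {(REG_KEY, "RunGrpConv"): 1}
CLEAN_FILES = {
    r"C:\Windows\System32\grpconv.exe": 36352,
    r"C:\Windows\System32\wbem\wmic.exe": 421376,
}
CLEAN_REGISTRY = {}

if __name__ == "__main__":
    for label, detail in scan(INFECTED_FILES, INFECTED_REGISTRY):
        print(f"{label:17} {detail}")
    print("infected:", is_infected(INFECTED_FILES, INFECTED_REGISTRY))
    print("clean host infected:", is_infected(CLEAN_FILES, CLEAN_REGISTRY))
```

The verdict is deliberately tied to the two strong indicators: a grpconv.exe under %system%\wbem and the HKCU Winlogon value. A missing %system%\grpconv.exe or stray wpv*.exe files are reported as supporting evidence only, since either can have a benign cause. %temp% and %appdata% are per-user, so a real collection has to expand them for every profile on the host.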