TrojanDownloader :Win32/Bredolab

Original issue date: October 29, 2009

It has been observed TrojanDownloader:Win32/Bredolab is circulating widely.

These are a family of Trojan-downloaders known to download and install rogue antivirus programs and password stealers onto the infected computer.

This Trojan arrives as attachment with email messages purports to be from Facebook ,UPS ,Western union Money transfer(see the screenshots given below) with subjects “Facebook Password reset confirmation”, “UPS invoice”,” Western Union transfer is available for withdraw” etc.

Or it may be downloaded by Exploit:Win32/Pdfjsc families .The .zip attachment, once extracted, is usually an ~36-40kb executable that contains an Excel/Word documents icon.

It is installed to the start up folder with variable file names and injects into legitimate svchost.exe and explorer.exe processes to bypass firewalls. Some of the variants are ‘ virtualization -aware’ which contains anti-sandbox code and might exists if it detects the presence.

Some of the variants are trying to exploit previously patched Microsoft vulnerabilities ( MS07-017 – GDI Local Elevation of Privilege Vulnerability, MS08-025 – Windows Kernel Usermode Callback Local Privilege)

Aliases :

* Backdoor.Win32.Bredolab.ou(Kaspersky)
* TROJ_BREDOLAB.J(TrendMicro)
* Trojan-Downloader.Win32.Bredolab(Ikarus)
* Trojan-Downloader:W32/Bredolab.ED(F-Secure)
* Trojan.Bredload.gen(Mc Afee)

Upon execution, Win32/Bredloab variants:

* Drops the following files:
o \digeste.dll
o \digiwet.dll
o \mcenspc.dll
o \msansspc.dll
o %startup%\asgupd32.exe
o %startup%\dfqupd32.exe
o %startup%\dmaupd32.exe
o %startup%\fmnupd32.exe
o %startup%\ihaupd32.exe
o %startup%\imiupd32.exe
o %startup%\legupd32.exe
o %startup%\ppqupd32.exe
o %startup%\rqjupd32.exe
o %startup%\ikowin32.exe
o %startup%\wbhwin32.exe
o %startup%\hcgwin32.exe
o %startup%\fqosys32.exe
o %startup%\lecsys32.exe
o %startup%\necsys32.exe
o %startup%\rncsys32.exe
o %startup%\ysfsys32.exe
o %startup%\zqosys32.exe
o \wbem\grpconv.exe
o %appdata%\wiaserva.log %Temp%\
wpv[12 RANDOM NUMBERS].exe

* Modifies the following registry entries
o HKLM\SYSTEM\CurrentControlSet\
Control\SecurityProviders\SecurityProviders
=”msapsspc.dll, schannel.dll, digest.dll,
msnsspc.dll, digeste.dll”
o HKEY_LOCAL_MACHINE\SOFTWARE\
Microsoft\Windows NT\CurrentVersion\
Winlogon “Userinit”=%System%\
userinit.exe, %System%\
o HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Winlogon\
“RunGrpConv” = “1”

* Creates the following mutex
o _SYSTEM_4D2EF3A_

* Contacts the below listed remote host
and downloads additional s malware
o 58.65.235.41
o 78.109.29.116
o 78.109.29.112
o 91.207.61.12
o 213.155.4.82
o dollarpoint .ru
o imoviemax .ru
o mudstrang .ru
o vanni-van .cn
o gssmedia .cn
o www .qoeirq .com

* Below listed the malware reported to be downloaded by Win32/bredolab variants.

Win32/Ambler,Win32/Boaxxe,Win32/Busky,Win32/Cbeplay,
Win32/Cutwail, Win32/Daurso,Win32/FakeRean, Win32/
FakeSpypro,Win32/Haxdoor,Win32/Hiloti,Win32/Insnot,
Win32/Koobface, Win32/Momibot,Win32/Oderoor, Win32/
Oficla, Win32/Otlard,Win32/Rlsloup,Win32/Rustock,
Win32/Sinowal,Win32/Tedroo,Win32/Ursnif,Win32/Vundo,
Win32/Waledac,Win32/Wantvi,Win32/Winwebsec,Win32/Wopla,
Win32/Zbot

Removal :

* Temporarily Disable System Restore.
* Update the virus definitions.
* Reboot computer in SafeMode.
* Run a full system scan and clean/delete all infected file(s).
* Delete/Modify any values added to the registry.

In view of rapid propagation of the Program Trojandownloader:Win32/Bredolab, users are advised to implement the following countermeasures:

* Exercise caution while opening e-mail attachments and clicking on links to web pages received from unknown sources.
* Keep up-to-date patches and fixes on the operating system and application software.
* Keep up-to-date Antivirus and Antispyware signatures

References

http://www.symantec.com/connect/blogs/bredolab-delivers-
more-parcels-and-cash
http://www.microsoft.com/security/portal/Threat/Encyclopedia/
Entry.aspx?Name=Win32/Bredolab
http://www.microsoft.com/security/portal/Threat/Encyclopedia/
Search.aspx?query=Bredolab&showall=False&CBF=False&sortby=
date&sortdir=desc
http://blog.trendmicro.com/fake-facebook-password-notification-
leads-to-malware/
http://www.sophos.com/security/analyses/viruses-and-spyware/
trojbredolabf.html
http://www.bitdefender.com/VIRUS-1000540-en–Trojan.Downloader.
Bredolab.AM.html

Disclaimer

The information provided herein is on “as is” basis, without warranty of any kind.

Advertisements