Virus: TR/Dldr.Bredolab.AX
Date discovered: 27/10/2009
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 29.184 Bytes
MD5 checksum: e3edffb53e463bc6e3f498c8aaa1e447
IVDF version: 7.01.06.155 - Tuesday, October 27, 2009

General Methods of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Packed.Win32.Krap.w
   •  F-Secure: Trojan.Downloader.Bredolab.AZ
   •  Sophos: Mal/Bredo-A
   •  Bitdefender: Trojan.Downloader.Bredolab.AZ


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file

Files:
It tries to download a file:

– The location is the following:
   • http://mmsfoundsystem.ru/public/controller.php**********
This file is executed once it has been fully downloaded. At the time of writing the file was not online, so no further investigation was possible.

Email:
It doesn't have its own spreading routine, but it was spammed out via email. The characteristics are described in the following:


From:
The sender address is spoofed.


Subject:
The following:
   • Facebook Password Reset Confirmation.



Body:
The body of the email is one of the lines:
   • Hey %username from receiver's email address%,
   • Because of the measures take to provide safety to our clients, your password has been changed.
   • You can find your new password in attached document.
   • Thanks,
   • The Facebook Team


Attachment:
The filename of the attachment is:
   • Facebook_Password_%five-digit random character string%.zip

The attachment is an archive containing a copy of the malware itself.
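The email characteristics listed above (spoofed sender, the fixed subject line, the Facebook_Password_*.zip attachment, an archive holding the executable) are enough for a mail-gateway check. The following is an added example, not part of the Avira description: it parses a message, scores the indicators, and compares the MD5 of any executable found inside a zip attachment against the checksum given on this page. The sample message is constructed inline with a dummy payload, the executable extension list is an assumption, and "five-digit random character string" is read as five decimal digits.

```python
import email
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators taken from the description above.
KNOWN_MD5 = "e3edffb53e463bc6e3f498c8aaa1e447"
SPAM_SUBJECT = "facebook password reset confirmation."
# "five-digit random character string" is read here as five decimal digits (assumption).
ATTACHMENT_RE = re.compile(r"^Facebook_Password_[0-9]{5}\.zip$", re.IGNORECASE)
# Extensions treated as executable payloads inside the archive (assumption, not from the page).
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif")


def inspect_message(raw: bytes) -> dict:
    """Check one raw RFC 822 message for the campaign's indicators."""
    msg = email.message_from_bytes(raw)
    result = {
        "subject_match": False,
        "attachment_match": False,
        "zip_contains_executable": False,
        "md5_match": False,
        "verdict": "clean",
    }
    subject = str(msg.get("Subject", "")).strip().lower()
    result["subject_match"] = subject == SPAM_SUBJECT

    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or multipart container, not an attachment
        if ATTACHMENT_RE.match(name):
            result["attachment_match"] = True
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                for info in archive.infolist():
                    if not info.filename.lower().endswith(EXECUTABLE_EXT):
                        continue
                    result["zip_contains_executable"] = True
                    # Compare the extracted binary against the sample hash from the description.
                    if hashlib.md5(archive.read(info)).hexdigest() == KNOWN_MD5:
                        result["md5_match"] = True

    if result["md5_match"]:
        result["verdict"] = "known_sample"
    elif result["subject_match"] and result["attachment_match"]:
        result["verdict"] = "suspicious"
    elif result["attachment_match"] or result["zip_contains_executable"]:
        result["verdict"] = "review"
    return result


def build_constructed_sample() -> bytes:
    """Constructed message mimicking the described spam; the payload is a dummy, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Facebook_Password.exe", b"MZ dummy payload for testing only")
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"  # spoofed sender, constructed value
    msg["To"] = "alice@example.invalid"
    msg["Subject"] = "Facebook Password Reset Confirmation."
    msg.set_content(
        "Hey alice,\n"
        "Because of the measures take to provide safety to our clients, your password has been changed.\n"
        "You can find your new password in attached document.\n"
        "Thanks,\nThe Facebook Team\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_Password_48213.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(inspect_message(build_constructed_sample()))
```

The dummy payload does not hash to the listed MD5, so the constructed sample scores "suspicious" on subject plus attachment pattern rather than "known_sample"; a real sample of this variant would produce the hash match, while repacked variants would still be caught by the campaign indicators.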

File details:
Runtime packer:
In order to hamper detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Thomas Wegele on Tuesday, October 27, 2009
Description updated by Thomas Wegele on Tuesday, October 27, 2009
