W32/Bredolab.A!tr.dldr - Released Aug 21, 2009

Alias/es

Backdoor.Win32.Bredolab.ez, W32/Bredolab.D, Trj/Sinowal.WMF

Detection Availability

                  Active Database   Extended Database
    FortiGate     low               high
    FortiClient
    FortiMail     N/A

Visible Symptoms


  • The W32/Bredolab.A!tr.dldr file exists in the Startup folder of the current user.
  • Possible firewall alert that an executable is attempting to connect to the internet.


Detailed Analysis


W32/Bredolab.A!tr.dldr downloads and executes other malicious files silently.


Technical Details


  • This sample tries to download other files from the following URL:
    http://[Removed]/def/controller.php?action=bot&entity_list=&uid=&first=1&guid=[Removed]&rnd=[Removed]
  • It copies itself to the Startup folder of the current user in order to be launched at every session startup.
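The beacon URL above has a fixed shape (path /def/controller.php with action=bot and the uid, first, guid and rnd parameters) even though the host and the values are redacted. The following is an added example, not part of the Fortinet entry and not Fortinet code: it parses constructed proxy-log lines and flags requests whose URL matches that shape. The log format (timestamp, client IP, method, URL, status), the host example.invalid and all parameter values are assumptions made up for the example.

```python
from urllib.parse import urlsplit, parse_qs
from typing import Dict, List

# Structural fingerprint taken from the beacon URL quoted in the page:
# the path and the set of query keys, with action=bot. Host and values are
# not used because the page redacts them.
BEACON_PATH = "/def/controller.php"
BEACON_KEYS = {"action", "entity_list", "uid", "first", "guid", "rnd"}

# Constructed sample log lines (assumed format: ts client method url status).
SAMPLE_LOG = """\
1250832000.123 10.0.0.5 GET http://example.invalid/index.html 200
1250832001.456 10.0.0.7 GET http://example.invalid/def/controller.php?action=bot&entity_list=&uid=1234&first=1&guid=abcd&rnd=9876 200
1250832002.789 10.0.0.9 GET http://example.invalid/def/controller.php?action=report&uid=1 200
"""


def is_beacon_url(url: str) -> bool:
    """Return True when url has the path and query structure of the beacon."""
    parts = urlsplit(url)
    if parts.path != BEACON_PATH:
        return False
    # keep_blank_values so that the empty entity_list= parameter is still seen
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("action") != ["bot"]:
        return False
    # Every key the page shows must be present; extra keys are tolerated.
    return BEACON_KEYS.issubset(query.keys())


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose URL matches the beacon structure."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line in the assumed format; skip it
        ts, client, method, url, status = fields[:5]
        if is_beacon_url(url):
            query = parse_qs(urlsplit(url).query, keep_blank_values=True)
            hits.append({
                "timestamp": ts,
                "client": client,
                "uid": query["uid"][0],
                "guid": query["guid"][0],
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['client']} uid={hit['uid']} guid={hit['guid']}")
```

Matching on the path and parameter set rather than on the redacted host or values keeps the check usable against the page's own description; a real deployment would feed it the proxy's actual log format and confirm any hit against the Startup-folder symptom listed above.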


Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 1001181