W32/Bredolab.AC!tr.dldr

Alias/es: Troj/Bredo-AC (Sophos), TROJ_BREDOLAB.ZB (Trend Micro), TrojanDownloader:Win32/Bredolab.AB (Microsoft), Win32/TrojanDownloader.Bredolab.BH (NOD32), Trojan-Downloader:W32/Bredolab.WF (F-Secure)
Release Date: Jan 15, 2010
Detection Availability
                 Active Database    Extended Database
FortiGate        low                high
FortiClient
FortiMail        N/A
Current Antivirus Definition Database Version: 12.202
Description

Visible Symptoms

  • The following files exist:

    • %Documents and Settings\[UserName]\Start Menu\Programs\Startup\rarype32.exe
    • %Documents and Settings\[UserName]\Application Data\avdrn.dat

Detailed Analysis


W32/Bredolab.AC!tr.dldr runs in the background and allows remote access to the compromised system.

  • It drops the following files:

    • %Documents and Settings\[UserName]\Start Menu\Programs\Startup\rarype32.exe
    • %Documents and Settings\[UserName]\Application Data\avdrn.dat



Technical Details


  • Instead of the usual malware practice of calling the GetProcAddress function to locate the APIs it uses, this malware resolves them from a list of hash values computed from the API names.

  • It creates a temporary file in the %Temp% folder every time it needs to reference a DLL file. The filename has the following format:

    • TMP[xx].tmp, where [xx] is a two-digit number.

    These created temporary files are actual copies of the DLL file that the malware is referencing. They are deleted once the malware has the API addresses that it needs.

  • It drops a file named avdrn.dat in the %AppData% folder. This file contains a DWORD value that the malware uses in some of its routines.

  • The malware also drops a copy of itself as a temporary file in the %Temp% folder. This temporary file has the following filename format:

    • TM[xxxxx].tmp, where [xxxxx] is a five-digit random number.
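    A host triage check for the artifacts listed above, added here as an example and not part of the Fortinet entry: it flags the startup dropper, the avdrn.dat file, and the two %Temp% filename formats, and reads the DWORD that avdrn.dat is described as holding. The regexes, the sample path listing and the Windows XP style "Local Settings\Temp" location are constructed assumptions, not taken from the page.

```python
import re

# Indicators taken from the description above; paths use Windows separators.
# The patterns are constructed to match the stated filename formats:
# TMP[xx].tmp (two-digit number) and TM[xxxxx].tmp (five-digit random number).
INDICATORS = [
    ("startup_dropper", re.compile(r"\\Start Menu\\Programs\\Startup\\rarype32\.exe$", re.I)),
    ("appdata_config",  re.compile(r"\\Application Data\\avdrn\.dat$", re.I)),
    ("temp_dll_copy",   re.compile(r"\\Temp\\TMP\d{2}\.tmp$", re.I)),
    ("temp_self_copy",  re.compile(r"\\Temp\\TM\d{5}\.tmp$", re.I)),
]


def scan_paths(paths):
    """Return (indicator name, path) pairs for every path matching an indicator.

    Note that the TMP[xx].tmp copies are deleted once the malware has the API
    addresses it needs, so their absence does not clear a host; the startup
    entry and avdrn.dat are the persistent artifacts.
    """
    hits = []
    for p in paths:
        for name, rx in INDICATORS:
            if rx.search(p):
                hits.append((name, p))
    return hits


def read_avdrn_dword(data):
    """avdrn.dat holds a single DWORD; return it as an unsigned little-endian
    integer, or None when the content is not exactly 4 bytes (not the
    expected artifact)."""
    if len(data) != 4:
        return None
    return int.from_bytes(data, "little")


# Constructed sample listing (assumed XP-era profile layout), not real telemetry.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\rarype32.exe",
    r"C:\Documents and Settings\alice\Application Data\avdrn.dat",
    r"C:\Documents and Settings\alice\Local Settings\Temp\TMP07.tmp",
    r"C:\Documents and Settings\alice\Local Settings\Temp\TM48213.tmp",
    r"C:\Documents and Settings\alice\Local Settings\Temp\TMP123.tmp",  # wrong digit count, ignored
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    for name, path in scan_paths(SAMPLE_PATHS):
        print(f"{name}: {path}")
```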


Description Last Updated Date: Feb 03, 2010
Reference: ID - 1466456