Barrier1 Stops Bredolab Trojan

The Bredolab Trojan is dangerous because it works silently in the background. If the machine is not protected with security tools, Bredolab can make quite a mess without raising any suspicion. Its job is to deliver other malware to the computer. Bredolab itself does not corrupt files or steal information, but the programs it installs can cause a great deal of damage.

The Trojan downloader usually downloads and runs fraudulent security tools, but it may also download keyloggers, adware, web browser toolbars and other malicious applications. Removing Bredolab is necessary to prevent further infections and keep the computer safe. Bredolab also drops and changes system files; the following are just a few of them.

\digeste.dll
\digiwet.dll
\mcenspc.dll
\msansspc.dll
%startup%\asgupd32.exe
%startup%\dfqupd32.exe
%startup%\dmaupd32.exe
%startup%\fmnupd32.exe
%startup%\ihaupd32.exe
%startup%\imiupd32.exe
%startup%\legupd32.exe

As with all blended threats, Win32/Bredolab has mutated over time. At the time of installation when older variants of Win32/Bredolab are executed, they copy themselves to one of the following locations, converting their EXE to a DLL:
\digeste.dll
\digiwet.dll
\mcenspc.dll
\msansspc.dll

The registry is then modified to ensure that the DLL is loaded. For example:
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
Sets value: “SecurityProviders”
With data: “msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll”
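The two persistence artifacts described above (the extra DLL appended to the SecurityProviders registry value, and the three-letter-plus-upd32.exe loaders dropped into the Startup folder) are both easy to check for once the host state has been collected. The following is an added example written for this page, not Barrier1's or any vendor's code: it compares the SecurityProviders value against the default Windows provider list quoted in the registry example, flags any DLL outside that baseline, and reports when the extra name is a near-lookalike of a legitimate provider (digeste.dll next to digest.dll). It also matches Startup-folder entries against the loader naming pattern from the file list. The registry value string and Startup listing embedded in the code are constructed sample data modelled on the post, not captured from a real host.

```python
"""Triage helper for the Bredolab persistence described on this page.

Added example, not Barrier1's or any vendor's code. It takes two pieces of
host state an analyst would have collected (the SecurityProviders registry
value and a listing of the per-user Startup folder) and reports entries that
do not match a known-good baseline. All inputs below are constructed.
"""
import re

# Default Windows security providers, as quoted in the registry example above;
# the Bredolab variant described there appends its own DLL to this list.
BASELINE_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Loader names the post lists under %startup%: three letters + "upd32.exe".
STARTUP_PATTERN = re.compile(r"^[a-z]{3}upd32\.exe$", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike DLL names (digeste.dll vs digest.dll)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def parse_security_providers(value: str) -> list[str]:
    """Split the comma-separated REG_SZ data into normalised DLL names."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def check_security_providers(value: str) -> dict:
    """Return providers outside the baseline and, for each, the legitimate
    name it resembles (within two edits), if any."""
    unknown = [p for p in parse_security_providers(value) if p not in BASELINE_PROVIDERS]
    lookalikes = {}
    for p in unknown:
        closest = min(BASELINE_PROVIDERS, key=lambda good: levenshtein(p, good))
        if levenshtein(p, closest) <= 2:
            lookalikes[p] = closest
    return {"unknown": unknown, "lookalikes": lookalikes}


def check_startup_folder(filenames: list[str]) -> list[str]:
    """Return Startup-folder entries matching the loader naming pattern."""
    return sorted(f for f in filenames if STARTUP_PATTERN.match(f))


# Constructed sample input modelled on the post (not from a real host).
SAMPLE_PROVIDERS = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll"
SAMPLE_STARTUP = ["desktop.ini", "asgupd32.exe", "OneNote.lnk", "legupd32.exe"]

if __name__ == "__main__":
    print(check_security_providers(SAMPLE_PROVIDERS))
    print(check_startup_folder(SAMPLE_STARTUP))
```

Comparing against an explicit baseline rather than searching for the specific Bredolab names is deliberate: the post notes that the family has mutated over time, so the fixed file names above are unreliable, whereas an unexpected entry in SecurityProviders is suspicious whatever it is called.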

Win32/Bredolab contacts a remote host and receives a response from the master server that contains at least one encrypted binary. The downloaded binaries are decrypted and executed. Win32/Bredolab may store downloaded binaries under a random file name on the local machine. Some variants of Win32/Bredolab may create the following file during execution:
%appdata%\wiaserva.log

Several variants of Win32/Bredolab have been the focus of various spam mass-mailings. Here is a selection of e-mails, used in the wild, to distribute Bredolab onto users’ computers:

Example email #1

Subject: Postal Tracking #IARN863188FLP4G

Hello!

We were not able to deliver postal package you sent on the 14th of March in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America

Example email #2

Subject: Shipping confirmation for order -08244007

Hello!

Thank you for shopping at our internet shop!
We have successfully received your payment.
Your order has been shipped to your billing address.
You have ordered Samsung GO N310-13G.
You can find your tracking number in attached to the e-mail document.
Please print the label to get your package.
We hope you enjoy your order!
