BKDR_BREDOLAB

ALIASES:

Bredo

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:

  • Threat Type: Backdoor
  • Destructiveness: No
  • Encrypted:
  • In the wild: Yes

OVERVIEW

Infection Channel:

Spammed via email, Downloaded from the Internet


BREDOLAB arrives via spammed email attachments. The email messages it arrives in vary: samples include spoofs of email from Social Security, DHL and Lenovo, while others are disguised as a puzzle, a wedding invitation, or a resume. BREDOLAB variants are also downloaded by other malware, particularly CUTWAIL or SASFIS. Variants of BREDOLAB may also be installed when users visit compromised pages injected with malicious iframes. They can also be downloaded via black hat search engine optimization (black hat SEO), where users are led to poisoned search results when searching for popular topics.

BREDOLAB's main function is to download other malware onto the systems it infects, such as FAKEAV and ZEUS. Some GUMBLAR variants also use BREDOLAB as their downloader component.

In addition to its downloading capabilities, BREDOLAB can detect whether it is running in an environment where it is being analyzed or observed. It does this by checking for the presence of several files related to analysis tools on the system. Once BREDOLAB detects these analysis-related files, it causes the system to stop responding with a blue screen (BSOD) error. This capability makes analysis of BREDOLAB malware difficult.

Variants of this malware family also unhook certain application programming interface (API) calls to avoid being detected and, consequently, removed from the affected system.

TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Downloads files

Installation

This backdoor drops the following files:

  • %Application Data%\avdrn.dat
  • %Application Data%\wiaservg.log
  • %Application Data%\avkgp.dat

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

  • %User Startup%\{random}32.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)
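The dropped files and the Startup copy listed above are host-based indicators a responder can sweep for. The following script is an added example and is not Trend Micro's code: it takes a file inventory (a list of absolute paths, for instance from an endpoint agent or a forensic image listing) and flags paths that match the entry's artifacts. It assumes the `%Application Data%` and `%User Startup%` locations given in the notes above, and, since `{random}` is unspecified, it treats any file named `*32.exe` directly in a user's Startup folder as a candidate, which is a heuristic of this example rather than a published rule. The sample inventory is constructed for illustration.

```python
import re

# Files dropped under %Application Data%, as listed in the entry.
DROPPED_FILES = {"avdrn.dat", "wiaservg.log", "avkgp.dat"}

# Copy of itself: %User Startup%\{random}32.exe. {random} is not specified, so
# this example (assumption) accepts any name ending in "32.exe" in that folder.
STARTUP_COPY_RE = re.compile(r"^[^\\]+32\.exe$", re.IGNORECASE)

# %Application Data% on 2000/XP/2003 ("Application Data") and Vista/7 ("AppData\Roaming").
# Only a file directly inside that folder is captured, not deeper subfolders.
APPDATA_RE = re.compile(r"\\(?:Application Data|AppData\\Roaming)\\([^\\]+)$", re.IGNORECASE)

# %User Startup% on all the profile layouts mentioned in the note.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.IGNORECASE)


def classify_path(path):
    """Return an indicator label for a path that matches one of the listed
    artifacts, or None. The folder must match too: the bare file name
    appearing elsewhere on disk is not treated as a hit."""
    m = APPDATA_RE.search(path)
    if m and m.group(1).lower() in DROPPED_FILES:
        return "dropped-file"
    m = STARTUP_RE.search(path)
    if m and STARTUP_COPY_RE.match(m.group(1)):
        return "startup-copy"
    return None


def scan_inventory(paths):
    """Group every matching path in the inventory by indicator label."""
    hits = {}
    for p in paths:
        label = classify_path(p)
        if label:
            hits.setdefault(label, []).append(p)
    return hits


# Constructed sample inventory (not real data): two dropped files, one Startup
# copy, and three benign or look-alike paths that must not be flagged.
SAMPLE_INVENTORY = [
    r"C:\Documents and Settings\alice\Application Data\avdrn.dat",
    r"C:\Documents and Settings\alice\Application Data\Microsoft\Word\normal.dot",
    r"C:\Users\bob\AppData\Roaming\wiaservg.log",
    r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\qxhv32.exe",
    r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Program Files\Common Files\avkgp.dat",  # right name, wrong folder
]

if __name__ == "__main__":
    for label, paths in scan_inventory(SAMPLE_INVENTORY).items():
        for p in paths:
            print(f"{label}: {p}")
```

A hit on the Startup copy alone is weak on its own because of the loose `{random}` heuristic; the dropped `.dat`/`.log` files under the same user's profile are what raise confidence, so the two labels are reported separately rather than merged into one verdict.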

Other Details

This backdoor connects to the following possibly malicious URLs:

  • {BLOCKED}oup128.ru
  • {BLOCKED}l.ru
  • {BLOCKED}ang.ru
  • {BLOCKED}epof.ru
  • {BLOCKED}ale.ru
