Bredolab trojan spreading through DHL scam emails

Recently we have noticed various spam emails that claim to come from DHL Customer Service, with an attached .zip file of approximately 24 KB in size.


The file extracted from the .zip archive is an executable file:


Report date: 2.2.2010 at 20.58.00 (GMT 1)
File name: DHL_Label_1ae0a.exe
File size: 30208 bytes
MD5 hash: 6bbf1c34b753a46bc000000b74046a97
SHA1 hash: 10FDAD2FDCB2BA2EDC3ABD48D1DB72D33AB60180
Detection rate: 18 of 23 (78.26%)

a-squared 02/02/2010 Trojan.Win32.Bredolab!IK
Avira AntiVir DR/Delphi.Gen
Avast 100201-1 4.8.1229 Win32:Bredolab-BD [Trj]
AVG 270.14.132/2611 Generic_r.CV
BitDefender 02/02/2010 Trojan.CryptRedol.Gen.5
ClamAV 29/01/2010 0.95.1 Trojan.Agent-130266
Comodo 3468 3.13.579 TrojWare.Win32.Trojan.Agent.Gen
Dr.Web 02/02/2010 5.0 Trojan.Botnetlog.11
F-PROT6 20100201 W32/SuspPack.BG.gen!Eldorado
G-Data 19.9309 2.0.7309.847 Packed.Win32.Krap.aj A
Ikarus T3 29/01/2010 1001074 Trojan.Win32.Bredolab
Kaspersky 02/02/2010 Packed.Win32.Krap.aj
NOD32 v3 4829 3.0.677 Win32/Kryptik.BIT
Norman 2009/11/03 5.92.08 New unknown virus W32/Obfuscated.D!genr
Solo Antivirus 02/02/2010 8.0 Backdoor.Bredolab.Bki
Sophos 02/02/2010 4.32.0 Mal/FakeDouf-B
VBA32 02/02/2010 Backdoor.Win32.Lyla.2
VirusBuster 10.119.29 1.4.3 Trojan.Fraudload.Gen!Pac.5

When the file is executed, it creates the following files:


The file named isqsys32.exe carries the +S (System) attribute and injects code into another system process, svchost.exe. It is placed in the Startup folder, so the malicious file runs every time Windows starts; because it is copied into the Startup folder, no registry key related to its startup is added. The two .DLL files are installed as Browser Helper Objects and are used to control the Internet Explorer web browser.
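The two persistence traits described above (a System-attributed executable dropped in a Startup folder, and DLLs registered as Browser Helper Objects) can be checked for with a short script. This is an added example, not code from the original post; it assumes PowerShell 5.1 or later on Windows and an elevated session so that the all-users folder and HKLM are readable.

```powershell
# Added example (not from the original post): look for the two persistence
# traits described above: an executable carrying the System attribute in a
# Startup folder, and DLLs registered as Browser Helper Objects.
# Assumes PowerShell 5.1+ on Windows; run elevated to see the all-users folder.

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user
    [Environment]::GetFolderPath('CommonStartup')   # all users
)

$suspicious = foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    # -Force is required: files with the System or Hidden attribute are
    # skipped by default, which is exactly how such a dropper stays out of sight.
    Get-ChildItem -Path $folder -File -Force |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::System } |
        ForEach-Object {
            [PSCustomObject]@{
                Path       = $_.FullName
                Attributes = $_.Attributes
                SHA1       = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
            }
        }
}

'== Startup-folder files with the System attribute =='
$suspicious | Format-Table -AutoSize

# BHOs are registered by CLSID under this key; each CLSID resolves to its DLL
# through HKCR\CLSID\{guid}\InprocServer32 (default value).
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$bhos = if (Test-Path $bhoKey) {
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' }
               else { '<no InprocServer32>' }
        [PSCustomObject]@{ CLSID = $clsid; DLL = $dll }
    }
}

'== Registered Browser Helper Objects =='
$bhos | Format-Table -AutoSize
```

On 64-bit Windows, 32-bit BHOs are registered under the corresponding Wow6432Node path instead, so that key should be enumerated as well.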

If you have received similar emails, make sure to analyze the attached file; also check the extension of the attachment and the extension of the extracted file.
If it is a virus, delete the email immediately!
