Bredolab trojan spreading through DHL scam emails

Recently we have noticed various spam emails claiming to come from DHL Customer Service, with an attached .zip file named DHL_Label_1ae0a.zip of approximately 24 KB.

Screenshot

The file extracted from the .zip archive is not a shipping label but a Windows executable:

Screenshot

Report date: 2.2.2010 at 20.58.00 (GMT 1)
File name: DHL_Label_1ae0a.exe
File size: 30208 bytes
MD5 hash: 6bbf1c34b753a46bc000000b74046a97
SHA1 hash: 10FDAD2FDCB2BA2EDC3ABD48D1DB72D33AB60180
Detection rate: 18 of 23 engines (78.26%)

Engine          Signature DB      Version       Detection
a-squared       02/02/2010        4.5.0.8       Trojan.Win32.Bredolab!IK
Avira AntiVir   7.10.3.139        7.6.0.59      DR/Delphi.Gen
Avast           100201-1          4.8.1229      Win32:Bredolab-BD [Trj]
AVG             270.14.132/2611   9.0.0.725     Generic_r.CV
BitDefender     02/02/2010        7.0.0.2555    Trojan.CryptRedol.Gen.5
ClamAV          29/01/2010        0.95.1        Trojan.Agent-130266
Comodo          3468              3.13.579      TrojWare.Win32.Trojan.Agent.Gen
Dr.Web          02/02/2010        5.0           Trojan.Botnetlog.11
F-PROT6         20100201          4.5.1.85      W32/SuspPack.BG.gen!Eldorado
G-Data          19.9309           2.0.7309.847  Packed.Win32.Krap.aj A
Ikarus T3       29/01/2010        1001074       Trojan.Win32.Bredolab
Kaspersky       02/02/2010        8.0.0.357     Packed.Win32.Krap.aj
NOD32 v3        4829              3.0.677       Win32/Kryptik.BIT
Norman          2009/11/03        5.92.08       New unknown virus W32/Obfuscated.D!genr
Solo Antivirus  02/02/2010        8.0           Backdoor.Bredolab.Bki
Sophos          02/02/2010        4.32.0        Mal/FakeDouf-B
VBA32           02/02/2010        3.12.0.300    Backdoor.Win32.Lyla.2
VirusBuster     10.119.29         1.4.3         Trojan.Fraudload.Gen!Pac.5
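As an added example that is not part of the original post, the Python script below performs the kind of offline attachment triage this report calls for: it opens the zip in memory, flags each member by executable extension, double extension and the MZ header, hashes it and compares the digests with the MD5/SHA1 listed above. The zip it builds is a constructed stand-in containing a fake MZ stub, not the real sample; the extension lists and the size guard are my own choices.

```python
import hashlib
import io
import zipfile

# IOCs as reported for DHL_Label_1ae0a.exe, lowercased for comparison.
KNOWN_BAD_MD5 = {"6bbf1c34b753a46bc000000b74046a97"}
KNOWN_BAD_SHA1 = {"10fdad2fdcb2ba2edc3abd48d1db72d33ab60180"}

# Extensions Windows runs (directly or via a script host) on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".cpl"}
# Extensions a lure uses to look harmless in a double-extension name.
DECOY_EXTS = {".pdf", ".doc", ".xls", ".txt", ".jpg", ".gif", ".html"}
MAX_MEMBER_SIZE = 50 * 1024 * 1024  # do not inflate anything bigger (zip-bomb guard)


def hashes(data):
    """Return (md5, sha1) hex digests so the file can be compared with published IOCs."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def ioc_hit(md5, sha1):
    """True if either digest matches an IOC from the report."""
    return md5.lower() in KNOWN_BAD_MD5 or sha1.lower() in KNOWN_BAD_SHA1


def triage_member(name, data):
    """Classify one extracted file by name and content, without running it."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    md5, sha1 = hashes(data)
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
    if inner in DECOY_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append("double extension " + inner + ext)
    if data[:2] == b"MZ":
        reasons.append("MZ header: Windows executable regardless of extension")
    if ioc_hit(md5, sha1):
        reasons.append("hash matches published Bredolab IOC")
    return {"name": name, "size": len(data), "md5": md5, "sha1": sha1, "reasons": reasons}


def triage_zip(zip_bytes):
    """Walk a zip attachment in memory and return one triage record per file."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_SIZE:
                results.append({"name": info.filename, "size": info.file_size,
                                "md5": None, "sha1": None,
                                "reasons": ["member too large to inflate safely"]})
                continue
            results.append(triage_member(info.filename, zf.read(info)))
    return results


def build_sample_zip():
    """Constructed stand-in for the attachment: fake PE stubs, not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DHL_Label_1ae0a.exe",
                    b"MZ" + b"\x00" * 62 + b"constructed stand-in, not malware")
        zf.writestr("Invoice.pdf.exe", b"MZ" + b"\x90" * 16)
        zf.writestr("readme.txt", b"abc")
    return buf.getvalue()


if __name__ == "__main__":
    for rec in triage_zip(build_sample_zip()):
        verdict = "SUSPICIOUS" if rec["reasons"] else "ok"
        print(f"{verdict:10} {rec['name']:24} {rec['size']:>6} B  md5={rec['md5']}")
        for r in rec["reasons"]:
            print("           -", r)
```

To use it on a real message, save the attachment unopened and pass its bytes to triage_zip(); a hash hit confirms this exact sample, while the extension and MZ checks still catch repacked variants that the hash list will never match.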

When the file is executed, it creates the following files:

%Programs%\Startup\isqsys32.exe
C:\WINDOWS\okrehint.dll
C:\WINDOWS\system32\kmopare.dll
C:\WINDOWS\system32\sys.dat
C:\WINDOWS\system32\wbem\proquota.exe
C:\WINDOWS\Temp\wpv244543543509.exe

The file isqsys32.exe carries the +S (System) attribute and injects code into the system process svchost.exe. Because it is placed in the Startup folder, it runs every time Windows starts, so the trojan needs no Run key in the registry for its persistence; a check that only looks at registry autostart locations will miss it. The two .DLL files are registered as Browser Helper Objects and are used to control Internet Explorer.
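The persistence described above gives a defender two places to look: the Startup folder and the Browser Helper Objects registered in the registry. As an added example that is not part of the original post, the Python below checks both. The two flag_* functions work on plain path and attribute values so they can be exercised on any OS with the constructed entries in the demo; on Windows, scan_startup_folder() and enumerate_bhos() feed them live data. The "DLL under the Windows directory" heuristic, the Windows directory names and the CLSIDs in the demo are my assumptions, not facts from the report.

```python
import os
import stat

# Dropped-file IOCs from the report, kept as lowercase path suffixes so that a hit
# requires the directory as well as the name: a bare filename such as proquota.exe
# may also belong to a legitimate file elsewhere on the system.
DROPPED_FILE_SUFFIXES = (
    r"\startup\isqsys32.exe",
    r"\windows\okrehint.dll",
    r"\system32\kmopare.dll",
    r"\system32\sys.dat",
    r"\system32\wbem\proquota.exe",
    r"\windows\temp\wpv244543543509.exe",
)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
WINDOWS_DIRS = ("\\windows\\", "\\winnt\\")   # assumed install roots (XP-era names)


def _norm(path):
    return path.replace("/", "\\").lower()


def ioc_path_hit(path):
    """True if the path ends in one of the report's dropped-file locations."""
    return any(_norm(path).endswith(s) for s in DROPPED_FILE_SUFFIXES)


def flag_startup_entry(path, attributes):
    """Reasons an item in a Startup folder deserves a look. Only executables are
    flagged; a Startup folder normally holds shortcuts, so a binary sitting there
    with System/Hidden attributes is the pattern the report describes."""
    reasons = []
    if os.path.splitext(path)[1].lower() in EXECUTABLE_EXTS:
        reasons.append("executable placed directly in Startup folder")
        if attributes & stat.FILE_ATTRIBUTE_SYSTEM:
            reasons.append("System attribute set (unusual for a user-dropped file)")
        if attributes & stat.FILE_ATTRIBUTE_HIDDEN:
            reasons.append("Hidden attribute set")
    if ioc_path_hit(path):
        reasons.append("path matches dropped-file IOC from the report")
    return reasons


def flag_bho(clsid, dll_path):
    """Heuristic review of one Browser Helper Object registration."""
    reasons = []
    p = _norm(dll_path)
    if not dll_path:
        reasons.append("CLSID has no InprocServer32 DLL path")
    elif any(d in p for d in WINDOWS_DIRS) and "\\program files" not in p:
        # Assumption: vendor installers register BHOs from their own directories,
        # so a DLL dropped straight into %WINDIR% or system32 stands out.
        reasons.append("BHO DLL lives under the Windows directory")
    if ioc_path_hit(dll_path):
        reasons.append("DLL path matches dropped-file IOC from the report")
    return reasons


def scan_startup_folder(folder):
    """Live check of a Startup folder; st_file_attributes exists only on Windows."""
    findings = []
    for entry in os.scandir(folder):
        attrs = getattr(entry.stat(), "st_file_attributes", 0)
        findings.append((entry.path, flag_startup_entry(entry.path, attrs)))
    return findings


def enumerate_bhos():
    """Read installed BHO CLSIDs and their DLLs from the registry (Windows only)."""
    try:
        import winreg
    except ImportError:
        return []
    found = []
    key_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                clsid = winreg.EnumKey(key, i)
                try:
                    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                                        r"CLSID\%s\InprocServer32" % clsid) as srv:
                        dll = winreg.QueryValueEx(srv, "")[0]
                except OSError:
                    dll = ""
                found.append((clsid, dll))
    except OSError:
        pass
    return found


if __name__ == "__main__":
    # Constructed entries with XP-style paths from the report; the CLSIDs are made up.
    # On Windows, add scan_startup_folder(<your Startup path>) and enumerate_bhos().
    startup = r"C:\Documents and Settings\user\Start Menu\Programs\Startup"
    for name, attrs in [("isqsys32.exe", stat.FILE_ATTRIBUTE_SYSTEM | stat.FILE_ATTRIBUTE_ARCHIVE),
                        ("desktop.ini", stat.FILE_ATTRIBUTE_SYSTEM | stat.FILE_ATTRIBUTE_HIDDEN),
                        ("Shortcut.lnk", 0)]:
        print(name, "->", flag_startup_entry(startup + "\\" + name, attrs) or "ok")
    demo_bhos = [("{00000000-0000-0000-0000-000000000001}", r"C:\WINDOWS\okrehint.dll"),
                 ("{00000000-0000-0000-0000-000000000002}", r"C:\WINDOWS\system32\kmopare.dll"),
                 ("{00000000-0000-0000-0000-000000000003}", r"C:\Program Files\Vendor\helper.dll")]
    for clsid, dll in demo_bhos + enumerate_bhos():
        print(clsid, dll, "->", flag_bho(clsid, dll) or "ok")
```

Note that desktop.ini, which Windows itself marks Hidden and System inside special folders, is deliberately not flagged: only executables count, with the attributes reported as aggravating factors. On 64-bit Windows the 32-bit Internet Explorer registers its BHOs under the Wow6432Node branch as well, which this example does not walk.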

If you have received similar emails, analyze the attachment before opening it: check the extension of the attached file and the extension of the file it extracts to (a shipping label would not be an .exe).
If it turns out to be malware, delete the email immediately!
