New Bredolab variants in the wild

Some new Bredolab variants have been captured by Ax3soft in different messages.

1. "Report" emails

The first message, with the subject "report", is sent from a fake email address. The body of the email is very short:

see my report in attach

The file report.zip is attached to the email; it is a ZIP archive containing a 16 KB file, report.exe. The Trojan is detected as W32/Bredolab.FZ (Authentium), Email-Worm:W32/Waledac.HZ (F-Secure) and W32/Bredolab.B!genr (Norman).

2. "Review your annual Social Security statement" emails

This message is sent from fake email addresses with the subject "Review your annual Social Security statement". The content of the email:

Due to possible calculation errors, your annual Social Security statement may contain errors. Open attached file to review your annual Social Security statement.

The file statement.zip is attached to the email; it is a ZIP archive containing a 16 KB file, statement.exe. The Trojan is detected as W32/Bredolab.FX (Authentium), Gen:Trojan.Heur.FU.amW@aWPlGEii (F-Secure), W32/Bredolab.B!genr (Norman), Trojan.Win32.FakeAV (Ikarus) and Mal/FakeAV-EE (Sophos).

The Trojan creates a large number of Windows registry modifications and tries to establish a connection on port 80 to the following IP: 85.234.191.111

It downloads data from the following hosts:
·hxxp:// 188.65.74.161/varag_sdfgkwlkgadfshn.exe
·hxxp:// 85.234.191.111/bat.exe
·hxxp:// 188.65.74.165/bat.exe

The Trojan installs the "Security Tool" malware into the directory "C:\Documents and Settings\%User Profile%\My Documents\Local Settings\Application Data" and adds an automatic start-up entry to the registry.

3. Security Tool removal instructions

Getting rid of Security Tool can be a complex task, because you first need to disable its protection against antivirus software. At the moment Security Tool allows users to launch processes that look like browser processes, since it needs the user to visit its website. We suggest renaming or copying removal tools as iexplorer.exe or firefox.exe, which should pass through Security Tool's blocking mechanism. Here is how to get rid of Security Tool:

1. Disable Security Tool
a) Reboot into Safe Mode with Networking (press F8 just after reboot), or
b) press Ctrl+Shift+Esc right after logging in to Windows, go to the Processes tab and stop all processes with numeric names.

2. Delete the Security Tool files (see under Files in our guide)
a) by investigating where the Security Tool shortcut points to (it will be on the desktop), or
b) by searching for files with the same names as the processes you stopped, if you followed step 1.b.

3. Reboot and do a follow-up scan with the free Spyware Doctor scanner. This will detect any additional problems or files you might have missed.
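As an added triage aid (this script is not part of the Ax3soft newsletter), the following PowerShell lists the three artifacts the removal steps above look for, without deleting anything: running processes with purely numeric names, Run-key autostart entries and desktop shortcut targets that point into the user's "Local Settings\Application Data" folder. The folder patterns (that folder plus its modern equivalent, %LOCALAPPDATA%) and the choice of Run keys are my assumptions, not values from the advisory.

```powershell
# Added triage script: report (do not remove) the artifacts named in the removal steps.
# Assumed suspicious install folders (the advisory names Local Settings\Application Data).
$suspiciousDirs = @(
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data'),
    $env:LOCALAPPDATA
) | Where-Object { $_ }

function Test-SuspiciousPath([string]$Path) {
    if (-not $Path) { return $false }
    $clean = $Path.Trim().TrimStart('"')
    foreach ($dir in $suspiciousDirs) {
        if ($clean.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Processes whose name is all digits (step 1.b tells you to stop these).
Get-Process | Where-Object { $_.ProcessName -match '^\d+$' } | ForEach-Object {
    "[process] PID $($_.Id) name '$($_.ProcessName)' path: $($_.Path)"
}

# 2. Autostart entries in the common Run keys whose target lives in a suspicious folder.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        if (Test-SuspiciousPath ([string]$prop.Value)) {
            "[autorun] $key\$($prop.Name) -> $($prop.Value)"
        }
    }
}

# 3. Desktop shortcuts (step 2.a): resolve each .lnk target via the WScript.Shell COM object.
$shell   = New-Object -ComObject WScript.Shell
$desktop = [Environment]::GetFolderPath('Desktop')
Get-ChildItem -Path $desktop -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    if (Test-SuspiciousPath $target) { "[shortcut] $($_.FullName) -> $target" }
}
```

Run it from an elevated PowerShell prompt so the HKLM Run key is readable; it only prints findings, so the manual deletion in step 2 still has to be done after reviewing the output.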
How-to's

1. Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

2. We have added new Ax3soft Sax2 policies that detect this Trojan; please update the Sax2 policy knowledge base promptly. For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

Appendix: What is Security Tool?

Security Tool is a fake spyware remover with an impressively generic name, even by the standards of rogue anti-spyware names. This parasite enters the system without the user's knowledge or consent, usually by means of various Trojans. Security Tool might also convince you to download it through the browser hijacker Sitesecuritytest.com, which is a fake online scan. Security Tool uses misleading advertising to trick users into purchasing its so-called "licensed version". Once inside and active, Security Tool floods the user with popups and fake system notifications claiming that the system is infected and in need of an anti-spyware program. All of these popups lead to the purchase page of Security Tool. Much like any other rogue, Security Tool also performs fake system scans, which mark legitimate files as threats. To remove these "threats" you supposedly have to purchase the full version of Security Tool, which is just as fake as the trial. Typically, the popups warn about various dangerous spyware, for example in windows titled "Security Tool Warning". Of course, these threats do not exist on your PC, as Security Tool's scanner is not functional and is just a decoy. Popups aside, Security Tool also significantly decreases system performance, blocks certain websites and prevents some applications from running. It is a scam and should be treated as such: do NOT download or buy it, and remove Security Tool immediately upon detection.