Bredolab Trojan spam campaign (July 16, 2010)
The SonicWALL UTM Research team observed a wave of resume-themed spam carrying a newer variant of the Bredolab Trojan, starting earlier this week. The spam e-mails arrive with a zip-archived attachment that contains the Bredolab Trojan executable. The e-mail pretends to come from a prospective job applicant and looks like:
Attachment: resume_41170.zip (contains Myresume.exe)
Subject: Please look my CV, Thank you
I have figured out that you have an available job.
I am quiet intrested in it. So I send you my resume,
Looking forward to your reply.
A sample e-mail message looks like:
The executable file inside the attachment has an icon disguised as a Microsoft Word document file:
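The lure above gives a mail gateway three cheap indicators: the subject text, the resume_<digits>.zip attachment name, and an executable hidden inside the archive. The following script, an added example rather than SonicWALL's code, constructs a message mirroring the advisory (the .exe inside the zip is placeholder bytes, not malware) and shows how a filter would flag each indicator. The sender and recipient addresses are constructed.

```python
"""Mail-gateway check for the resume-themed Bredolab lure.

Added example, not SonicWALL code. Indicators come from the advisory:
the subject line, the resume_<digits>.zip attachment name and an .exe
inside the archive. The sample message and archive are constructed here.
"""
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Indicators taken from the advisory text.
SUBJECT_PATTERN = re.compile(r"please look my cv", re.IGNORECASE)
ATTACHMENT_PATTERN = re.compile(r"^resume_\d+\.zip$", re.IGNORECASE)
# Extensions Windows executes directly on double-click.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def archive_members(zip_bytes):
    """Return the member names of a zip attachment (empty list if it is not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def scan_message(raw_message):
    """Return the list of indicator strings triggered by one RFC 822 message."""
    msg = message_from_bytes(raw_message, policy=default)
    findings = []
    subject = msg.get("Subject", "")
    if SUBJECT_PATTERN.search(subject):
        findings.append(f"subject matches Bredolab lure: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_PATTERN.match(name):
            findings.append(f"attachment name matches resume_<digits>.zip: {name}")
        if part.get_content_type() == "application/zip":
            payload = part.get_payload(decode=True) or b""
            for member in archive_members(payload):
                if member.lower().endswith(EXECUTABLE_EXTENSIONS):
                    findings.append(f"executable inside archive {name}: {member}")
    return findings


def build_sample_message():
    """Construct a message mirroring the advisory's lure (placeholder bytes, not a real executable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Myresume.exe", b"MZ placeholder, not a real executable")
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"  # constructed address
    msg["To"] = "hr@example.invalid"           # constructed address
    msg["Subject"] = "Please look my CV, Thank you"
    msg.set_content(
        "I have figured out that you have an available job.\n"
        "I am quiet intrested in it. So I send you my resume,\n"
        "Looking forward to your reply.\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="resume_41170.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("ALERT:", finding)
```

The archive check is the durable part: the subject and file-name patterns change from campaign to campaign, while an executable inside a zip from an unknown sender is worth quarantining regardless of the lure text. The Word-document icon cannot be seen from the zip listing; it would need the PE resources to be inspected after extraction.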
If the user opens the malicious attachment, the Trojan performs the following activities on the victim's machine:
It creates the following file:
- C:\WINDOWS\System32\svrwsc.exe - Detected as GAV: Bredolab.ZX (Trojan)
It injects itself into the following processes
It attempts to access the following files and fails, possibly looking for a prior infection:
- (Application Data)\Microsoft\OFFICE\TEMP\doc~1.dat
- (Application Data)\Microsoft\OFFICE\TEMP\doc~2.dat
It connects to a predetermined malicious domain, musiceng.ru, and sends process information.
It creates the following registry keys so that svrwsc.exe starts as a service named "Windows Security Center Service" on every system restart:
- HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Type: 0x00000010
- HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Start: 0x00000002
- HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\ErrorControl: 0x00000000
- HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\ImagePath: "C:\WINDOWS\System32\svrwsc.exe"
- HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\DisplayName: "Windows Security Center Service"
- HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\ObjectName: "LocalSystem"
- HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Description: "The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service."
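The service key above is the persistence artifact a responder can hunt for across a fleet. The following script, an added example rather than SonicWALL's code, parses a `reg export` text dump of the Services hive and reports two things: the SvrWsc / svrwsc.exe indicator from the advisory, and the more general pattern of a service whose DisplayName borrows the "Security Center" name while its ImagePath is not the svchost.exe-hosted wscsvc service that Windows itself uses. The export text is constructed; the benign wscsvc entry in it is modelled on the real Windows service but its exact values are illustrative.

```python
"""Hunt for the Bredolab service persistence in a `reg export` text dump.

Added example, not SonicWALL code. Service key, ImagePath and DisplayName
come from the advisory; the export text is constructed. The legitimate
Security Center service key name (wscsvc, hosted by svchost.exe) is
background knowledge about Windows, not from the advisory.
"""
import re

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

# Indicators from the advisory.
IOC_SERVICE_KEY = "svrwsc"
IOC_IMAGE = "svrwsc.exe"
IMPERSONATED_DISPLAY = "security center"
LEGIT_SECURITY_CENTER_KEY = "wscsvc"  # real Windows service key, runs inside svchost.exe

# Constructed export: one benign svchost-hosted service, one entry with the
# advisory's values. Backslashes are doubled as in a real .reg file.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"DisplayName"="Security Center"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvrWsc]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="C:\\WINDOWS\\System32\\svrwsc.exe"
"DisplayName"="Windows Security Center Service"
"ObjectName"="LocalSystem"
"Description"="The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service."
"""


def parse_reg_export(text):
    """Return {service_key_name: {value_name: value}} for keys under ...\\Services\\."""
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            path = m.group(1)
            marker = "\\services\\"
            idx = path.lower().find(marker)
            if idx == -1:
                current = None  # not a service key; ignore its values
                continue
            name = path[idx + len(marker):].split("\\")[0]
            current = services.setdefault(name, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            # dword values are hex; string values escape '\' as '\\'
            current[name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return services


def image_basename(image_path):
    """Executable file name from an ImagePath such as 'C:\\x\\svchost.exe -k netsvcs'."""
    return image_path.strip('"').split("\\")[-1].split(" ")[0].lower()


def find_persistence(services):
    """Return finding strings for services matching the advisory's persistence profile."""
    findings = []
    for key, values in services.items():
        image = str(values.get("ImagePath", ""))
        exe = image_basename(image)
        display = str(values.get("DisplayName", "")).lower()
        # Type 0x10 = own-process service, Start 2 = automatic start (Windows SCM constants)
        profile = (values.get("Type") == 0x10 and values.get("Start") == 2
                   and str(values.get("ObjectName", "")).lower() == "localsystem")
        if key.lower() == IOC_SERVICE_KEY or exe == IOC_IMAGE:
            findings.append(f"{key}: Bredolab.ZX service indicator, ImagePath {image}"
                            f"{', auto-start own-process LocalSystem' if profile else ''}")
        elif (IMPERSONATED_DISPLAY in display and key.lower() != LEGIT_SECURITY_CENTER_KEY
              and exe != "svchost.exe"):
            findings.append(f"{key}: DisplayName impersonates Security Center but runs {image}")
    return findings


if __name__ == "__main__":
    for finding in find_persistence(parse_reg_export(SAMPLE_EXPORT)):
        print("ALERT:", finding)
```

On a live host the same dictionary can be produced with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` and fed to `parse_reg_export`; the second check catches renamed copies of the same trick, where only the key name and file name have changed.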
SonicWALL Gateway AntiVirus provides protection against this Bredolab Trojan variant with the GAV: Bredolab.ZX (Trojan) signature.