Presence of the following files
on the affected system.
%Programs% refers to the user's programs. For example : C:\Documents and Settings\[UserName]\Start Menu\Programs
%AppData% is the application-data path. For example : C:\Documents and Settings\[UserName]\Application Data.
This malware has a word document icon in oder to lure the user into opening it.
It copies itself in %Programs%\Startup\rarype32.exe in order to start along with Windows and removes traces of installation on the machine by deleting the original file which generated the infection.
Trojan.Downloader.Bredolab.CZ has 2 components:
- packed main executable
- downloader (which is never written on disk directly but is injected into other processes)
The trojan creates a custom unique mutex in order to check if the system is already infected. Also it inject itself into a running version of "explorer.exe"
This malware is known for downloading rogue antiviruses (e.g. PC Antispyware 2010): software products which once installed will generate alerts of fake infections and urge the user to fix those issues. The user is informed that in order to clean his computer of the threats, he needs to buy a license of that specific AV. In reality the product even after being licensed/registered will not delete any file or otherwise fix any of the detected issues.
The downloader is a standard downloader connecting, in this case, to dollardream.ru and requesting a download. The server send encrypted executable which is decrypted by the downloader and executed on the infected machine. Usually the payload is represented by rogue antiviruses.