Discovered on 19 January, Trojan.Downloader.Bredolab.CJ is an approximately 40 KB piece of code with a high damage rate. On an affected system, the symptoms are the presence of %Programs%\Startup\rarype32.exe and %AppData%\avdrn.dat.
Trojan.Downloader.Bredolab.CJ is disguised as a Word document in order to trick users into downloading it onto the computer. Once on the computer, it copies itself to %Programs%\Startup\rarype32.exe and immediately deletes the original file that caused the infection, so as to remove all traces of its existence. This malicious code has two components: the packed main executable and a downloader that is always injected into other processes (including explorer.exe) rather than being written to the hard disk.
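As an added defender-side example (not code from the BitDefender write-up), the following script turns the two file artifacts named above into an offline triage check: the %Programs% and %AppData% tokens are resolved against an explicit environment mapping, each path is tested for presence, and the executable's size is compared with the roughly 40 KB figure given in the description. The `demo()` scenario builds a constructed sandbox tree with a placeholder file; the indicator list, size range and all helper names are assumptions made for this example.

```python
import os
import tempfile

# Artifact paths named in the write-up. The %Programs% and %AppData% tokens are
# resolved against an explicit environment mapping so the check can run offline.
BREDOLAB_CJ_INDICATORS = [
    r"%Programs%\Startup\rarype32.exe",
    r"%AppData%\avdrn.dat",
]

# Approximate size of the main executable reported in the write-up (~40 KB);
# the tolerance band is an assumption for this example.
EXPECTED_SIZE_RANGE = (30 * 1024, 50 * 1024)


def resolve(indicator, env):
    """Expand %TOKEN% placeholders from `env` and normalise path separators."""
    path = indicator
    for token, value in env.items():
        path = path.replace("%" + token + "%", value)
    return os.path.normpath(path.replace("\\", os.sep))


def check_indicators(env, indicators=BREDOLAB_CJ_INDICATORS):
    """Return one record per indicator: path, presence, size and size match."""
    findings = []
    lo, hi = EXPECTED_SIZE_RANGE
    for ind in indicators:
        path = resolve(ind, env)
        present = os.path.isfile(path)
        size = os.path.getsize(path) if present else None
        findings.append({
            "indicator": ind,
            "path": path,
            "present": present,
            "size": size,
            "size_matches": present and ind.endswith(".exe") and lo <= size <= hi,
        })
    return findings


def demo():
    """Constructed scenario: a temp tree holding a 40 KB placeholder dropper copy."""
    root = tempfile.mkdtemp()
    env = {"Programs": os.path.join(root, "Programs"),
           "AppData": os.path.join(root, "AppData")}
    startup = os.path.join(env["Programs"], "Startup")
    os.makedirs(startup)
    os.makedirs(env["AppData"])
    with open(os.path.join(startup, "rarype32.exe"), "wb") as f:
        f.write(b"\x00" * 40 * 1024)   # constructed placeholder bytes, not malware
    return check_indicators(env)
```

On a live host, pass the real folder values (for example from `os.environ`) instead of the constructed mapping; any hit should be hashed and preserved before removal so the sample can be submitted for analysis.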
This malware is known to download rogue antivirus suites (e.g. PC Antispyware 2010). Once installed, this software generates alerts about fake infections and urges the user to fix these issues. Other message dialogs claim that, in order to protect the computer against all these threats, the unwary Internet surfer needs to buy a license for that specific AV solution, which will, of course, solve none of the above-mentioned problems.
Bredolab.CJ uses a regular downloader to take care of updates and to drop more malware on infected systems. This component tries to connect to www.dollar[removed]m.ru and looks for additional malware to install. What is interesting about Trojan.Downloader.Bredolab.CJ is that the server does not send a plain binary file, but rather an encrypted file that can only be unpacked by the downloader component. Most of the time, these new files contain additional rogue antivirus utilities.
Information in this article is available courtesy of BitDefender virus researcher Daniel Chipiristeanu.