TrojanDownloader:Win32/Bredolab.X

TrojanDownloader:Win32/Bredolab.X is a detection for malware that connects to a remote server to download and execute additional files. It disables HIPS (Host-Based Intrusion Prevention System) monitoring.

TrojanDownloader:Win32/Bredolab.X may be downloaded or dropped by other malware. One such sample is downloaded by members of the Exploit:Win32/Pdfjsc family.

 

It is installed to the Startup folder using a variable file name. One file name it is known to use is 'zqosys32.exe'. It injects itself in the 'svchost.exe' and 'explorer.exe' processes.

 

Note: TrojanDownloader:Win32/Bredolab.X does not run in virtualized environments.

Disables system settings

TrojanDownloader:Win32/Bredolab.X attempts to disable HIPS (Host-based Intrusion Prevention System) monitoring.

 

Downloads other malware

TrojanDownloader:Win32/Bredolab.X attempts to connect to a remote server to report that it has infected the system and to download other malware. It has been observed contacting a remote host at IP '78.109.29.116' for this purpose, from which it downloaded variants of Win32/Momibot and Win32/Waledac malware.

 

Analysis by Shawn Wang