Threat behavior
TrojanDownloader:Win32/Bredolab.AC is a trojan that downloads and executes arbitrary files from a remote host.
Installation
When executed, the malware makes a copy of itself in the following location:
<startup folder>\monskc32.exe
Note: <startup folder> refers to a variable location that the malware determines by querying the operating system. The default location of the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
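As an added defensive check that is not part of this Microsoft entry, the PowerShell script below looks for the dropped file name 'monskc32.exe' in the Startup folder of every user profile on the machine, covering both default Startup paths quoted above rather than only the current user's. It assumes that profiles live under the parent directory of the current user's profile (C:\Users or C:\Documents and Settings) and that Get-FileHash is available (PowerShell 4 or later).

```powershell
# Added example, not from the Microsoft entry: hunt for the Bredolab.AC
# persistence artifact in every profile's Startup folder.
$fileName = 'monskc32.exe'

# Default Startup folder paths relative to a user profile, as quoted in the entry.
$relativeStartupPaths = @(
    'Start Menu\Programs\Startup',                                  # 9x/Me/NT/2000/XP/2003
    'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' # Vista/7
)

# Assumption: all profiles sit beside the current one (C:\Users or
# C:\Documents and Settings). Adjust if profiles have been relocated.
$profileRoot = Split-Path -Parent $env:USERPROFILE
$profiles = Get-ChildItem -LiteralPath $profileRoot -Directory -ErrorAction SilentlyContinue

$hits = foreach ($profile in $profiles) {
    foreach ($rel in $relativeStartupPaths) {
        $candidate = Join-Path $profile.FullName (Join-Path $rel $fileName)
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            $item = Get-Item -LiteralPath $candidate
            # Record the hash so the file can be compared against a known sample.
            [pscustomobject]@{
                Profile   = $profile.Name
                Path      = $item.FullName
                Size      = $item.Length
                LastWrite = $item.LastWriteTime
                SHA256    = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

if ($hits) {
    Write-Output "Possible Bredolab.AC persistence artifact(s) found under ${profileRoot}:"
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No '$fileName' found in any profile's Startup folder under $profileRoot."
}
```

A file name match is only an indicator: compare the reported SHA256 against a known sample before treating the host as infected, and note that the entry also describes the malware injecting code into system processes, which this file check does not cover.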
The malware may also inject code into the following system processes:
Payload
Downloads and executes arbitrary files
The malware connects to a remote host, for example:
sicha-linna8.com
It does this to download and execute files.
At the time of writing, the malware downloaded variants of the following families:
Analysis by Ray Roberts
Prevention