| Aliases: | Trojan.Win32.Inject.abnx (Kaspersky), TrojanDownloader:Win32/Bredolab.X (Microsoft), Spy-Agent.bw (McAfee) |
| Type of infiltration: | Trojan |
| Size: | 51200 B |
| Affected platforms: | Microsoft Windows |
| Signature database version: | 4063 (20090508) |
Short description
The trojan tries to download several files from the Internet. The files are then executed.
Installation
When executed, the trojan copies itself into the following location:
- %system%\wbem\grpconv.exe (51200 B)
The following files are deleted:
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  "RunGrpConv" = 1
The trojan creates and runs a new thread with its own program code within the following processes:
Other information
The trojan contains a list of (1) URLs and tries to download several files from these addresses over HTTP.
These are stored in the following locations:
A string with variable content is used instead of %variable%.
The files are then executed.
The trojan may create and run a new thread with its own program code within any running process.
The trojan creates the following files:
The trojan creates copies of the following files (source, destination):
- %system%\ntdll.dll, %temp%\~TM%variable%.tmp
- %system%\kernel32.dll, %temp%\~TM%variable%.tmp
A string with variable content is used instead of %variable%.
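The installation artifacts and file copies listed above can be checked on a host with a short triage script. This is an added example, not part of the original description; the function name `Get-GrpConvTrojanIndicators` is hypothetical, and it assumes %system% is the Windows system directory (System32 and, where present, SysWOW64) and %temp% is the current user's `$env:TEMP`.

```powershell
# Added triage example; the indicators come from the description above.
# Assumptions: %system% = Windows system directory, %temp% = $env:TEMP.
function Get-GrpConvTrojanIndicators {
    $findings = @()
    # Check both system directories so a 32-bit sample on 64-bit Windows is covered.
    $sysDirs = @([Environment]::SystemDirectory, (Join-Path $env:SystemRoot 'SysWOW64')) |
        Where-Object { Test-Path -LiteralPath $_ } | Select-Object -Unique

    # 1. Self-copy: %system%\wbem\grpconv.exe (51200 B per the description).
    foreach ($dir in $sysDirs) {
        $copy = Get-Item -LiteralPath (Join-Path $dir 'wbem\grpconv.exe') -Force -ErrorAction SilentlyContinue
        if ($copy) {
            $findings += [pscustomobject]@{
                Indicator = 'Dropped file'; Path = $copy.FullName
                Detail    = "Length=$($copy.Length), SizeMatches51200=$($copy.Length -eq 51200)"
            }
        }
    }

    # 2. Autostart value "RunGrpConv" under the current user's Winlogon key.
    $key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $prop = Get-ItemProperty -Path $key -Name 'RunGrpConv' -ErrorAction SilentlyContinue
    if ($null -ne $prop) {
        $findings += [pscustomobject]@{
            Indicator = 'Registry value'; Path = $key; Detail = "RunGrpConv=$($prop.RunGrpConv)"
        }
    }

    # 3. %temp%\~TM*.tmp files whose content equals ntdll.dll or kernel32.dll.
    #    Comparing hashes avoids flagging unrelated temp files with a similar name.
    $known = @{}
    foreach ($dir in $sysDirs) {
        foreach ($name in 'ntdll.dll', 'kernel32.dll') {
            $dll = Join-Path $dir $name
            if (Test-Path -LiteralPath $dll) { $known[(Get-FileHash -LiteralPath $dll).Hash] = $dll }
        }
    }
    foreach ($tmp in (Get-ChildItem -LiteralPath $env:TEMP -Filter '~TM*.tmp' -File -Force -ErrorAction SilentlyContinue)) {
        $hash = (Get-FileHash -LiteralPath $tmp.FullName -ErrorAction SilentlyContinue).Hash
        if ($hash -and $known.ContainsKey($hash)) {
            $findings += [pscustomobject]@{
                Indicator = 'System DLL copy'; Path = $tmp.FullName; Detail = "Same SHA256 as $($known[$hash])"
            }
        }
    }
    $findings
}

Get-GrpConvTrojanIndicators | Format-List
```

The registry and %temp% checks cover only the account running the script, so they need to be repeated for each user profile on the host.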
The trojan launches the following processes: