Win32/TrojanDownloader. Bredolab.AA | ESET Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

O
P
Q
R
S
T
U
V
W
X
Y
Z
Glossary

Short description

The trojan tries to download several files from the Internet. The files are then executed.

Installation

When executed, the trojan copies itself into the following location:

%system%\wbem\grpconv.exe (51200 B)

The following files are deleted:

%system%\grpconv.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\
CurrentVersion\Winlogon]
"RunGrpConv" = 1

The trojan creates and runs a new thread with its own program code within the following processes:

explorer.exe

Other information

The trojan contains a list of (1) URLs. It tries to download several files from the addresses. The HTTP protocol is used.

These are stored in the following locations:

%temp%\wpv%variable%.exe

A string with variable content is used instead of %variable% .

The files are then executed.

The trojan may create and run a new thread with its own program code within any running process.

The trojan creates the following files:

%appdata%\wiaserva.log

The trojan creates copies of the following files (source, destination):

%system%\ntdll.dll, %temp%\~TM%variable%.tmp
%system%\kernel32.dll, %temp%\~TM%variable%.tmp

A string with variable content is used instead of %variable% .

The trojan launches the following processes:

svchost.exe