Malware Backdoor.Win32.Bredavi.byc

Posted: September 1, 2012 in Encyclopedia viruses
Malware Backdoor.Win32.Bredavi.byc – a malicious program that provides an attacker with remote access to the infected machine.

Technical details

A malicious program that provides an attacker with remote access to the infected machine. The program itself is a Windows PE DLL file, 26,113 bytes in size, written in C++.

Installation

The Trojan copies its body to the Windows system directory under the name “xxtr.lro”:

%System%\xxtr.lro

To run automatically at system start-up, the Trojan adds the following entry to the system registry, so that Winlogon launches the DLL through rundll32.exe alongside Explorer:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] “Shell” = “Explorer.exe rundll32.exe xxtr.lro olxanj”

Destructive activity

If Microsoft Office is installed on the user’s computer, the Trojan lowers Word’s macro security by writing the following values to the registry key:

[HKCU\Software\Microsoft\Office\11.0\Word\Security] “Level” = “1” “AccessVBOM” = “1”

It then runs a macro through which the original body of the Trojan is executed.

To ensure that only one copy of its process runs on the system, the Trojan creates a unique identifier with the name:

3902263633e897d151

The Trojan then creates a process named “svchost.exe” and injects its malicious code into that process’s address space:

svchost.exe

The Trojan sends a request to the following address:

http://****hostforyou.cn/onlyhotnews/bb.php

In response it receives a configuration file for its further operation. The Trojan stores the links to other malicious files, obtained from that configuration file, in the following registry key:

[HKCR\idid]

Removal

If your computer was not protected by an antivirus product and has been infected with this malware, remove it as follows:

Delete the original Trojan file (its location depends on how the program originally penetrated the victim machine).
Delete the file:

%System%\xxtr.lro

Clear the Temporary Internet Files directory, which may contain infected files:

%Temporary Internet Files%

Delete the registry key:

[HKCR\idid]

If necessary, reset the “Level” and “AccessVBOM” values in the registry key:

[HKCU\Software\Microsoft\Office\11.0\Word\Security] “Level” “AccessVBOM”

Restore the value of the following registry key to its default:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] “Shell” = “Explorer.exe”
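To check a machine for the registry changes described above without editing the registry by hand, the registry can be exported with regedit /e and the export scanned offline. The following script is an added example, not part of the original entry: it parses a .reg export (the sample below is constructed to mirror the modifications listed in this entry) and reports the altered Winlogon Shell value, the lowered Word macro security settings and the presence of the HKCR\idid key.

```python
import re

# Constructed sample of a .reg export (regedit /e) that mirrors the registry
# changes described in the entry above; it is not a real capture.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe xxtr.lro olxanj"

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security]
"Level"=dword:00000001
"AccessVBOM"=dword:00000001

[HKEY_CLASSES_ROOT\idid]
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WORD_SEC = r"HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security"
IDID = r"HKEY_CLASSES_ROOT\idid"

# Matches "Name"="string" or "Name"=dword:XXXXXXXX lines of a .reg export.
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Parse .reg export text into {key (lower-cased): {value_name: value}}.
    Real exports are UTF-16; decode the file before passing it in."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, s, dw = m.groups()
            keys[current][name] = s if dw is None else int(dw, 16)
    return keys


def find_indicators(keys):
    """Return the registry indicators from this entry that are present."""
    findings = []
    shell = keys.get(WINLOGON.lower(), {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell altered: {shell!r}")
    sec = keys.get(WORD_SEC.lower(), {})
    if str(sec.get("Level")) == "1":
        findings.append("Word macro security Level set to 1 (lowest)")
    if str(sec.get("AccessVBOM")) == "1":
        findings.append("Word AccessVBOM enabled (VBA project access)")
    if IDID.lower() in keys:
        findings.append("HKCR\\idid key present (download-link storage)")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

A clean system returns an empty list; each finding corresponds to one of the removal steps listed above.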
