Bredolab.gen.o

This page shows details and results of our analysis on the malware Bredolab.gen.o

Overview

This is a new variant that arrives in a ZIP/RAR file purporting to be from Facebook and telling recipients to reset their Facebook passwords.

This trojan is capable of stealing passwords and downloading other malware on infected systems.

Minimum DAT: 5923 (2010-03-17)
Updated DAT: 6146 (2010-10-24)
Minimum Engine: 5.4.00
File Length: Varies
Description Added: 2010-01-18
Description Modified: 2010-03-21
Malware Proliferation: (chart not reproduced)

Characteristics

-- Update March 22, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.theregister.co.uk/2010/03/18/facebook_password_reset/

--

This trojan arrives as an attachment inside a RAR/ZIP file that has been spammed out. The message purports to be from Facebook, as in the sample shown below:

[spam e-mail sample not reproduced]

The ZIP/RAR archive contains the trojan executable; when run, it attempts to inject itself into svchost.exe processes.

The Trojan then connects to the following domain to download other malware:

  • http://fun[removed].ru

The malware that is downloaded and related files may vary from one variant to another.

This trojan drops a DLL component, which current DATs already detect as 'Spy-Agent.br.dll'.

The DLL component is dropped at the following locations:

  • %Temp%\6.tmp
  • %System%\nnfj.tqo

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


The following registry value is also set so that the trojan runs at every user logon. A clean Winlogon "Shell" value contains only Explorer.exe; here the trojan appends a rundll32.exe command that loads the dropped DLL (kept under its non-.dll name) and calls its export nhemkk:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = Explorer.exe rundll32.exe nnfj.tqo nhemkk
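As an added triage example (not part of the McAfee write-up), the following Python script checks the two host indicators described above: the hijacked Winlogon "Shell" value and the dropped files. It parses a `reg export` of the Winlogon key, reports anything appended after Explorer.exe, and checks the dropped-file paths against an injectable file-existence callback so it can run against a mounted image or a file listing rather than the live host. The sample registry export is constructed to mimic an infected Windows XP machine, and all function names are this example's own.

```python
import os
import re
from typing import Callable, Dict, List

# Persistence location named in the advisory.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"   # the only thing a clean Shell value contains

# Dropped-file indicators, with the advisory's own %Temp%/%System% placeholders.
DROPPED_FILES = [r"%Temp%\6.tmp", r"%System%\nnfj.tqo"]

# Constructed sample of what `reg export "HKLM\...\Winlogon" winlogon.reg`
# yields on an infected host (reg export writes UTF-16; open with encoding="utf-16").
# Hypothetical data, not captured from a real machine.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe nnfj.tqo nhemkk"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="value" lines; hex:/dword: values fall into the second alternative and are skipped
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=("(?:[^"\\]|\\.)*"|.*)$')


def _unescape(s: str) -> str:
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a `reg export` file into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None and m.group(2).startswith('"'):
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2)[1:-1])
    return keys


def analyze_shell_value(value: str) -> Dict[str, object]:
    """Report what, if anything, has been appended to Winlogon's Shell value.

    Malware persisting here keeps explorer.exe first so the desktop still
    appears, then appends its own loader; this family uses
    'rundll32.exe <module> <export>'. rundll32 loads the module with
    LoadLibrary, so the module does not need a .dll extension (nnfj.tqo)."""
    tokens = value.replace(",", " ").split()
    info: Dict[str, object] = {"value": value, "clean": False, "extra": "", "rundll32_module": None}
    if not tokens or tokens[0].lower() != EXPECTED_SHELL:
        info["extra"] = value            # shell replaced outright (or empty)
        return info
    extra = tokens[1:]
    if not extra:
        info["clean"] = True
        return info
    info["extra"] = " ".join(extra)
    if extra[0].lower() in ("rundll32.exe", "rundll32") and len(extra) >= 2:
        info["rundll32_module"] = extra[1]
    return info


def winlogon_findings(reg_text: str) -> List[str]:
    """Flag the Shell hijack in an exported Winlogon key; an empty list means clean."""
    findings: List[str] = []
    shell = parse_reg_export(reg_text).get(WINLOGON_KEY, {}).get("Shell")
    if shell is None:
        return findings                  # value absent: Winlogon uses its built-in default
    info = analyze_shell_value(shell)
    if not info["clean"]:
        findings.append(f"Winlogon Shell hijacked, extra command: {info['extra']}")
    module = info["rundll32_module"]
    if module and not str(module).lower().endswith(".dll"):
        findings.append(f"rundll32 loading a module without .dll extension: {module}")
    return findings


def check_dropped_files(system_dir: str, temp_dir: str,
                        exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return which of the advisory's dropped files are present. `exists` is
    injectable so a mounted image or a file listing can be checked offline."""
    paths = [p.replace("%Temp%", temp_dir).replace("%System%", system_dir)
             for p in DROPPED_FILES]
    return [p for p in paths if exists(p)]


if __name__ == "__main__":
    for finding in winlogon_findings(SAMPLE_REG_EXPORT):
        print(finding)
    # Constructed file listing standing in for a triage image of the host.
    listing = {r"C:\WINDOWS\system32\nnfj.tqo"}
    print(check_dropped_files(r"C:\WINDOWS\system32",
                              r"C:\DOCUME~1\user\LOCALS~1\Temp", listing.__contains__))
```

On a live host the same checks are `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell` and `dir %SystemRoot%\System32\nnfj.tqo`; the script is written around exported data so the check can be repeated across many collected triage packages without touching each machine.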


Symptoms

* The trojan is running in the process list.
* Presence of the files and registry entries mentioned above.
* Network activity (connections to the download domain above).

Method of Infection

Trojans are not viruses, and as such do not contain any method to replicate by themselves. However, they may be downloaded by other viruses and/or trojans to be installed on the user's system. Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the malware).

Removal

All Users:
Use specified engine and DAT files for detection and removal.
