Name:

Backdoor.Bredolab.vpa

Descr. Added:

March 27, 2012

Type:

Backdoor

Risk:

Low

Payload:

N/A

At risk systems:

Windows 95/98/ME/XP/NT/2003

Malware problems?   We can help.  Free Removal Tools.

Description:

When Backdoor.Bredolab.vpa is executed, it installs the Scareware, Smart Fortress 2012 and performs the following activities:

After execution it drops the following files:

%Windir%\system32\drivers\npf.sys
%Windir%\system32\Packet.dll
%Windir%\system32\wpcap.dll
%Alluserprofile%\Application Data\{random name}\{random name}.exe
%Alluserprofile%\Application Data\{random name}\{random name}
%Userprofile%\Start Menu\Programs\Smart Fortress 2012\Smart Fortress 2012.lnk
%Userprofile%\Desktop\Smart Fortress 2012.lnk

Also, it drops the following files in removable storage drives

\ggl1.tmp
\ggl.tmp
\Shortcut to google.lnk
\Copy of Shortcut to google.lnk
\Copy of Copy of Shortcut to google.lnk

It modifies/creates the following registry entries:

ImagePath ="system32\drivers\NPF.sys"
HKLM\SYSTEM\ControlSet001\Services\NPF

ImagePath ="system32\drivers\NPF.sys"
HKLM\SYSTEM\CurrentControlSet\Services\NPF

ShortcutPath =""%Alluserprofile%\Application Data\{Random Alphanumeric Folder}\{Random Alphanumeric}.exe" -u"
HKU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Smart Fortress 2012

UninstallString =""%Alluserprofile%\Application Data\{Random Alphanumeric Folder}\{Random Alphanumeric}.exe" -u"
HKU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Smart Fortress 2012

command\ =""%Alluserprofile%\Application Data\{Random Alphanumeric Folder}\{Random Alphanumeric}.exe" -s "%1" %*"
HKU\Software\Classes\529C5\shell\open

command\ =""%Alluserprofile%\Application Data\{Random Alphanumeric Folder}\{Random Alphanumeric}.exe" -s "%1" %*"
HKU\_Classes\529C5\shell\open

It launches a fake system scan and displays fake alert messages while preventing any application from running.