A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
This is the Family Description for Backdoor:W32/Bredavi. Bredavi is a Remote Administration Tool (RAT) that lets a remote user take control of the system on which it is installed.
On arrival, the malware first checks whether it has already run inside any of its target processes. If no trace of a previous run is found in services.exe, it proceeds to infect the system.
Using InterlockedExchange to swap in its own function pointers, the malware hooks the following functions:
- From advapi32.dll - CryptEncrypt
- From kernel32.dll - CreateFileW, GetFileAttributesExW
- From ws2_32.dll - send, WSASend
- From sks2xyz.dll (an unknown DLL believed to be one of its own components) - vb_pfx_import
- From user32.dll - GetWindowTextA
The malware then looks for iexplorer.exe, opera.exe, java.exe and javaw.exe and injects itself into them. It downloads a file from http://brendbar.cn/[...]n-bss.exe and saves it as '\\?\globalroot\systemroot\system32\ntfs_ext7.exe'.
It also downloads a file from http://premiumbullets.cn/[...]php?id=!!. If the string "!killOS" is found in the downloaded file, the malware terminates the following processes, which are critical to the Windows operating system:
The malware modifies the Windows hosts file to prevent the system from reaching domains that belong to, or are affiliated with, computer security companies.
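The hosts-file tampering described above is easy to check for during triage. The following is an added example, not F-Secure's code or a component of Bredavi: it parses hosts-file text, skips the stock loopback entries, and reports every remaining mapping, flagging separately any hostname that falls under a watchlist of security vendor domains. The description does not name the domains the malware blocks, so the watchlist and the sample hosts content below are constructed for illustration.

```python
"""Flag hosts-file entries that redirect security vendor domains.

Added example (not from the original description). The watchlist and the
sample hosts text are constructed, not taken from an infected system.
"""
import ipaddress

# Names a stock Windows hosts file may legitimately map to loopback.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Assumption: illustrative stand-in for the vendor domains the malware blocks.
SECURITY_VENDOR_SUFFIXES = (
    "f-secure.com", "symantec.com", "kaspersky.com", "mcafee.com", "trendmicro.com",
)


def parse_hosts(text):
    """Return (lineno, ip, hostname) for every mapping; comments and junk are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop inline and full-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not an address, so not a mapping
        for name in fields[1:]:                # one line may map several names
            entries.append((lineno, ip, name.lower().rstrip(".")))
    return entries


def is_vendor_domain(hostname):
    """True if hostname is, or is a subdomain of, a watchlisted vendor domain."""
    return any(hostname == s or hostname.endswith("." + s) for s in SECURITY_VENDOR_SUFFIXES)


def find_suspicious(text):
    """Return findings for every non-stock mapping, with a reason for each."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if ip.is_loopback and name in DEFAULT_LOOPBACK_NAMES:
            continue                           # stock entry, nothing to report
        if is_vendor_domain(name):
            reason = "security vendor domain redirected"
        elif ip.is_loopback or ip.is_unspecified:
            reason = "non-default name sinkholed to loopback/unspecified"
        else:
            reason = "non-default static mapping"
        findings.append({"lineno": lineno, "ip": str(ip), "hostname": name, "reason": reason})
    return findings


# Constructed sample: two stock lines followed by the kind of entries a
# hosts-blocking trojan adds.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
# entries added by malware (constructed)
127.0.0.1       www.f-secure.com f-secure.com
0.0.0.0         update.symantec.com
10.0.0.5        www.example.com   # arbitrary redirect
"""

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_HOSTS):
        print(f"line {f['lineno']}: {f['ip']} -> {f['hostname']} ({f['reason']})")
```

On a live Windows host, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `find_suspicious`; anything beyond the stock loopback lines deserves a look, and the vendor-domain flag is the signature of this family's behaviour.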
The Bredavi malware also contains a keylogger component that surreptitiously records every keystroke typed on the system. For additional information on keyloggers, see Terminology: Keylogger.