A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.
Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
This is the Family Description for Backdoor:W32/Bredavi. Bredavi is a Remote Administration Tool (RAT) that can be exploited by remote users to gain control over a system on which the program is installed.
On arrival, the malware checks whether it has already run in any of the targeted processes:
If no trace of a previous run is found in services.exe, the malware proceeds to infect the system.
Using InterlockedExchange, the malware will hook the following functions:
The malware then looks for iexplorer.exe, opera.exe, java.exe and javaw.exe and injects itself into them. It downloads a file from http://brendbar.cn/[...]n-bss.exe and saves it as '\\?\globalroot\systemroot\system32\ntfs_ext7.exe'.
It also downloads a file from http://premiumbullets.cn/[...]php?id=!!. If the string "!killOS" is found in the downloaded file, it terminates the following processes, which are critical to the Windows operating system:
The malware modifies the Windows hosts file to prevent the system from reaching domains that belong to, or are affiliated with, computer security companies.
The Bredavi malware contains a keylogger component, which surreptitiously monitors and records all keystrokes. For additional information on keyloggers, see Encyclopedia: Keylogger.
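A defender-side check for the hosts-file tampering described above, added here as an example and not part of F-Secure's description: it parses a hosts file and flags entries that sinkhole or redirect security-vendor domains. The sample hosts content and the watched-domain list are constructed for the example.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not taken from a real infection).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1\tf-secure.com
127.0.0.1 www.f-secure.com  # added by malware
0.0.0.0   update.example-av.test
192.0.2.10  download.example-av.test
"""

# Assumed watch list of security-vendor domain suffixes; extend for your environment.
WATCHED_SUFFIXES = ("f-secure.com", "example-av.test")

# Addresses commonly used to "blackhole" a domain via the hosts file.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first field is not an IP address; not a usable mapping
        for host in parts[1:]:  # one address may map several hostnames
            entries.append((ip, host.lower()))
    return entries


def suspicious_entries(text, watched=WATCHED_SUFFIXES):
    """Flag any mapping of a watched domain, whether sinkholed locally or redirected elsewhere."""
    flagged = []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if any(host == s or host.endswith("." + s) for s in watched):
            kind = "blocked" if ip in SINKHOLE_IPS else "redirected"
            flagged.append((host, ip, kind))
    return flagged


if __name__ == "__main__":
    for host, ip, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind:10} {host} -> {ip}")
```

On a live system, read C:\Windows\System32\drivers\etc\hosts instead of SAMPLE_HOSTS; any flagged entry is a strong sign of tampering, since legitimate configurations rarely touch vendor domains.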