Threat Database Malware Mal/BredoZp-B


Mal/BredoZp-B is the detection name for a particular kind of phishing scam that, for a long time was related to the now defunct Bredo Botnet. A botnet is a large network of computer systems that have been infected with malware that allows criminals to take over thousands of computers simultaneously and turn them into zombies in order to carry out coordinated attacks. By using zombie computers, a criminal can send out massive quantities of spam email, launder money and hide other illegal activities or shut down a particular server by overwhelming it with requests. Mal/BredoZp-B is a common spam email scam that, for a long time, was associated with a famous botnet known as Bredo. Although the law enforcement managed to bring down the criminals responsible for Bredo, the email scam that they used to deliver malware to their victims is still well and alive.

Mal/BredoZp-B Impersonates Legitimate Courier Services

Criminals use Mal/BredoZp-B in order to make computer users believe that they have received a package or that there was a failure in delivery. Typically, these messages will include an attached file or embedded link, which leads to the actual malware infection. The most recent Mal/BredoZp-B attack was observed in March of 2012, but this scam has appeared several times in the past. There's been a particularly large attack in the summer of 2011 with emails impersonating such companies as DHL and FedEx.

The Current Mal/BredoZp-B Attack Uses a Fake Email from DHL

The current Mal/BredoZp-B attack takes the shape of an email that allegedly comes from DHL, a popular messenger company. The email message is particularly convincing, using a spoofed email address from the domain and, for once, a well written message without any spelling or grammatical mistakes (which are often the downfall of most computer criminals attempting to scam their victims with fake messages, applications, and emails). This email contains a supposed tracking number and, while the body changes from email to email, the main point of it will be to convince the victim to open an attached compressed archive in ZIP format. This file will usually be named something like: DHL-Express-Delivery-Notification-Details_03-2012_[Random tracker number].zip. The long file name is not a coincidence. It is proven that computer users are less likely to notice the ZIP extension because of the distraction that the long file name provides. The Mal/BredoZp-B attack is a very common way of sending out malicious spam email and has also been associated with other large botnets like the Zeus botnet.

File System Details

Mal/BredoZp-B may create the following file(s):
# File Name Detections
1. %AppData%\Upilve\upny.exe
2. %AppData%\Ewafy\zizuy.tmp

Registry Details

Mal/BredoZp-B may create the following registry entry or registry entries:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]


Most Viewed