Trojan.Bedrill

Discovered: November 13, 2003
Updated: November 13, 2003 6:28:43 PM
Systems Affected: Windows

Trojan.Bedrill is a Trojan Horse which downloads spam, then emails it in batches from an infected system.

1. Installs the following files in %Windir%:
inst.exe
run.exe
sysinfo.exe
mkernel.dll
mcom.dll
mbot.dll

2. Adds the value:

"sysinfo"="%Windir%\sysinfo.exe"

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that the Trojan runs when you start Windows.

3. Fetches http://abs.redbills.com/hosts.txt, which contains a list of IP addresses.

4. Connects to one of these addresses, and downloads specifications for the email it will send.

5. Connects to an SMTP server, and sends the mail.

6. May download and install new versions of itself.
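The six steps above describe host and network indicators a responder can check for. The script below is an added example, not part of the original writeup and not Symantec tooling: it takes a .reg export of the HKCU Run key, a file listing of %Windir%, and egress log lines, and reports which Trojan.Bedrill indicators appear. The log format (key=value fields), the sample artifacts, and the sanctioned mail relay address 10.0.0.25 are constructed assumptions; the file names, registry value and hosts.txt URL are taken from the writeup.

```python
import re
from typing import Dict, List

# Indicators taken from the Trojan.Bedrill writeup above.
BEDRILL_FILES = {"inst.exe", "run.exe", "sysinfo.exe",
                 "mkernel.dll", "mcom.dll", "mbot.dll"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
BEDRILL_RUN_VALUE = "sysinfo"
BEDRILL_HOSTS_URL = "http://abs.redbills.com/hosts.txt"

# Assumption (constructed value): the only SMTP relay workstations may use.
MAIL_RELAY = "10.0.0.25"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal .reg export: [key] headers followed by "name"="data" lines.
    Only REG_SZ string values are handled, which is all the Run key needs here."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg exports double every backslash inside string data
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def check_run_key(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag the 'sysinfo' Run value pointing at sysinfo.exe (writeup step 2)."""
    findings = []
    for key, values in reg.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == BEDRILL_RUN_VALUE and data.lower().endswith("\\sysinfo.exe"):
                findings.append(f"Run value {name!r} -> {data}")
    return findings


def check_windir_listing(filenames: List[str]) -> List[str]:
    """Return the Bedrill file names present in a %Windir% listing (step 1)."""
    return sorted(f for f in filenames if f.lower() in BEDRILL_FILES)


def check_network_logs(lines: List[str]) -> List[str]:
    """Flag the hosts.txt fetch (step 3) and direct SMTP egress that bypasses
    the relay (step 5). Log lines are a constructed key=value format."""
    findings = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        url = fields.get("url", "").lower()
        if url == BEDRILL_HOSTS_URL:
            findings.append(f"{fields.get('src')} fetched Bedrill host list {url}")
        host, _, port = fields.get("dst", "").rpartition(":")
        if port == "25" and host != MAIL_RELAY and fields.get("src") != MAIL_RELAY:
            findings.append(f"{fields.get('src')} opened direct SMTP to {host}")
    return findings


def triage(reg_text: str, windir_files: List[str], log_lines: List[str]) -> Dict[str, List[str]]:
    """Run all three checks and return findings per artifact type."""
    return {
        "run_key": check_run_key(parse_reg_export(reg_text)),
        "files": check_windir_listing(windir_files),
        "network": check_network_logs(log_lines),
    }


# Constructed sample artifacts from a hypothetical infected workstation 10.0.0.5.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sysinfo"="%Windir%\\sysinfo.exe"
'''
SAMPLE_WINDIR = ["explorer.exe", "notepad.exe", "inst.exe", "run.exe",
                 "sysinfo.exe", "mkernel.dll", "mcom.dll", "mbot.dll", "win.ini"]
SAMPLE_LOGS = [
    "src=10.0.0.5 dst=203.0.113.7:80 url=http://abs.redbills.com/hosts.txt status=200",
    "src=10.0.0.5 dst=198.51.100.12:25 proto=tcp action=allow",
    "src=10.0.0.8 dst=10.0.0.25:25 proto=tcp action=allow",
    "src=10.0.0.8 dst=203.0.113.10:443 url=https://example.com/ status=200",
]

if __name__ == "__main__":
    for section, hits in triage(SAMPLE_REG, SAMPLE_WINDIR, SAMPLE_LOGS).items():
        print(section, hits)
```

The SMTP check is the most generally useful part: a workstation opening TCP/25 to anything other than the sanctioned relay is the network-visible symptom of step 5 regardless of which spam kit is doing the sending, so it holds up even after the hosts.txt URL and file names change in a new version (step 6).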