A new settings file - Bredolab spam continues

February 26, 2010

The SonicWALL UTM Research team has continued to monitor and provide protection against the ongoing Bredolab spam, which switched to a new spam theme starting Wednesday, February 24, 2010. There has been a sharp increase in Bredolab spam campaigns since mid-February 2010, as covered in our previous SonicAlert, New Bredolab spam campaigns, and this week was no different.

SonicWALL has received more than 25,000 e-mail copies from the "new settings file" spam campaign. As in previous campaigns, the e-mail messages carry a zip-archived attachment containing a new variant of the Bredolab Trojan executable. The sample e-mail format is shown below:

Campaign: A new settings file spam

Attachment: settings.zip (contains settings.exe)

Subject: A new settings file for the (random email address) has just be released

Email Body:
------------------------
Dear use of the (email domain) mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (random email address) settings were changed. In order to apply the new set of settings open attached file.

Best regards, (email domain) Technical Support.
------------------------

The e-mail messages look like:

screenshot

screenshot

SonicWALL has received more than 6 distinct variants of the settings.exe file so far. If a user extracts and executes one of these new Bredolab variants, the Trojan then attempts to download FakeAV malware.
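The campaign's two observable traits described above, a fixed subject template and a zip attachment carrying an .exe, are enough for a mail-gateway check. The following added example (not SonicWALL's code and not part of the original alert) parses a message, flags the quoted subject pattern, opens any zip attachment in memory and reports executables inside it. The sample message it builds is constructed here to mimic the campaign; its zip contains a two-byte "MZ" stub, not real malware, and the addresses are placeholders.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject template quoted in the alert; the grammatical slip "has just be released"
# is part of the campaign's text, so the pattern keeps it deliberately.
SUBJECT_RE = re.compile(r"^A new settings file for .+ has just be released", re.I)


def build_sample_message() -> bytes:
    """Constructed message mimicking the campaign (placeholder addresses, fake payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("settings.exe", b"MZ" + b"\x00" * 64)  # harmless stub, not a PE file
    msg = EmailMessage()
    msg["From"] = "support@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "A new settings file for the victim@example.com has just be released"
    msg.set_content(
        "Dear use of the example.com mailing service!\n\n"
        "We are informing you that because of the security upgrade of the mailing "
        "service your mailbox settings were changed. In order to apply the new set "
        "of settings open attached file.\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="settings.zip")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed ordinary message with a text attachment, for comparison."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes from today are attached.\n")
    msg.add_attachment("1. Review backlog\n2. Plan release\n", filename="notes.txt")
    return msg.as_bytes()


def inspect_message(raw: bytes) -> dict:
    """Return findings for one raw RFC 822 message and a gateway verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {
        "subject_match": bool(SUBJECT_RE.search(msg["Subject"] or "")),
        "zip_attachments": [],
        "executables_in_zip": [],
        "bad_zips": [],
    }
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        findings["zip_attachments"].append(fname)
        payload = part.get_payload(decode=True) or b""
        try:
            # Only the central directory is read; nothing is extracted to disk.
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for name in zf.namelist():
                    if name.lower().endswith(".exe"):
                        findings["executables_in_zip"].append(f"{fname}:{name}")
        except zipfile.BadZipFile:
            # Corrupt or non-zip data under a .zip name is itself suspicious.
            findings["bad_zips"].append(fname)
    suspicious = (findings["subject_match"] or findings["executables_in_zip"]
                  or findings["bad_zips"])
    findings["verdict"] = "quarantine" if suspicious else "deliver"
    return findings


if __name__ == "__main__":
    for label, raw in (("campaign", build_sample_message()),
                       ("benign", build_benign_message())):
        print(label, inspect_message(raw))
```

Either trait alone is enough to quarantine: the subject check catches messages whose attachment was stripped upstream, and the zip inspection catches later waves that change the subject but keep the settings.zip / settings.exe delivery mechanism.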

SonicWALL Gateway AntiVirus provides protection against this spam campaign via the following signatures:

  • GAV: Bredolab.CE_2 (Trojan) [11,924,540 hits recorded starting Feb 20, 2010]
  • GAV: Bredolab.BK_2 (Trojan) [6,004,226 hits recorded starting Feb 26, 2010]
  • GAV: Bredolab.BK (Trojan) [471 hits recorded starting Feb 26, 2010]

screenshot

screenshot