More on Backdoor.Win32.Breplibot.b

Research

10 Nov 2005

minute read

Authors

Yury Mashevsky

We’ve been analysing the backdoor program which uses the Sony rootkit technology.

Trend Micro has told us that the backdoor was mass mailed using spamming technologies. The message sent was as follows:

Message subject:

Requesting Photo Approval

Attachment name:

article_december_3621.exe

Message body:

Hello,

Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here.

Kind regards,
Jamie Andrews
Editor
www.TotalBusiness.co.uk
**********************************************
The Professional Development Institute
**********************************************

Breplibot.b is 10240 bytes in size, and packed using UPX.

When launching, the backdoor copies itself to the Windows system directory as $SYS$DRV.EXE. Using this name makes it possible for the rootkit technology used by Sony to hide the activity of the malicious program. Of course, the backdoor’s activity will only be hidden if the ‘Sony rootkit’ has been installed on your computer.

Once launched, the backdoor creates the following system registry key:

[HKEY_LOCAL_MACHINE] “WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj”=”$SYS$DRV.EXE”

Authors

Yury Mashevsky

Latest Posts

Latest Webinars

Reports

Kaspersky GReAT experts uncovered a new campaign by Lazarus APT that exploits vulnerabilities in South Korean software products and uses a watering hole approach.

MysterySnail RAT attributed to IronHusky APT group hasn’t been reported since 2021. Recently, Kaspersky GReAT detected new versions of this implant in government organizations in Mongolia and Russia.

Kaspersky researchers analyze GOFFEE’s campaign in H2 2024: the updated infection scheme, new PowerModul implant, switch to a binary Mythic agent.

Kaspersky GReAT experts discovered a complex APT attack on Russian organizations dubbed Operation ForumTroll, which exploits zero-day vulnerabilities in Google Chrome.

More on Backdoor.Win32.Breplibot.b

Message subject:

Attachment name:

Message body:

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

The antivirus weather forecast: cloudy

Crimeware: A new round of confrontation begins…

Malware Miscellany, September 2009

Malware Miscellany, December 2008

Malware Miscellany, November 2008

A journey into forgotten Null Session and MS-RPC interfaces, part 2

DCRat backdoor returns

Mercedes-Benz Head Unit security research report

Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT

Threats in space (or rather, on Earth): internet-exposed GNSS receivers

Latest Posts

Lumma Stealer – Tracking distribution channels

Phishing attacks leveraging HTML code inside SVG files

IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia

Streamlining detection engineering in security operation centers

Latest Webinars

In-depth analysis of cyberattacks: key findings from Kaspersky’s Incident Response report

Silent shields & digital dragons: MDR’s proactive protection

From chaos to control: streamlining detection engineering in Security Operation Centers

Сrimeware and financial cyberthreats in 2025

Reports

Operation SyncHole: Lazarus APT goes back to the well

IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia

GOFFEE continues to attack organizations in Russia

Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain

Subscribe to our weekly e-mails