Messages with the YouSendIt Reader contain the Bredolab trojan

After our first report earlier today of the YouSendIt abuse that leads to a malicious payload and spam web site, MX Lab now intercepted messages with the subject “You have received a file from via YouSendIt.” and the attachment

The email address is spoofed and the email address in the subject line will change according to the from address.

The body of the email:

Maryellen Meier has sent you the following via YouSendIt

File attached to this letter.

YouSendIt, Inc. | Privacy Policy

1919 S. Bascom Ave., Campbell, CA 95008

The message carries the attachment. Once extracted, the 20 kB file YouSendIt_reader.exe is available.

The trojan is known as Gen:Variant.Bredo.2 (BitDefender, F-Secure, GData), TrojanDownloader:Win32/Waledac.C (Microsoft).

The following files are created:

%Programs%\Security Tool.lnk

New processes are created:

Process Name: 1410506.exe
Process Filename: %AppData%\1410506.exe

Process Name: _ex-08.exe
Process Filename: %Windir%\temp\_ex-08.exe

Process Name: 1410506.exe
Process Filename: %UserProfile%\LOCALS~1\APPLIC~1\1410506.exe

Several Windows registry modifications are made to the infected system, and the trojan can establish a connection to the IPs and on port 80.

The trojan will also connect to the URL hxxp://

At the time of writing, only 8 of the 42 AV engines at Virus Total detected the threat. Virus Total permalink and MD5: 79be5ebc9659f2c4e2e85cdd3464720d.
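As an added defender-side example (not MX Lab's code), the following Python routine turns the indicators above into a mail-gateway triage check: it flags a message whose subject carries the YouSendIt lure and whose attachment is, or contains, an executable, and compares the MD5 of that executable against the hash quoted in the post. The attachment name YouSendIt_reader.zip, the sender address and the file bytes are constructed, since the post does not give them.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# MD5 quoted in the post for YouSendIt_reader.exe; extend from your own feeds.
KNOWN_BAD_MD5 = {"79be5ebc9659f2c4e2e85cdd3464720d"}
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com")

def executables_in(filename, data):
    """Yield (name, md5) for executables attached directly or inside a ZIP."""
    name = (filename or "").lower()
    if name.endswith(EXEC_SUFFIXES):
        yield filename, hashlib.md5(data).hexdigest()
    elif name.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXEC_SUFFIXES):
                    yield info.filename, hashlib.md5(zf.read(info)).hexdigest()

def triage(raw):
    """Classify one raw RFC 822 message; returns a dict of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    lure = "yousendit" in msg.get("Subject", "").lower()
    found = []
    for part in msg.iter_attachments():
        found.extend(executables_in(part.get_filename(), part.get_content()))
    known_bad = any(h in KNOWN_BAD_MD5 for _, h in found)
    # A genuine YouSendIt notification never carries the file itself, so the
    # YouSendIt lure plus an executable attachment is enough to quarantine.
    verdict = "quarantine" if known_bad or (lure and found) else "pass"
    return {"lure": lure, "executables": found, "known_bad": known_bad, "verdict": verdict}

def build_sample():
    """Constructed look-alike of the spam (harmless placeholder bytes, not the trojan)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("YouSendIt_reader.exe", b"MZ constructed placeholder, not malware")
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"  # constructed spoofed sender
    msg["Subject"] = "You have received a file from spoofed@example.invalid via YouSendIt."
    msg.set_content("Maryellen Meier has sent you the following via YouSendIt\nFile attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="YouSendIt_reader.zip")  # constructed name
    return msg.as_bytes()
```

Running `triage(build_sample())` returns a "quarantine" verdict on the lure-plus-executable pattern even though the placeholder's MD5 does not match the hash from the post.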

2 thoughts on “Messages with the YouSendIt Reader contain the Bredolab trojan”

  1. I got 2 of those e-mails today. I was told to open it and now I am working off a different computer. The virus does not allow you to open task manager or online options. A very dangerous virus. It just keeps on running and adding and cannot delete it when it's running.

  2. I’ve had a lot of these, starting about 18:00GMT yesterday and to more than one username.

    They’re recognisable as suspicious by the fact that they contain the file in an attachment to the email. This is not how yousendit works — the whole point of yousendit is to deliver files without them going via email. A proper yousendit message would contain only a notification of file arrival and the recipient would have to visit yousendit to collect the file.