General information

Lenovo’s download site has been serving malicious code since Sunday afternoon, June 20th, so users should be careful when visiting it. Currently, if you access the site with Chrome or Firefox, you will see a warning like the following:

Chrome’s warning of malicious code on Lenovo’s download site

Many web pages on Lenovo’s download site have had an iframe appended that redirects visitors to hxxp://

Malicious code appended to web pages

Decoding the iframe, we find that several Internet Explorer vulnerabilities are exploited to carry out the attack.

Exploit codes

These exploit codes attempt to download the file hxxp://, which is the virus, onto the victim’s computer.

Virus’ information

The virus is a new variant of the Bredolab botnet with the following MD5: F5A44C63F8777F544931ABC763F88EE3

After being downloaded onto the computer, the virus copies itself to %Programs%\Startup\monskc32.exe and receives commands from a C&C server with the domain
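Added example (not code from the post or from Bkav): a small Python checker that flags iframes appended after a page’s closing tag or pointing off-site, defangs their URL the way this post does (hxxp://), and compares a file’s MD5 against the sample hash quoted above. The site hostname and the injected iframe host are constructed placeholders, since the post elides the real iframe URL.

```python
import hashlib
import re
from urllib.parse import urlsplit

# MD5 of the Bredolab variant as quoted in the post (lower-cased for comparison).
BREDOLAB_SAMPLE_MD5 = "f5a44c63f8777f544931abc763f88ee3"

# Matches an <iframe ...> tag and captures its src attribute value.
IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)


def defang(url):
    """Render a URL non-clickable in reports, as the post does (http -> hxxp)."""
    return re.sub(r"^http", "hxxp", url, flags=re.I)


def find_injected_iframes(html, site_host):
    """Return iframes that point off-site or sit after the closing </html>.

    Each hit is a dict with the defanged src and two flags: 'external'
    (src host differs from site_host) and 'appended' (tag follows </html>).
    """
    end = html.lower().rfind("</html>")
    hits = []
    for m in IFRAME_RE.finditer(html):
        src = m.group(1)
        # A relative src has no host and therefore stays on the site itself.
        host = urlsplit(src).hostname or site_host
        external = host.lower() != site_host.lower()
        appended = end != -1 and m.start() > end
        if external or appended:
            hits.append({"src": defang(src), "external": external, "appended": appended})
    return hits


def matches_known_sample(data):
    """True if the file bytes hash to the MD5 quoted in the post."""
    return hashlib.md5(data).hexdigest() == BREDOLAB_SAMPLE_MD5


# Constructed sample page: a legitimate on-site iframe inside the document,
# plus an off-site iframe appended after </html> (placeholder host, .invalid TLD).
SAMPLE_PAGE = (
    "<html><body><h1>Downloads</h1>"
    "<iframe src='/support/frame.html'></iframe></body></html>\n"
    "<iframe src='http://injected.invalid/in.php'></iframe>"
)

if __name__ == "__main__":
    for hit in find_injected_iframes(SAMPLE_PAGE, "downloads.example"):
        print(hit)
```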

Bredolab Botnet receives commands from C&C server

At the time of writing, the VirusTotal scan result shows that only 10/40 AV engines detect this variant.

Bkav’s users can be worry-free, since this virus has already been added to our antivirus software’s database.

Le Minh Hung

Senior Security Researcher
