Backdoor:Win32/Blohi.B
First posted on 21 December 2012.
Source: Microsoft

Aliases:

Backdoor:Win32/Blohi.B is also known as Trojan.ADH.2 (Symantec), Win32/VB.QIK (McAfee), W32/VBTroj.KBWM (Norman).

Explanation:

Installation

When run, Backdoor:Win32/Blohi.B copies itself to the <system folder> with a random name, for example "dvsqeaig.exe" or "tvfckkdb.exe".

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and 8 it is "C:\Windows\System32".

Backdoor:Win32/Blohi.B modifies the following registry entries to ensure that its copy runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "<random string>", for example "jux5c4vnk0v7ighdm22978wywyejrqkg5t"
With data: "<malware file name and location>", for example "C:\Windows\System32\tvfckkdb.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>", for example "jux5c4vnk0v7ighdm22978wywyejrqkg5t"
With data: "<malware file name and location>", for example "C:\Windows\System32\tvfckkdb.exe"

The trojan also modifies the following registry entries to lower your computer's firewall security settings:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<malware file name and location>", for example "C:\Windows\System32\tvfckkdb.exe"
With data: "<malware file name and location>:*:Enabled:Microsoft (R) Internetal IExplore"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "DoNotAllowExceptions"
With data: "dword:00000000"
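As an added example, not part of the original analysis: a small Python check that flags exported registry values matching the persistence and firewall modifications described above. The value names, paths and regex thresholds are modelled on the samples quoted in this description, and the input is a constructed export, not data from a real infection.

```python
import re
from typing import NamedTuple

class RegValue(NamedTuple):
    key: str   # registry key path
    name: str  # value name
    data: str  # value data as exported text

RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\policies\explorer\run",
}
FW_PROFILE = r"hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile"
FW_LIST = FW_PROFILE + r"\authorizedapplications\list"

# Eight lowercase letters plus .exe inside the System folder, as in the quoted samples.
SYS32_RANDOM_EXE = re.compile(r"^[a-z]:\\(?:windows|winnt)\\system32\\[a-z]{8}\.exe$", re.I)
# Long meaningless alphanumeric run, as in "jux5c4vnk0v7ighdm22978wywyejrqkg5t" (assumed threshold: 20+).
RANDOM_NAME = re.compile(r"^[a-z0-9]{20,}$")

def check_entry(v: RegValue) -> list[str]:
    """Return findings for one registry value (empty if it does not match the described pattern)."""
    key = v.key.lower().strip("\\")
    path = v.data.strip('"')
    findings = []
    if key in RUN_KEYS and RANDOM_NAME.match(v.name) and SYS32_RANDOM_EXE.match(path):
        findings.append(f"persistence: {v.key} value {v.name} -> {path}")
    if key == FW_LIST and "Internetal IExplore" in v.data:
        findings.append(f"firewall exception added for {path.split(':*:')[0]}")
    if key == FW_PROFILE and v.name.lower() == "donotallowexceptions" and v.data.lower() in {"dword:00000000", "0", "0x0"}:
        findings.append("firewall: DoNotAllowExceptions cleared, so the exception list is honoured")
    return findings

def scan(entries: list[RegValue]) -> list[str]:
    return [f for v in entries for f in check_entry(v)]

# Constructed sample modelled on the entries described above (not a real registry export).
SAMPLE = [
    RegValue(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
             "jux5c4vnk0v7ighdm22978wywyejrqkg5t", r'"C:\Windows\System32\tvfckkdb.exe"'),
    RegValue(r"HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
             "jux5c4vnk0v7ighdm22978wywyejrqkg5t", r"C:\Windows\System32\tvfckkdb.exe"),
    RegValue(FW_LIST, r"C:\Windows\System32\tvfckkdb.exe",
             r"C:\Windows\System32\tvfckkdb.exe:*:Enabled:Microsoft (R) Internetal IExplore"),
    RegValue(FW_PROFILE, "DoNotAllowExceptions", "dword:00000000"),
    # Benign control: a descriptively named vendor entry under Run must not be flagged.
    RegValue(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
             "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]
```

Running `scan(SAMPLE)` yields one finding per malicious entry (four in total) and nothing for the benign control value.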

Payload

Allows backdoor access and control

Backdoor:Win32/Blohi.B monitors the following Korean online-gaming processes:

  • highlow2
  • DuelPoker
  • Baduki
  • poker7
  • HOOLA3
If it finds any of these processes running, it attempts to connect to a remote server (for example, "61.247.149.<removed>" via TCP port 8886) and can be ordered to perform the following actions by a remote attacker:

  • Download and run other malware
  • Log keystrokes
  • Take screenshots of the gaming applications
  • Open and close your computer's CD/DVD drive
  • Disable your mouse
  • Shut down your computer
Backdoor:Win32/Blohi.B can be ordered to display the following fake Windows error blue screen, which may lure you into restarting your computer to allow the trojan to install additional malware:
The trojan can also be ordered to gather the following information:

  • Total physical memory
  • Installed security products
  • Computer name
  • Processor type
The trojan may then send the information to the remote server.
Analysis by Marianne Mallen

Last update 21 December 2012