
Trojan:MSIL/Bladabindi.B


First posted on 22 January 2013.
Source: Microsoft

Aliases:

Trojan:MSIL/Bladabindi.B is also known as TR/Bladabindi.J.1 (Avira), Trojan.Bladabindi!4BAD (Rising AV), Troj/Bbindi-A (Sophos).

Explanation:

Installation

Trojan:MSIL/Bladabindi.B drops a copy of itself into your computer in a predefined path using a predefined file name. In the wild, this trojan has used the following paths and file names:

  • %USERPROFILE%\trojan.exe
  • %USERPROFILE%\Local Settings\Temp\server.exe


It also drops a copy of itself in the Windows startup folder using another predefined file name. In the wild, it has used the following file names:

  • c7192e982641757f14f66356bb4cf303.exe
  • 5cd8f17f4086744065eb0992a09e05a2.exe


It may also drop a copy of itself into the root folder of other drives in your computer using a third predefined file name. In the wild, it has used the following file name:

  • ! my picutre.scr


Trojan:MSIL/Bladabindi.B changes your system registry so that it automatically runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
With data: "<malware path and file name>"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
With data: "<malware path and file name>"

For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "c7192e982641757f14f66356bb4cf303"
With data: ""C:\Documents and settings\Administrator\trojan.exe" .."



Payload

Bypasses the Windows Firewall

Trojan:MSIL/Bladabindi.B bypasses the Windows Firewall so that it can establish a connection to another computer. It does this by adding itself to the list of authorized applications that can bypass the firewall:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<malware path and file name>"
With data: "<malware path and file name>:*:enabled:<malware file name>"

For example:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "C:\Documents and Settings\Administrator\trojan.exe"
With data: "C:\Documents and Settings\Administrator\trojan.exe:*:enabled:trojan.exe"
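As an added example (not Microsoft's or malwarePDF's code), the Python below triages exported registry entries, given as (subkey, value name, data) triples, for the two persistence artifacts described above: Run values whose target sits in the profile root or the per-user Temp folder (or that carry a 32-hex-digit name like the ones seen in the wild), and AuthorizedApplications\List entries whose `<path>:*:enabled:<name>` data points at such a location. The sample entries are constructed from this write-up's own examples plus one benign control entry; the `Users\...\AppData\Local\Temp` path form is an assumed Vista-and-later equivalent of the XP paths shown here.

```python
import re
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)  # value names like c7192e982641757f14f66356bb4cf303
RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.I)
FW_LIST = re.compile(r"\\FirewallPolicy\\\w+Profile\\AuthorizedApplications\\List$", re.I)
# AuthorizedApplications\List data format: <path>:*:enabled:<display name>
FW_DATA = re.compile(r"^(?P<path>.+?):\*:(?P<state>enabled|disabled):(?P<name>.+)$", re.I)
# Drop locations from the write-up: profile root and per-user Temp (Users\...\AppData form assumed Vista+)
USER_DROP = re.compile(
    r"^(?:[a-z]:\\(?:Documents and Settings|Users)\\[^\\]+\\[^\\]+\.(?:exe|scr)$"
    r"|.*\\(?:Local Settings\\Temp|AppData\\Local\\Temp)\\[^\\]+$)", re.I)
# Constructed sample entries (subkey, value name, data) built from the write-up's examples.
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "c7192e982641757f14f66356bb4cf303",
     r'"C:\Documents and settings\Administrator\trojan.exe" ..'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "5cd8f17f4086744065eb0992a09e05a2",
     r"C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
     r"\StandardProfile\AuthorizedApplications\List",
     r"C:\Documents and Settings\Administrator\trojan.exe",
     r"C:\Documents and Settings\Administrator\trojan.exe:*:enabled:trojan.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ExampleUpdater",  # benign control
     r'"C:\Program Files\Example Vendor\updater.exe" /background'),
]

def exe_path(data):
    # Executable path of a Run-key command, quoted or not, without its arguments.
    data = data.strip()
    if data.startswith('"') and data.count('"') >= 2:
        return data.split('"')[1]
    m = re.match(r"^(.+?\.(?:exe|scr))(?:\s|$)", data, re.I)
    return m.group(1) if m else data.split(" ")[0]

def triage(entries):
    # One finding per entry that matches the write-up's persistence indicators.
    findings = []
    for subkey, name, data in entries:
        reasons, path = [], None
        if RUN_KEY.search(subkey):
            path = exe_path(data)
            if HEX32.match(name):
                reasons.append("Run value named like a 32-hex-digit hash")
            if USER_DROP.match(path):
                reasons.append("Run target sits in the profile root or Temp")
        elif FW_LIST.search(subkey):
            m = FW_DATA.match(data)
            path = m.group("path") if m else data
            if m and m.group("state").lower() == "enabled" and USER_DROP.match(path):
                reasons.append("firewall exception for an executable in profile root or Temp")
        if reasons:
            findings.append({"subkey": subkey, "value": name, "path": path, "reasons": reasons})
    return findings
```

On a live host the same triples can be produced from a `reg export` of the two subkeys, so the logic applies unchanged to real data.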

Steals sensitive information

Trojan:MSIL/Bladabindi.B tries to connect to a remote server using TCP port 1177. It has been known to try to connect to the following:

  • bmzhr.zapto.org
  • mody-x.no-ip.info


If a connection is established, it sends information including, but not limited to, the following:

  • Your computer name
  • Your Windows user name
  • Your computer's operating system version




Analysis by Gilou Tenebro

Last update 22 January 2013
