Trojan:MSIL/Bladabindi.B
First posted on 22 January 2013.
Source: Microsoft
Aliases:
Trojan:MSIL/Bladabindi.B is also known as TR/Bladabindi.J.1 (Avira), Trojan.Bladabindi!4BAD (Rising AV), Troj/Bbindi-A (Sophos).
Explanation:
Installation
Trojan:MSIL/Bladabindi.B is a .NET (MSIL) trojan. On installation it drops a copy of itself onto your computer at a predefined path and file name. In the wild, this trojan has used the following paths and file names:
- %USERPROFILE%\trojan.exe
- %USERPROFILE%\Local Settings\Temp\server.exe
It also drops a copy of itself into the Windows startup folder using another predefined file name, so the copy is launched at each logon. In the wild, it has used the following file names:
- c7192e982641757f14f66356bb4cf303.exe
- 5cd8f17f4086744065eb0992a09e05a2.exe
It may also drop a copy of itself into the root folder of other drives on your computer using a third predefined file name. The .scr extension marks a screensaver, which Windows runs as an ordinary executable when opened. In the wild, it has used the following file name (the misspelling is as observed):
- ! my picutre.scr
Trojan:MSIL/Bladabindi.B changes your system registry so that it automatically runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
With data: "<malware path and file name>"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
With data: "<malware path and file name>"
For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "c7192e982641757f14f66356bb4cf303"
With data: ""C:\Documents and settings\Administrator\trojan.exe" .."
Payload
Bypasses the Windows Firewall
Trojan:MSIL/Bladabindi.B does not disable the Windows Firewall; it adds itself to the list of authorized applications so that its own network connections are allowed through. The key below is the Windows XP/Server 2003 firewall configuration, which matches the Documents and Settings paths seen in the samples:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<malware path and file name>"
With data: "<malware path and file name>:*:enabled:<malware file name>"
For example:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "C:\Documents and Settings\Administrator\trojan.exe"
With data: "C:\Documents and Settings\Administrator\trojan.exe:*:enabled:trojan.exe"
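The following read-only triage script is an added example, not part of the Microsoft write-up. It checks a Windows host for the persistence and firewall artifacts described in the Installation and Payload sections above: Run-key values named like a 32-character hash or whose data ends in the observed " ..", firewall authorized-application entries pointing outside %SystemRoot% and %ProgramFiles%, hash-named executables in the startup folders, the two observed drop paths, and .scr files in drive roots. The value-name and suffix patterns are heuristics derived from the samples listed on this page, not a detection signature, and the script assumes it is run from an elevated prompt.

```powershell
# Added triage script, not part of the Microsoft write-up. Read-only: it reports
# the persistence and firewall artifacts described above and changes nothing.
# Run from an elevated prompt so HKLM and other users' drives are readable.
# The patterns (32-hex value names, trailing ' ..', the literal file names) are
# heuristics taken from the samples listed above, not a signature.

$psMeta   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$hexName  = '^[0-9a-fA-F]{32}$'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Run keys: value name looks like an MD5 hash, data ends in ' ..', or the
#    data points at one of the observed drop file names.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        $data = [string]$p.Value
        if (($p.Name -match $hexName) -or ($data -match ' \.\.$') -or
            ($data -match '\\(trojan|server)\.exe')) {
            $findings.Add("RUN   $key\$($p.Name) = $data")
        }
    }
}

# 2. XP-era firewall authorized-application list: each value is
#    "<path>:*:enabled:<name>". Flag any entry whose path is outside
#    %SystemRoot% and %ProgramFiles%, where this trojan's copies live.
$fwList  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
           Where-Object { $_ } | ForEach-Object { '^' + [regex]::Escape($_) }
if (Test-Path $fwList) {
    foreach ($p in (Get-ItemProperty -Path $fwList).PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        $exePath   = ([string]$p.Value -split ':\*:')[0]
        $isTrusted = $false
        foreach ($t in $trusted) { if ($exePath -match $t) { $isTrusted = $true } }
        if (-not $isTrusted) { $findings.Add("FW    $exePath -> $($p.Value)") }
    }
}

# 3. Startup folders (per-user and all-users): executables named like a hash.
foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    if (-not $path -or -not (Test-Path $path)) { continue }
    Get-ChildItem -Path $path -Filter *.exe -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match $hexName } |
        ForEach-Object { $findings.Add("START $($_.FullName)") }
}

# 4. Observed drop locations ($env:TEMP covers the XP 'Local Settings\Temp'
#    path) and .scr files sitting in any drive root, the spreading copy.
foreach ($f in "$env:USERPROFILE\trojan.exe", "$env:TEMP\server.exe") {
    if (Test-Path $f) { $findings.Add("DROP  $f") }
}
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    Get-ChildItem -Path $d.Root -Filter *.scr -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("ROOT  $($_.FullName)") }
}

if ($findings.Count) { $findings } else { 'No Bladabindi.B indicators found.' }
```

The AuthorizedApplications\List key is the Windows XP/Server 2003 firewall format. Windows Vista and later keep their rules under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules (visible through `netsh advfirewall firewall show rule name=all` or `Get-NetFirewallRule`), so on newer hosts review that list for allow rules naming executables under a user profile as well. A match on any single heuristic above is a lead for manual review, not proof of infection.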
Steals sensitive information
Trojan:MSIL/Bladabindi.B tries to connect to a remote server over TCP port 1177. It has been known to connect to the following host names, both registered under free dynamic DNS domains, so the resolved IP address can change over time and detections should key on the names and the port rather than on an address:
- bmzhr.zapto.org
- mody-x.no-ip.info
If a connection is established, it sends information including, but not limited to, the following:
- Your computer name
- Your Windows user name
- Your computer's operating system version
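The script below is an added example, not part of the Microsoft write-up, showing how to look for live or cached evidence of the command-and-control behaviour described above on a Windows host. Only the two host names and the port come from this page; the module checks, the netstat fallback for older systems, and the optional hosts-file block are assumptions about the local environment.

```powershell
# Added example, not part of the Microsoft write-up: look for live or cached
# evidence of the command-and-control behaviour described above. The host names
# and port come from the write-up; everything else is assumed local state.

$c2Hosts = 'bmzhr.zapto.org', 'mody-x.no-ip.info'
$c2Port  = 1177

# 1. TCP sockets to the C2 port, with the owning process. Windows 8 / Server 2012
#    and later expose Get-NetTCPConnection; older hosts fall back to netstat -ano.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -RemotePort $c2Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc  = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $image = if ($proc) { $proc.Path } else { '<unknown>' }
            [pscustomobject]@{
                Remote = "$($_.RemoteAddress):$($_.RemotePort)"
                State  = $_.State
                PID    = $_.OwningProcess
                Image  = $image
            }
        }
} else {
    # netstat -ano rows: Proto  Local  Foreign  State  PID
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$' -and
            [int]$Matches[3] -eq $c2Port) {
            [pscustomobject]@{
                Remote = "$($Matches[2]):$($Matches[3])"
                State  = $Matches[4]
                PID    = [int]$Matches[5]
            }
        }
    }
}

# 2. Resolver cache: the two names, plus anything else under the same free
#    dynamic-DNS zones. Legitimate hosts use those zones too, so review hits
#    rather than blocking the whole zone blindly.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { ($c2Hosts -contains $_.Entry) -or
                       ($_.Entry -like '*.zapto.org') -or ($_.Entry -like '*.no-ip.info') } |
        Select-Object Entry, RecordName, Data, TimeToLive
} else {
    ipconfig /displaydns |
        Select-String -Pattern (@($c2Hosts) + @('zapto.org', 'no-ip.info')) -SimpleMatch
}

# 3. Containment: sink the names at the local resolver rather than the current
#    IP, since the C2 sits behind dynamic DNS. Uncomment to apply (needs elevation).
# $hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
# foreach ($h in $c2Hosts) { Add-Content -Path $hostsFile -Value "0.0.0.0`t$h" }
```

A socket to port 1177 from a process running out of a user profile or Temp directory, combined with a cache entry for either name, is a strong indicator; a cache entry alone is weaker, since other hosts share these dynamic DNS zones. Capture the owning process image path before terminating it so the dropped copies listed under Installation can be located and removed.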
Analysis by Gilou Tenebro
Last update 22 January 2013