MSIL/Bladabindi [Threat Name]

MSIL/Bladabindi.BC [Threat Variant Name]

Category trojan
Size 318464 B
Detection created Jan 13, 2014
Detection database version 10355
Aliases Trojan.MSIL.Disfa.bop (Kaspersky)
  Backdoor:MSIL/Bladabindi.AJ (Microsoft)
  Backdoor.Ratenjay (Symantec)
  BackDoor.Bladabindi.10390 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself to one or more of the following locations:

  • %temp%\mind.exe
  • %startup%\0fbb59d5c6a6a0ba8bae51975b2c488b.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "0fbb59d5c6a6a0ba8bae51975b2c488b" = ""%temp%\mind.exe" .."
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "0fbb59d5c6a6a0ba8bae51975b2c488b" = ""%temp%\mind.exe" .."

The trojan executes the following command:

  • netsh firewall add allowedprogram "%malwarefilepath%" "%malwarefilename%" ENABLE

This command adds the malware executable to the Windows Firewall list of allowed programs, so inbound connections to the backdoor are not blocked by the host firewall.


The following Registry entry is set:

  • [HKEY_CURRENT_USER]
    • "di" = "!"
Information stealing

MSIL/Bladabindi.BC is a trojan that steals sensitive information.


The trojan collects the following information:

  • computer name
  • user name
  • volume serial number
  • operating system version
  • information about the operating system and system settings
  • malware version

The trojan is able to log keystrokes.


The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. Communication with the remote machine uses TCP; HTTP is also used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • delete Registry entries
  • create Registry entries
  • capture screenshots

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\0fbb59d5c6a6a0ba8bae51975b2c488b]
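A host-triage check for the artifacts listed under Installation (dropped copies, Run keys, the "di" marker, the firewall exception) and for the data key above, as an added PowerShell example that is not part of the original description. The file paths, Registry value names and key names come from this page; the helper name Add-Finding, the use of Get-NetFirewallRule to locate the rule that the legacy netsh command creates on current Windows versions, and the output format are assumptions of the example, not observed behaviour of the sample. Run it from an elevated prompt, since the HKLM and firewall queries need administrator rights.

```powershell
# Added triage example (not code from the original page or from the malware author).
# Looks for the MSIL/Bladabindi.BC artifacts described above on the local host.
# Assumption: the legacy "netsh firewall add allowedprogram" call is surfaced as an
# ordinary allow rule by Get-NetFirewallRule on supported Windows versions.

$Marker = '0fbb59d5c6a6a0ba8bae51975b2c488b'   # value/key/file name used by this variant

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param($Type, $Location, $Detail)
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Dropped copies: %temp%\mind.exe and %startup%\<marker>.exe
$dropPaths = @(
    (Join-Path $env:TEMP 'mind.exe'),
    (Join-Path ([Environment]::GetFolderPath('Startup')) "$Marker.exe")
)
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Add-Finding 'File' $p "size=$($item.Length) SHA256=$hash"
    }
}

# 2. Run-key persistence in HKCU and HKLM; value name is the same marker string.
#    The value on an infected host reads: "%temp%\mind.exe" ..
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $val = (Get-ItemProperty -Path $key -Name $Marker -ErrorAction SilentlyContinue).$Marker
    if ($val) { Add-Finding 'RunKey' "$key\$Marker" $val }
}

# 3. Installation marker: value "di" = "!" directly under the HKCU root
$di = (Get-ItemProperty -Path 'HKCU:\' -Name 'di' -ErrorAction SilentlyContinue).di
if ($di -eq '!') { Add-Finding 'Marker' 'HKCU:\di' $di }

# 4. State/configuration key HKCU\Software\<marker>; dump its values for the report
$stateKey = "HKCU:\Software\$Marker"
if (Test-Path -LiteralPath $stateKey) {
    $values = (Get-ItemProperty -Path $stateKey).PSObject.Properties |
              Where-Object { $_.Name -notlike 'PS*' } |
              ForEach-Object { "$($_.Name)=$($_.Value)" }
    Add-Finding 'StateKey' $stateKey ($values -join '; ')
}

# 5. Firewall exception: an allow rule whose program path is one of the dropped copies
foreach ($rule in (Get-NetFirewallRule -Action Allow -ErrorAction SilentlyContinue)) {
    $prog = ($rule | Get-NetFirewallApplicationFilter).Program
    if ($prog -like '*\mind.exe' -or $prog -like "*\$Marker.exe") {
        Add-Finding 'FirewallRule' $rule.Name $prog
    }
}

# 6. Running process loaded from either dropped path
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -like '*\mind.exe' -or $_.Path -like "*\$Marker.exe") } |
    ForEach-Object { Add-Finding 'Process' "PID $($_.Id)" $_.Path }

if ($findings.Count -eq 0) {
    'No MSIL/Bladabindi.BC artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The Run-key and marker checks are the cheapest and most specific indicators, because the value names are fixed for this variant; the file and process checks match on names only, so a hit there should be confirmed by the hash before the host is declared infected.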

The trojan requires the Microsoft .NET Framework to run.
