MSIL/Bladabindi [Threat Name]
MSIL/Bladabindi.J [Threat Variant Name]
Category | trojan, worm
Size | 1382400 B
Aliases | Worm:MSIL/Necast.J (Microsoft)
Short description
The trojan serves as a backdoor and can be controlled remotely. The file is run-time compressed using Enigma Protector.
Installation
When executed, the trojan copies itself to the following locations:
- %temp%\%TEMP%.scr
- %startup%\4a7c8a49d8af25eb6c00b8697c49e3a0.exe
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "4a7c8a49d8af25eb6c00b8697c49e3a0" = "%temp%\%TEMP%.scr"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "4a7c8a49d8af25eb6c00b8697c49e3a0" = "%temp%\%TEMP%.scr"
The trojan may execute the following commands:
- netsh firewall add allowedprogram "%temp%\%TEMP%.scr" "%TEMP%.scr" ENABLE
This command adds the trojan to the Windows Firewall's allowed-program exceptions.
Spreading
MSIL/Bladabindi.J is a trojan that spreads by copying itself into the root folders of available drives.
The following filename is used:
- ! My Picutre.SCR
Information stealing
MSIL/Bladabindi.J is a trojan that steals sensitive information.
The following information is collected:
- volume serial number
- computer name
- user name
- information about the operating system and system settings
- hardware information
The trojan is able to log keystrokes.
The data is saved in the following file:
- %temp%\%TEMP%.scr.tmp
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL and tries to connect to the remote machine on TCP port 1177.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- log keystrokes
- create Registry entries
- delete Registry entries
- capture screenshots
- execute shell commands
- update itself to a newer version
The trojan stores various information in the following Registry key:
- [HKEY_CURRENT_USER\Software\4a7c8a49d8af25eb6c00b8697c49e3a0]
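The persistence entries, the firewall exception and the storage key listed above can be checked for offline against a registry export and a process-creation log. The script below is an added example written for this entry, not ESET's own code or tooling. It assumes that the indicators generalise the way the description suggests: a 32-hex-character (MD5-like) Run value name that matches a key under HKEY_CURRENT_USER\Software, an .scr payload in the user's Temp directory, and a `netsh firewall add allowedprogram` command pointing at that payload. The registry export and log lines are constructed sample data, with a benign entry alongside the suspicious ones so the filter has something to ignore.

```python
import re

# Constructed sample input (not real telemetry): a fragment of a .reg export
# and two process-creation log lines. The path Temp\Temp.scr is an assumed
# expansion of the %temp%\%TEMP%.scr location from the description.
SAMPLE_REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"4a7c8a49d8af25eb6c00b8697c49e3a0"="C:\\Users\\alice\\AppData\\Local\\Temp\\Temp.scr"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\4a7c8a49d8af25eb6c00b8697c49e3a0]
"""

SAMPLE_PROCESS_LOG = [
    r'2024-01-01T10:00:01 pid=4120 user=alice cmd=netsh firewall add allowedprogram "C:\Users\alice\AppData\Local\Temp\Temp.scr" "Temp.scr" ENABLE',
    r'2024-01-01T10:00:02 pid=4130 user=alice cmd=netsh advfirewall show allprofiles',
]

# Generic traits of the artifacts (assumed generalisations of the entry's IoCs).
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
TEMP_SCR = re.compile(r'\\Temp\\[^\\"]+\.scr\b', re.IGNORECASE)
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
SOFTWARE_HEX_KEY = re.compile(r"^HKEY_CURRENT_USER\\Software\\([0-9a-f]{32})$", re.IGNORECASE)
NETSH_ALLOW = re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.IGNORECASE)
VALUE_LINE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Return (key, value_name, data) triples from a .reg-style export.
    A key header is recorded as (key, None, None) so bare keys can be matched too."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.append((key, None, None))
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            # .reg files escape backslashes as "\\"; undo that for path matching.
            entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def scan_registry(entries):
    """Flag Run values with MD5-like names or Temp\\*.scr targets, and hex-named HKCU\\Software keys."""
    findings = []
    for key, name, data in entries:
        if name is None:
            m = SOFTWARE_HEX_KEY.match(key)
            if m:
                findings.append({"type": "storage_key", "key": key, "name": m.group(1)})
            continue
        if key.lower() in RUN_KEYS:
            hex_name = bool(HEX32.match(name))
            temp_scr = bool(TEMP_SCR.search(data))
            if hex_name or temp_scr:
                findings.append({"type": "run_persistence", "key": key, "name": name,
                                 "data": data, "hex_name": hex_name, "temp_scr": temp_scr})
    return findings


def scan_process_log(lines):
    """Flag netsh firewall exceptions whose allowed program is a Temp\\*.scr file."""
    findings = []
    for line in lines:
        m = NETSH_ALLOW.search(line)
        if m and TEMP_SCR.search(m.group(1)):
            findings.append({"type": "firewall_exception", "program": m.group(1), "line": line})
    return findings


def scan(reg_text, log_lines):
    return scan_registry(parse_reg_export(reg_text)) + scan_process_log(log_lines)


def correlate(findings):
    """Map each 32-hex tag to the artifact types it appears in; a tag seen as both
    a Run value name and an HKCU\\Software key is the strongest signal here."""
    seen = {}
    for f in findings:
        name = f.get("name") or ""
        if HEX32.match(name):
            seen.setdefault(name.lower(), set()).add(f["type"])
    return {tag: types for tag, types in seen.items() if len(types) > 1}


if __name__ == "__main__":
    results = scan(SAMPLE_REG_EXPORT, SAMPLE_PROCESS_LOG)
    for r in results:
        print(r["type"], r.get("name") or r.get("program"))
    print("correlated tags:", correlate(results))
```

On a live host the same checks map onto a registry export of the two Run keys and HKEY_CURRENT_USER\Software, and onto Sysmon or security-log process-creation events; the hex-tag correlation is what distinguishes this family's layout from an unrelated screensaver in Temp.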