MSIL/Bladabindi [Threat Name] go to Threat

MSIL/Bladabindi.J [Threat Variant Name]

The trojan serves as a backdoor. It can be controlled remotely. The file is run-time compressed using Enigma Protector .

When executed the trojan copies itself in the following locations:

In order to be executed on every system start, the trojan sets the following Registry entries:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "4a7c8a49d8af25eb6c00b8697c49e3a0" = "%temp%\%TEMP%.scr"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "4a7c8a49d8af25eb6c00b8697c49e3a0" = "%temp%\%TEMP%.scr"

The trojan may execute the following commands:

The performed command creates an exception in the Windows Firewall.

MSIL/Bladabindi.J is a trojan that spreads by copying itself into the root folders of available drives.

The following filename is used:

MSIL/Bladabindi.J is a trojan that steals sensitive information.

The following information is collected:

The trojan is able to log keystrokes.

The data is saved in the following file:

The trojan attempts to send gathered information to a remote machine.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains an URL address. It tries to connect to remote machine to port: 1177 (TCP).

It can execute the following operations:

The trojan keeps various information in the following Registry key: