Home / malware Trojan:Win32/BadBind.A
First posted on 07 January 2014.
Source: MicrosoftAliases :
There are no other names known for Trojan:Win32/BadBind.A.
Explanation :
Threat behavior
Installation
Trojan:Win32/BadBind.A copies itself to %windir%\adobe\adobe flash player.exe. The malware changes the following registry entries so that it runs each time you start your PC:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Adobe Flash Player"
With data: "c:\windows\adobe\adobe flash player.exe" The malware creates the following files on your PC:
- %windir%\assembly\nativeimages_v2.0.50727_32\temp\zap10.tmp\microsoft.build.utilities.v3.5.dll
- %windir%\assembly\nativeimages_v2.0.50727_32\temp\zape.tmp\microsoft.build.tasks.v3.5.dll
Payload
Contacts remote host
Trojan:Win32/BadBind.A might contact a remote host at bindfun.com using port 80. Commonly, malware does this to:This malware description was produced and published using automated analysis of file SHA1 fa7ae7392e0bd21e2607bda310ec51e730fa8004.Symptoms
- Report a new infection to its author
- Receive configuration or other data
- Download and run files, including updates or other malware
- Receive instructions from a remote hacker
- Upload data taken from your PC
System changes
The following could indicate that you have this threat on your PC:
%windir%\adobe\adobe flash player.exe
- You have these files:
%windir%\assembly\nativeimages_v2.0.50727_32\temp\zap10.tmp\microsoft.build.utilities.v3.5.dll
%windir%\assembly\nativeimages_v2.0.50727_32\temp\zape.tmp\microsoft.build.tasks.v3.5.dllSets value: "Adobe Flash Player"
- You see these entries or keys in your registry:
With data: "c:\windows\adobe\adobe flash player.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunLast update 07 January 2014
