Backdoor:MSIL/Bladabindi.G
First posted on 23 April 2013.
Source: Microsoft
Aliases:
Backdoor:MSIL/Bladabindi.G is also known as Trojan/Win32.Jorik (AhnLab), W32/Bladabindi.D (Norman), Trojan.Bladabindi!4D1D (Rising AV).
Explanation:
Installation
Attackers may use social engineering techniques to try to get Backdoor:MSIL/Bladabindi.G onto your computer.
The backdoor drops a copy of itself to the <startup folder> as the following file, so that it will run each time you start your computer:
5cd8f17f4086744065eb0992a09e05a2.exe
The backdoor also copies itself to the %TEMP% folder under a configurable file name:
%TEMP%\<configurable name>.exe, for example %TEMP%\trojan.exe
It makes the following changes to the registry so that this copy also runs each time you start your computer:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<configurable name>", for example "trojan"
With data: %TEMP%\<configurable name>.exe, for example %TEMP%\trojan.exe
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<configurable name>", for example "trojan"
With data: %TEMP%\<configurable name>.exe, for example %TEMP%\trojan.exe
Spreads via...
Removable drives
The backdoor is capable of spreading to other computers via removable drives. It does this by copying itself to the root of the drive and creating a shortcut (.lnk) file that uses the same name as the drive and is displayed with a folder icon.
If you open the shortcut, the malware runs and at the same time opens an Explorer window on the drive; this is likely designed to mask the fact that the malware has been run in the background.
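The removable-drive lure described above can be checked for offline. The following is an added example, not code from the Microsoft write-up: it looks at a drive root for a .lnk file named after the drive sitting next to an executable, and validates that the .lnk really carries the MS-SHLLINK header rather than just the extension. The sample drive image it scans is constructed in the code; the volume label KINGSTON and the dropped file name update.exe are assumptions, since the page does not name the copy placed on the drive.

```python
import os
import tempfile

# MS-SHLLINK: a shell link begins with HeaderSize 0x4C and the LinkCLSID
# 00021401-0000-0000-C000-000000000046, both stored little-endian.
LNK_HEADER = (b"\x4c\x00\x00\x00"
              b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

# Extensions Explorer will execute when the lure target points at them.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")


def is_shortcut(path):
    """True if the file starts with a genuine .lnk header (not just the extension)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(LNK_HEADER)) == LNK_HEADER
    except OSError:
        return False


def scan_drive_root(root, volume_label):
    """Report executables at the drive root and shortcuts named after the drive.

    The worm's lure is a shortcut whose stem equals the drive's name; a normal
    user-created shortcut is rarely named after the drive it sits on, and an
    executable at the root of a removable drive is unusual on its own.
    """
    drive_names = {volume_label.lower(),
                   os.path.basename(root.rstrip(os.sep)).lower()}
    executables, lures = [], []
    for name in sorted(os.listdir(root)):
        full = os.path.join(root, name)
        if not os.path.isfile(full):
            continue
        stem, ext = os.path.splitext(name)
        ext = ext.lower()
        if ext in EXECUTABLE_EXTS:
            executables.append(name)
        elif ext == ".lnk" and stem.lower() in drive_names and is_shortcut(full):
            lures.append(name)
    return {
        "root_executables": executables,
        "lure_shortcuts": lures,
        # Both artefacts together is the pattern the page describes.
        "suspicious": bool(executables and lures),
    }


def build_sample():
    """Create a constructed drive root resembling an infected USB stick (assumed names)."""
    root = os.path.join(tempfile.mkdtemp(), "KINGSTON")
    os.makedirs(os.path.join(root, "photos"))
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04")                       # benign user document
    with open(os.path.join(root, "update.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)                 # stand-in for the dropped copy
    with open(os.path.join(root, "KINGSTON.lnk"), "wb") as fh:
        fh.write(LNK_HEADER + b"\x00" * 56)            # lure shortcut named after the drive
    return root


if __name__ == "__main__":
    sample_root = build_sample()
    print(scan_drive_root(sample_root, "KINGSTON"))
```

On a real drive, pass the mount point and the volume label (for example `E:\` and the label reported by `vol`); the check is deliberately independent of the shortcut's target so that it still fires when the target path is obfuscated.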
Payload
Allows backdoor access and control
Backdoor:MSIL/Bladabindi.G allows unauthorized access to and control of your computer. An attacker can perform any number of different actions on an affected computer using this malware. This could include, but is not limited to, the following actions:
- Modifying system settings
- Downloading and running files
- Taking screen captures
- Spreading to other computers using removable drives
- Uninstalling itself
- Restarting your computer
- Updating itself
- Exiting your computer
- Uploading data to the attacker
Modifies security settings
Backdoor:MSIL/Bladabindi.G adds itself to the list of applications that are authorized to access the Internet without being stopped by Windows Firewall, by making the following registry modification (this key is the Windows XP / Server 2003 firewall policy store; the path shown is the %TEMP% copy as it appeared on the analysis machine, and it follows the configurable name on other systems):
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "C:\Documents and Settings\Administrator\Local Settings\Temp\trojan.exe"
With data: "c:\documents and settings\administrator\local settings\temp\trojan.exe:*:enabled:trojan.exe"
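The two registry artefacts on this page, the Run-key autostarts pointing into %TEMP% and the firewall AuthorizedApplications exception for the same file, can be hunted together in an exported registry. The following is an added example and not code from the Microsoft write-up: it parses the firewall list's `<path>:<scope>:<Enabled|Disabled>:<display name>` data format, extracts the executable from each Run-key command line, and flags anything launched from a temp directory. The registry contents below are constructed; apart from the %TEMP%\trojan.exe entries quoted on the page, the values (Windows Messenger, SecurityHealth, OneDrive) are illustrative.

```python
import re

# An executable run straight from a temp directory: %TEMP%\x.exe, %TMP%\x.exe
# or any ...\Temp\x.exe path. Legitimate autostarts almost never live there.
TEMP_EXE_RE = re.compile(r"(?:^%te?mp%|\\temp)\\[^\\]+\.exe$", re.IGNORECASE)

# Windows Firewall AuthorizedApplications\List data format.
# Non-greedy path plus backtracking copes with the drive-letter colon.
FW_ENTRY_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$",
    re.IGNORECASE,
)

# Constructed registry export (key -> {value name: data}); not data from the sample.
RUN_ENTRIES = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
        "trojan": r"%TEMP%\trojan.exe",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "trojan": r"%TEMP%\trojan.exe",
    },
}
FIREWALL_LIST = {
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\trojan.exe":
        r"c:\documents and settings\administrator\local settings\temp\trojan.exe:*:enabled:trojan.exe",
}


def command_path(data):
    """Extract the executable path from a Run-key command line."""
    data = data.strip()
    if data.startswith('"'):                      # quoted path, may contain spaces
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ")[0]                     # unquoted: stop at the first space


def is_temp_executable(path):
    return bool(TEMP_EXE_RE.search(path.strip().strip('"')))


def parse_firewall_entry(data):
    """Split an AuthorizedApplications value into its four fields, or None."""
    m = FW_ENTRY_RE.match(data)
    if not m:
        return None
    return {k: m.group(k) for k in ("path", "scope", "state", "name")}


def find_persistence(run_keys, firewall_list):
    """Return autostarts and enabled firewall exceptions that point into a temp dir."""
    findings = []
    for key, values in run_keys.items():
        for name, data in values.items():
            path = command_path(data)
            if is_temp_executable(path):
                findings.append({"source": "run", "location": key,
                                 "value": name, "path": path})
    for value_name, data in firewall_list.items():
        entry = parse_firewall_entry(data)
        if entry is None:                         # malformed data: skip rather than guess
            continue
        if entry["state"].lower() == "enabled" and is_temp_executable(entry["path"]):
            findings.append({"source": "firewall", "location": value_name,
                             "value": entry["name"], "path": entry["path"]})
    return findings


if __name__ == "__main__":
    for f in find_persistence(RUN_ENTRIES, FIREWALL_LIST):
        print(f"{f['source']:8} {f['location']}\n         -> {f['path']}")
```

On a live system the same two dictionaries can be filled from `reg export` output or from an offline SOFTWARE/SYSTEM hive; the value of checking both is that a temp-directory path appearing in a Run key and in the firewall exception list at once is a far stronger signal than either alone.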
Steals information
In the wild, we have observed Backdoor:MSIL/Bladabindi.G stealing the following information about your computer, which it may then send to a remote attacker:
- The country your computer is located in
- The version of Windows installed on your computer
- Your computer's name
- The user name of the currently logged-in user
- Your computer drive's serial number
- Your keystrokes, which it may save to %temp%\<configurable name>.exe.tmp
- The date the malware was installed
Analysis by Marian Radu
Last update 23 April 2013