
Backdoor:MSIL/Bladabindi.AJ


First posted on 11 June 2014.
Source: Microsoft

Aliases:

There are no other names known for Backdoor:MSIL/Bladabindi.AJ.

Explanation:

Threat behavior

Installation

Backdoor:MSIL/Bladabindi.AJ copies itself to the following locations:

  • c:\documents and settings\administrator\application data\flashplayerplugin.exe
  • c:\documents and settings\administrator\start menu\programs\startup\ec75da55df7bc76b2f5430df05849464.exe

The malware changes the following registry entries so that it runs each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ec75da55df7bc76b2f5430df05849464"
With data: ""c:\documents and settings\administrator\application data\flashplayerplugin.exe" .."

Payload

Changes system security settings

Backdoor:MSIL/Bladabindi.AJ adds itself to the list of applications that can access the Internet without being stopped by your firewall. It does this by making the following registry modification:

Adds value: "C:\Documents and Settings\Administrator\Application Data\FlashPlayerPlugin.exe"
With data: "c:\documents and settings\administrator\application data\flashplayerplugin.exe:*:enabled:flashplayerplugin.exe"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Allows backdoor access and control

The malware gives a hacker access and control of your PC. They can then perform a number of different actions, including:
  • Downloading and running files
  • Uploading files
  • Spreading malware to other PCs
  • Logging your keystrokes or stealing your sensitive data
  • Modifying your system settings
  • Running or stopping applications
  • Deleting files
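
As an added example (not part of the Microsoft description), the following Python check parses firewall AuthorizedApplications values in the path:scope:mode:name layout shown above, flags enabled exceptions whose executable lives in a user-profile folder, and notes whether the same executable is also registered under the Run key. The registry data is constructed sample input that includes this page's own values; the remaining entries are made up for contrast.

```python
# Profile subfolders from which a legitimately firewall-authorised program
# rarely runs (Windows XP/2003 profile layout, as in the paths on this page).
USER_PROFILE_DIRS = ("\\application data\\", "\\start menu\\programs\\startup\\")

# Constructed sample registry data; the first entry of each is this page's own.
SAMPLE_RUN = {  # HKLM\...\CurrentVersion\Run: value name -> command line
    "ec75da55df7bc76b2f5430df05849464":
        '"c:\\documents and settings\\administrator\\application data\\flashplayerplugin.exe" ..',
    "SunJavaUpdateSched": '"c:\\program files\\java\\jre6\\bin\\jusched.exe"',
}
SAMPLE_FW = [  # ...\FirewallPolicy\StandardProfile\AuthorizedApplications\List data
    "c:\\documents and settings\\administrator\\application data\\flashplayerplugin.exe:*:enabled:flashplayerplugin.exe",
    "%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
    "c:\\program files\\messenger\\msmsgs.exe:*:disabled:Windows Messenger",
]

def parse_entry(data):
    """Split one AuthorizedApplications value, path:scope:mode:name, into a
    dict. The path itself holds a drive colon, so split from the right."""
    path, scope, mode, name = data.rsplit(":", 3)
    return {"path": path, "scope": scope, "mode": mode.lower(), "name": name}

def run_command_path(command):
    """Return the executable from a Run-key command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)].lower()
    return command.split(" ", 1)[0].lower()

def audit(run_values, fw_values):
    """Flag enabled firewall exceptions pointing into a user profile, and note
    whether the same executable is also registered in the Run key."""
    run_paths = {run_command_path(cmd) for cmd in run_values.values()}
    findings = []
    for data in fw_values:
        entry = parse_entry(data)
        lowered = entry["path"].lower()
        if entry["mode"] == "enabled" and any(d in lowered for d in USER_PROFILE_DIRS):
            findings.append((entry["path"], lowered in run_paths))
    return findings

if __name__ == "__main__":
    for path, autostarts in audit(SAMPLE_RUN, SAMPLE_FW):
        print(f"{path}  also in Run key: {autostarts}")
```

On a live system the two inputs would come from exporting the Run key and the AuthorizedApplications\List key; the combination of a firewall exception and an autostart entry for the same executable in Application Data is the pattern this entry describes.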

This malware description was produced and published using automated analysis of file SHA1 4b14613f52018a8e5372a0febd27e8fcddfadec0.

Symptoms

System changes

The following could indicate that you have this threat on your PC:

  • You have these files:

    c:\documents and settings\administrator\application data\flashplayerplugin.exe
    c:\documents and settings\administrator\start menu\programs\startup\ec75da55df7bc76b2f5430df05849464.exe
  • You see these entries or keys in your registry:

    Sets value: "ec75da55df7bc76b2f5430df05849464"
    With data: ""c:\documents and settings\administrator\application data\flashplayerplugin.exe" .."
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Sets value: "C:\Documents and Settings\Administrator\Application Data\FlashPlayerPlugin.exe"
    With data: "c:\documents and settings\administrator\application data\flashplayerplugin.exe:*:enabled:flashplayerplugin.exe"
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Last update 11 June 2014
