Home / malware

PDF

Trojan:Win32/BadBind.B

First posted on 31 January 2014.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/BadBind.B.

Explanation :

Threat behavior

Installation

Trojan:Win32/BadBind.B copies itself to %windir%\adobe\adobe flash player.exe. The malware changes the following registry entries so that it runs each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Adobe Flash Player"
With data: "c:\windows\adobe\adobe flash player.exe" The malware creates the following files on your PC:

• %windir%\assembly\nativeimages_v2.0.50727_32\temp\zapf.tmp\system.data.entity.design.dll

Payload

Contacts remote host

Trojan:Win32/BadBind.B might contact a remote host at bindfun.com using port 80. Commonly, malware does this to:

• Report a new infection to its author
• Receive configuration or other data
• Download and run files, including updates or other malware
• Receive instructions from a remote hacker
• Upload data taken from your PC

This malware description was produced and published using automated analysis of file SHA1 2e4a601c786f6c43fbbf609d6b78c5f5d5bd8df0.Symptoms

System changes

The following could indicate that you have this threat on your PC:

• You have these files:
  
  %windir%\adobe\adobe flash player.exe
  %windir%\assembly\nativeimages_v2.0.50727_32\temp\zapf.tmp\system.data.entity.design.dll

• You see these entries or keys in your registry:
  
  Sets value: "Adobe Flash Player"
  With data: "c:\windows\adobe\adobe flash player.exe"
  In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Last update 31 January 2014

 

TOP