Backdoor:Win32/Blohi.B

Installation

When run, Backdoor:Win32/Blohi.B copies itself to the <system folder> with a random name, for example "dvsqeaig.exe" or "tvfckkdb.exe"

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and 8 it is "C:\Windows\System32".

Backdoor:Win32/Blohi.B modifies the following registry entries to ensure that its copy runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "<random string>", for example "jux5c4vnk0v7ighdm22978wywyejrqkg5t"
With data: "<malware file name and location>", for example "C:\Windows\System32\tvfckkdb.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>", for example "jux5c4vnk0v7ighdm22978wywyejrqkg5t"
With data: "<malware file name and location>", for example "C:\Windows\System32\tvfckkdb.exe"

The trojan also modifies the following registry entries to lower your computer's firewall security settings:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<malware file name and location>", for example "C:\Windows\System32\tvfckkdb.exe"
With data: "<malware file name and location>:*:Enabled:Microsoft (R) Internetal IExplore"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "DoNotAllowExceptions"
With data: "dword:00000000"

Payload

Allows backdoor access and control

Backdoor:Win32/Blohi.B monitors the following Korean online-gaming processes:

• highlow2
• DuelPoker
• Baduki
• poker7
• HOOLA3

If it finds any of these processes running, it attempts to connect to a remote server (for example, "61.247.149.<removed>" via TCP port 8886) and can be ordered to perform the following actions by a remote attacker:

• Download and run other malware
• Log keystrokes
• Take screenshots of the gaming applications
• Open and close your computer's CD/DVD drive
• Disable your mouse
• Shut down your computer

Backdoor:Win32/Blohi.B can be ordered to display the following fake Windows error blue screen, which may lure you into restarting your computer to allow the trojan to install additional malware:

The trojan can also be ordered to gather the following information:

• Total physical memory
• Installed security products
• Computer name
• Processor type

The trojan may then send the information to the remote server.

Analysis by Marianne Mallen