
MSIL/Bladabindi


Microsoft security software detects and removes this family of threats.

This malware family can steal your sensitive information and send it to a malicious hacker. They can also download other malware and give backdoor access to your PC.

They can spread via infected removable drives, such as USB flash drives. They can also be downloaded by other malware, or spread through malicious links and hacked websites.

Find out ways that malware can get on your PC.  



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Bladabindi variants can be created using a malicious hacker tool known as NJ Rat. We detect NJ Rat as VirTool:MSIL/Bladabindi.A.

NJ Rat is publicly available and lets a malicious hacker choose the icon of the malware file it creates. This means Bladabindi can have any number of icons designed to mislead you into running the file.

There are some sample file icons used by Bladabindi below.

When the malicious file is run, Bladabindi copies itself to one of the following locations under a variable name, for example %TEMP%\svhost.exe:

It copies itself to the following location to make sure it runs each time you start your PC:

It also changes the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>", for example "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe"

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>", for example "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe"

It also runs net.exe to add itself to the firewall exclusion list and bypass your firewall.

Spreads via...

Removable drives

Some Bladabindi variants copy themselves to the root folder of a removable drive. They create a shortcut file with the name and folder icon of the drive. When you click on the shortcut, the malware is launched and Windows Explorer is opened. This makes it seem as if nothing malicious happened.
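The following script is an added example and is not part of the Microsoft encyclopedia entry. It inventories the shortcut files in the root folder of each removable drive and flags the lure described above: a .lnk named after the drive that starts an executable stored on that drive. The function name Get-RemovableLureShortcut is hypothetical, and the assumption that the launched executable sits in the drive's root (possibly hidden) goes beyond what the entry states. It only reads the drive.

```powershell
# Added example, not from the Microsoft entry. Inventories root-level shortcut
# files on removable drives and flags the lure described on this page: a .lnk
# named after the drive that starts an executable stored on that drive.
# Read-only. Requires Windows PowerShell 3.0 or later for Get-CimInstance.

# Hypothetical function name
function Get-RemovableLureShortcut {
    $shell = New-Object -ComObject WScript.Shell
    # DriveType 2 = removable disk (USB flash drives and similar)
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'

    foreach ($disk in $drives) {
        $root  = $disk.DeviceID + '\'
        $label = $disk.VolumeName
        # Executables in the root, including hidden ones (-Force), are the
        # candidates a lure shortcut might launch (assumption; the entry only
        # says the shortcut launches the malware).
        $exes  = @(Get-ChildItem -Path $root -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue)
        $links = @(Get-ChildItem -Path $root -Filter '*.lnk' -File -Force -ErrorAction SilentlyContinue)

        foreach ($lnk in $links) {
            $sc = $shell.CreateShortcut($lnk.FullName)
            # Lure indicator 1: the shortcut carries the drive's own name
            $nameMatchesDrive = ($label) -and ($lnk.BaseName -ieq $label)
            # Lure indicator 2: target plus arguments name an executable on the
            # drive, so a shortcut that goes through cmd.exe or explorer.exe and
            # passes the executable in its arguments is caught as well
            $commandLine = "$($sc.TargetPath) $($sc.Arguments)"
            $launchesLocalExe = $exes | Where-Object { $commandLine -match [regex]::Escape($_.Name) }
            [pscustomobject]@{
                Drive      = $disk.DeviceID
                Shortcut   = $lnk.Name
                Target     = $sc.TargetPath
                Arguments  = $sc.Arguments
                Icon       = $sc.IconLocation   # a folder icon here is the disguise the entry describes
                Suspicious = [bool]($nameMatchesDrive -or $launchesLocalExe)
            }
        }
    }
}

Get-RemovableLureShortcut | Format-Table -AutoSize
```

Every root-level shortcut is listed, not only the suspicious ones, so the Icon and Target columns can be reviewed by eye; the Suspicious column is set when either the name matches the volume label or the command line references an executable found in the root.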

The malicious file can also be downloaded by other malware, or spread through malicious links and hacked websites.

Backdoor:MSIL/Bladabindi can also be downloaded by recent variants of the Worm:VBS/Jenxcus family and a dedicated downloader that we detect as TrojanDownloader:MSIL/Bladabindi.A.

Payload

Steals sensitive information

Backdoor:MSIL/Bladabindi gives a malicious hacker backdoor access to your PC. This means they can steal your sensitive information, including:

  • Your PC name, country and serial number
  • Your Windows user name
  • Your PC operating system version

Bladabindi variants can also steal information such as your:

  • Chrome stored passwords
  • DynDNS information
  • Firefox stored passwords
  • IE 7 stored passwords
  • No-ip/DUC information
  • Opera stored passwords
  • Paltalk credentials

The malware can also use your PC camera to record and steal your personal information. It checks for camera drivers and installs a DLL plugin so it can record and upload the video to a remote malicious hacker.

The trojan can also log your keystrokes. This means a malicious hacker can get access to your user names and passwords. The collected data is saved in %TEMP%\<variable name>.exe.tmp and can then be uploaded to a malicious hacker.

Accepts backdoor commands

Backdoor:MSIL/Bladabindi can also receive the following backdoor commands:

  • Capture screenshots
  • Compress data to be uploaded
  • Connect to remote servers
  • Download and run files
  • Exit
  • Load plugins dynamically
  • Manipulate the registry
  • Open a remote shell
  • Ping a remote server
  • Restart your PC
  • Uninstall itself
  • Update itself

The trojan can connect to remote servers to download and install updates or other malware. We have seen it connect to:

  • fox2012.no-ip.org
  • jn.redirectme.net
  • moudidz.no-ip.org
  • reemo.no-ip.biz

Additional information

Avoids detection

Backdoor:MSIL/Bladabindi uses various .NET obfuscators to hide its code.

It also makes itself a critical process to prevent it from being stopped. Your system may crash with a stop code 0x000000F4 if the malware process is interrupted. This can make it hard to clean your PC while the malware is running.

Analysis by Zhitao Zhou and Francis Tan Seng


Symptoms

The following could indicate that you have this threat on your PC:  

  • You see these entries or keys in your registry:
     
    In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    Sets value: "<32 random alpha-numeric characters>", for example "5cd8f17f4086744065eb0992a09e05a2"
    With data: "%TEMP%\<variable name>.exe"

    In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    Sets value: "<32 random alpha-numeric characters>", for example "5cd8f17f4086744065eb0992a09e05a2"
    With data: "%TEMP%\<variable name>.exe"
     
  • Your system may crash with a stop code 0x000000F4 when you try to remove malware from your PC.
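The registry indicators listed under Installation and repeated under Symptoms can be checked with the script below. It is an added example and not part of the Microsoft encyclopedia entry: it reads the two Run subkeys named in the entry (plus the standard Windows\CurrentVersion\Run keys, which the entry does not list and are included here for completeness), flags value names of exactly 32 hexadecimal characters whose data points at %TEMP%\<variable name>.exe, and lists *.exe.tmp files in %TEMP%, the keystroke log location given under Payload. The function name Test-BladabindiRunValue is hypothetical, and the script changes nothing; run it in an elevated session so the HKLM subkeys can be read.

```powershell
# Added example, not from the Microsoft entry. Read-only check for the
# Bladabindi persistence indicators described on this page. Run in an
# elevated PowerShell session so the HKLM subkeys can be read.

$runKeys = @(
    # The two subkeys named in the entry
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Run',
    # Added for completeness: the standard Run keys (well-known autostart
    # locations; the entry does not list them)
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Value-name indicator: exactly 32 hexadecimal characters, like the example
# "5cd8f17f4086744065eb0992a09e05a2" on this page.
$namePattern = '^[0-9a-fA-F]{32}$'
$tempDir = ($env:TEMP).TrimEnd('\')

# Hypothetical helper name. Returns $true when a Run value matches both
# indicators: a 32-character hex-only name and data of %TEMP%\<name>.exe.
function Test-BladabindiRunValue {
    param([string]$Name, [string]$Data)
    if ($Name -notmatch $namePattern) { return $false }
    $raw = $Data.Trim('"')
    # Literal %TEMP% reference, as written in the entry ...
    if ($raw -match '^%TEMP%\\[^\\]+\.exe$') { return $true }
    # ... or the same path already expanded for the current user
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)
    return ($expanded -like "$tempDir\*.exe")
}

$hits = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata PowerShell adds
        if ($prop.Name -like 'PS*') { continue }
        if (Test-BladabindiRunValue -Name $prop.Name -Data ([string]$prop.Value)) {
            [pscustomobject]@{ Key = $key; ValueName = $prop.Name; Data = $prop.Value }
        }
    }
}

if ($hits) {
    Write-Output 'Run values matching the Bladabindi pattern:'
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No Run values match the Bladabindi pattern.'
}

# The entry says keystrokes are written to %TEMP%\<variable name>.exe.tmp;
# list any such files so they can be reviewed and removed with the threat.
$logs = Get-ChildItem -Path $tempDir -Filter '*.exe.tmp' -File -Force -ErrorAction SilentlyContinue
if ($logs) {
    Write-Output 'Possible keystroke log files in %TEMP%:'
    $logs | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
}
```

A match on both the name pattern and the %TEMP% data is a strong indicator; a 32-character hex name alone is worth a look but is not conclusive, since some legitimate installers also use GUID-like value names. Because the entry notes the process marks itself critical and a crash with stop code 0x000000F4 can follow if it is interrupted, use this script to confirm the indicators and then remove the threat with the security software the entry recommends rather than killing the process by hand.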

Prevention


Alert level: Severe
This entry was first published on: Jan 08, 2014
This entry was updated on: Sep 15, 2014

This threat is also detected as:
  • Trojan.MSIL.Disfa.bsto (Kaspersky)
  • winpe/Troj_Generic.OEKLP (Norman)
  • Generic34.AXLL (AVG)
  • TR/MSILKrypt.6.258 (Avira)
  • Gen:Variant.MSILKrypt.6 (BitDefender)
  • Win32.HLLW.Autoruner.25074 (Dr.Web)
  • MSIL/Injector.BOX trojan (ESET)
  • MSIL/Injector.PEW!tr (Fortinet)
  • TR/Bladabindi.J.1 (Avira)
  • Trojan.Bladabindi!4BAD (Rising AV)
  • Troj/Bbindi-A (Sophos)
  • Trojan/Win32.Jorik (AhnLab)
  • W32/Bladabindi.D (Norman)
  • Trojan.Bladabindi!4D1D (Rising AV)