Trojan:MSIL/Bladabindi.B


Trojan:MSIL/Bladabindi.B is a trojan that bypasses the Windows Firewall on your computer to connect to a remote server. Once connected, it sends sensitive information about your computer to that server.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

Removing a program exception

This threat may add a malware program to the Windows Firewall exception list. To remove the program exception, follow these steps:

For Windows 8:

  1. Open Windows Firewall by swiping in from the right edge of the screen, tapping Search (or if you're using a mouse, pointing to the upper-right corner of the screen, moving the mouse pointer down, and then clicking Search), entering firewall in the search box, tapping or clicking Settings, and then tapping or clicking Windows Firewall.
  2. In the left pane, tap or click Allow an app or feature through Windows Firewall.
  3. Tap or click Change settings. You might be asked for an admin password or to confirm your choice.
  4. Select the check box next to the app you want to allow, select the network types you want to allow communication on, and then click OK.

For Windows 7:

  1. Click Start, select Control Panel, then System and Security.
  2. Select Windows Firewall.
  3. On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  4. Click Change Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  5. Select <program name> from the list of allowed programs and features. Click Remove.
  6. Click OK.

For Windows Vista:

  1. Click Start, select Control Panel, then Security Center.
  2. On the left-hand menu, select Windows Firewall.
  3. On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  4. Select <program name> from the list of allowed programs and features. Click Delete.
  5. Click OK.

For Windows XP:

  1. Use an administrator account to log on.
  2. Click Start, select Run, type wscui.cpl, and then click OK.
  3. In Windows Security Center, click Windows Firewall.
  4. On the Exceptions tab, click <program name> and then click Delete.
  5. Click OK.


Threat behavior

Installation

Trojan:MSIL/Bladabindi.B drops a copy of itself onto your computer in a predefined path using a predefined file name. In the wild, this trojan has used the following paths and file names:

  • %USERPROFILE%\trojan.exe
  • %USERPROFILE%\Local Settings\Temp\server.exe

It also drops a copy of itself in the Windows startup folder using another predefined file name. In the wild, it has used the following file names:

  • c7192e982641757f14f66356bb4cf303.exe
  • 5cd8f17f4086744065eb0992a09e05a2.exe

It may also drop a copy of itself into the root folder of other drives on your computer using a third predefined file name. In the wild, it has used the following file name:

  • ! my picutre.scr

Trojan:MSIL/Bladabindi.B changes your system registry so that it automatically runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
With data: "<malware path and file name>"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
With data: "<malware path and file name>"

For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "c7192e982641757f14f66356bb4cf303"
With data: ""C:\Documents and settings\Administrator\trojan.exe" .."
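The two Run keys above are where a defender would look first. The following PowerShell script is an added example, not code from the Microsoft encyclopedia entry: it walks both keys, extracts the executable path from each value's data (handling the quoted form shown in the example above), and flags entries that match the pattern this entry describes. The two heuristics it uses are this example's own assumptions: a value name that is a 32-character hexadecimal string (like c7192e982641757f14f66356bb4cf303 above) and an executable located under %USERPROFILE% or %TEMP%. It assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the Microsoft encyclopedia entry): audit the Run keys
# named in the entry for values that look like Bladabindi.B persistence.
# Heuristics (this example's assumption, not Microsoft's detection logic):
#   - value name is a 32-char hex string, e.g. c7192e982641757f14f66356bb4cf303
#   - executable lives under %USERPROFILE% or %TEMP%

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Folders the entry documents as drop locations; legitimate autostarts rarely live here.
$userRoots = @($env:USERPROFILE, $env:TEMP) | Where-Object { $_ }

# Properties Get-ItemProperty adds that are not registry values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExePathFromRunData {
    # Run data is either  "C:\path\trojan.exe" ..  (quoted path plus arguments)
    # or  C:\path\app.exe /arg  (unquoted; path ends at the first whitespace).
    param([string]$Data)
    if ($Data -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Data -split '\s+')[0]
}

function Test-SuspiciousRunEntry {
    param([string]$Key, [string]$Name, [string]$Data)
    $exe = Get-ExePathFromRunData $Data
    $hexName = [bool]($Name -match '^[0-9a-fA-F]{32}$')
    $inUserDir = $false
    foreach ($root in $userRoots) {
        if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inUserDir = $true }
    }
    $exists = $false
    if ($exe) { $exists = Test-Path -LiteralPath $exe }
    [pscustomobject]@{
        Key        = $Key
        Name       = $Name
        Executable = $exe
        Exists     = $exists
        HexName    = $hexName
        UserDir    = $inUserDir
        Suspicious = ($hexName -or $inUserDir)
    }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $result = Test-SuspiciousRunEntry -Key $key -Name $p.Name -Data ([string]$p.Value)
        if ($result.Suspicious) { $result }   # emit only the entries worth a look
    }
}
```

Run it as an ordinary user to cover HKCU; reading HKLM\...\Run does not need elevation, but removing a value from it does. Once an entry is confirmed as the trojan's, `Remove-ItemProperty -Path $result.Key -Name $result.Name` deletes it; `Exists = $false` with a suspicious name usually means the file was already cleaned and only the stale autostart remains.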

Payload

Bypasses the Windows Firewall

Trojan:MSIL/Bladabindi.B bypasses the Windows Firewall so that it can establish a connection to another computer. It does this by adding itself to the list of authorized applications that can bypass the firewall:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<malware path and file name>"
With data: "<malware path and file name>:*:enabled:<malware file name>"

For example:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "C:\Documents and Settings\Administrator\trojan.exe"
With data: "C:\Documents and Settings\Administrator\trojan.exe:*:enabled:trojan.exe"
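The registry-based exception list above is the same list the manual "Removing a program exception" steps earlier on this page clean up through the Control Panel. The following PowerShell script is an added example, not code from the Microsoft encyclopedia entry: it reads that legacy list, parses each value's `<path>:*:enabled:<name>` data (splitting from the right, because the path itself contains the drive-letter colon), and flags entries whose executable sits under %USERPROFILE% or %TEMP%, or whose value name disagrees with the path embedded in the data. Both heuristics are this example's own assumptions. Removal is previewed with `-WhatIf`; the script assumes PowerShell 3.0 or later and needs elevation only for the actual removal.

```powershell
# Added example (not from the Microsoft encyclopedia entry): inspect the legacy
# Windows Firewall exception list this trojan is documented to modify and flag
# entries matching its pattern. The "user-writable folder" and "name/path
# mismatch" heuristics are this example's assumptions, not Microsoft's logic.

$listKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$userRoots = @($env:USERPROFILE, $env:TEMP) | Where-Object { $_ }
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function ConvertFrom-AuthorizedApplication {
    # Data format shown in the entry:  <path>:<scope>:<state>:<display name>
    # e.g. C:\Documents and Settings\Administrator\trojan.exe:*:enabled:trojan.exe
    # The path contains "C:", so take the last three fields and rejoin the rest.
    param([string]$ValueName, [string]$Data)
    $parts = $Data -split ':'
    if ($parts.Count -lt 4) { return $null }   # not in the documented shape
    [pscustomobject]@{
        ValueName   = $ValueName
        Path        = ($parts[0..($parts.Count - 4)] -join ':')
        Scope       = $parts[-3]   # "*" means any remote address
        State       = $parts[-2]   # "enabled" / "disabled"
        DisplayName = $parts[-1]
    }
}

function Test-SuspiciousException {
    param($Entry)
    $inUserDir = $false
    foreach ($root in $userRoots) {
        if ($Entry.Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inUserDir = $true }
    }
    # The value name is supposed to be the same path as the data; a mismatch is odd.
    $mismatch = ($Entry.ValueName -ne $Entry.Path)
    return ($inUserDir -or $mismatch)
}

if (Test-Path $listKey) {
    $props = Get-ItemProperty -Path $listKey
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $entry = ConvertFrom-AuthorizedApplication -ValueName $p.Name -Data ([string]$p.Value)
        if ($null -eq $entry) { continue }
        if (Test-SuspiciousException $entry) {
            $entry
            # Preview only; drop -WhatIf (from an elevated prompt) once confirmed malicious.
            Remove-ItemProperty -Path $listKey -Name $p.Name -WhatIf
        }
    }
}
```

This key belongs to the Windows XP/Vista-era firewall profile named in the entry; on Windows 7 and later an allowed program is also stored as a rule under the FirewallRules subkey of the same FirewallPolicy key and is managed with the Windows Firewall with Advanced Security tools (`netsh advfirewall firewall`, or `Get-NetFirewallRule` / `Remove-NetFirewallRule` on Windows 8 and later), so check both places on a mixed fleet.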

Steals sensitive information

Trojan:MSIL/Bladabindi.B tries to connect to a remote server using TCP port 1177. It has been known to try to connect to the following:

  • bmzhr.zapto.org
  • mody-x.no-ip.info

If a connection is established, it sends information including, but not limited to, the following:

  • Your computer name
  • Your Windows user name
  • Your computer's operating system version

Analysis by Gilou Tenebro


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    • %USERPROFILE%\trojan.exe
    • %USERPROFILE%\Local Settings\Temp\server.exe
    • ! my picutre.scr

Prevention


Alert level: Severe
First detected by definition: 1.149.346.0
Latest detected by definition: 1.179.1106.0 and higher
First detected on: Apr 22, 2013
This entry was first published on: Jul 26, 2012
This entry was updated on: Jan 21, 2013

This threat is also detected as:
  • TR/Bladabindi.J.1 (Avira)
  • Trojan.Bladabindi!4BAD (Rising AV)
  • Troj/Bbindi-A (Sophos)