
Backdoor:Win32/Blohi.B


Backdoor:Win32/Blohi.B is a backdoor trojan that allows unauthorized access and control of an affected computer. It can log keystrokes, monitor certain Korean online-gaming processes, take screenshots, display a fake Windows error blue screen and download other malware.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

When run, Backdoor:Win32/Blohi.B copies itself to the <system folder> with a random name, for example "dvsqeaig.exe" or "tvfckkdb.exe".

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and 8 it is "C:\Windows\System32".

Backdoor:Win32/Blohi.B modifies the following registry entries to ensure that its copy runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "<random string>", for example "jux5c4vnk0v7ighdm22978wywyejrqkg5t"
With data: "<malware file name and location>", for example "C:\Windows\System32\tvfckkdb.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>", for example "jux5c4vnk0v7ighdm22978wywyejrqkg5t"
With data: "<malware file name and location>", for example "C:\Windows\System32\tvfckkdb.exe"

The trojan also modifies the following registry entries to lower your computer's firewall security settings:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<malware file name and location>", for example "C:\Windows\System32\tvfckkdb.exe"
With data: "<malware file name and location>:*:Enabled:Microsoft (R) Internetal IExplore"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "DoNotAllowExceptions"
With data: "dword:00000000"

Payload

Allows backdoor access and control

Backdoor:Win32/Blohi.B monitors the following Korean online-gaming processes:

  • highlow2
  • DuelPoker
  • Baduki
  • poker7
  • HOOLA3

If it finds any of these processes running, it attempts to connect to a remote server (for example, "61.247.149.<removed>" via TCP port 8886) and can be ordered to perform the following actions by a remote attacker:

  • Download and run other malware
  • Log keystrokes
  • Take screenshots of the gaming applications
  • Open and close your computer's CD/DVD drive
  • Disable your mouse
  • Shut down your computer

Backdoor:Win32/Blohi.B can be ordered to display the following fake Windows error blue screen, which may lure you into restarting your computer to allow the trojan to install additional malware:

The trojan can also be ordered to gather the following information:

  • Total physical memory
  • Installed security products
  • Computer name
  • Processor type

The trojan may then send the information to the remote server.
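A host-side check for the check-in behaviour described above, added here as an example and not part of the Microsoft write-up: it correlates a snapshot of running processes with their TCP connections (the shape of data a `netstat -b` listing, a Sysmon network-connection event or an EDR export would give) and flags a socket to TCP port 8886 when the destination falls in the 61.247.149.0/24 range or the owning image is a random-named executable in System32, recording whether one of the watched gaming clients is running at the time. The process and connection snapshot is constructed, the last octet of the C2 address is a placeholder for the value the write-up redacts, and the eight-lowercase-letter file-name pattern is an assumption generalised from the two example names on the page.

```python
import ipaddress
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Process names the write-up says the trojan watches for (compared
# case-insensitively, with any ".exe" suffix stripped).
GAMING_PROCESSES = {"highlow2", "duelpoker", "baduki", "poker7", "hoola3"}
C2_PORT = 8886
# The write-up gives "61.247.149.<removed>"; the /24 stands in for the redacted host.
C2_NETWORK = ipaddress.ip_network("61.247.149.0/24")
# Assumption generalised from the two file names on the page ("dvsqeaig.exe",
# "tvfckkdb.exe"): eight lowercase letters directly under System32.
RANDOM_SYSTEM32_EXE = re.compile(
    r"^[a-z]:\\(windows|winnt)\\system32\\[a-z]{8}\.exe$", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    name: str
    image: str


@dataclass
class Conn:
    pid: int
    remote_ip: str
    remote_port: int


# Constructed host snapshot (not taken from the write-up): one gaming client,
# one implant under a random name, plus ordinary processes and a normal TLS session.
PROCS = [
    Proc(1204, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(2310, "HOOLA3.exe", r"C:\Games\Hoola\HOOLA3.exe"),
    Proc(2988, "tvfckkdb.exe", r"C:\Windows\System32\tvfckkdb.exe"),
    Proc(3004, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
]
CONNS = [
    Conn(3004, "203.0.113.7", 443),     # benign, TEST-NET address
    Conn(2988, "61.247.149.1", 8886),   # last octet is a constructed placeholder
]


def _base_name(process_name: str) -> str:
    return os.path.splitext(process_name)[0].lower()


def gaming_client_running(procs: List[Proc]) -> bool:
    """True when any process matches one of the gaming clients the trojan watches."""
    return any(_base_name(p.name) in GAMING_PROCESSES for p in procs)


def find_c2_activity(procs: List[Proc], conns: List[Conn]) -> List[Dict[str, object]]:
    """Correlate sockets with their owning process and report anything that looks
    like the implant's check-in: a connection to TCP 8886 either into the known
    C2 range or from a random-named System32 executable."""
    by_pid = {p.pid: p for p in procs}
    gaming = gaming_client_running(procs)
    hits: List[Dict[str, object]] = []
    for c in conns:
        owner = by_pid.get(c.pid)
        if owner is None or c.remote_port != C2_PORT:
            continue
        reasons = []
        try:
            if ipaddress.ip_address(c.remote_ip) in C2_NETWORK:
                reasons.append("remote address in 61.247.149.0/24")
        except ValueError:
            pass  # not a literal IP address; nothing to compare
        if RANDOM_SYSTEM32_EXE.match(owner.image):
            reasons.append("random eight-letter executable in System32")
        if reasons:
            hits.append({
                "pid": c.pid,
                "image": owner.image,
                "remote": f"{c.remote_ip}:{c.remote_port}",
                "reasons": reasons,
                # The trojan only phones home while a watched game runs, so this
                # context raises confidence rather than being required for a hit.
                "gaming_client_running": gaming,
            })
    return hits


if __name__ == "__main__":
    for hit in find_c2_activity(PROCS, CONNS):
        print(hit)
```

Feeding real data means mapping your telemetry's fields onto `Proc` and `Conn`; the port and network constants are the only Blohi-specific values, so the same correlation works for other process-to-destination rules.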

Analysis by Marianne Mallen


Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following registry modifications:

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    Sets value: "<random string>", for example "jux5c4vnk0v7ighdm22978wywyejrqkg5t"
    With data: "<malware file name and location>", for example "C:\Windows\System32\tvfckkdb.exe"

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<random string>", for example "jux5c4vnk0v7ighdm22978wywyejrqkg5t"
    With data: "<malware file name and location>", for example "C:\Windows\System32\tvfckkdb.exe"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Sets value: "<malware file name and location>", for example "C:\Windows\System32\tvfckkdb.exe"
    With data: "<malware file name and location>:*:Enabled:Microsoft (R) Internetal IExplore"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    Sets value: "DoNotAllowExceptions"
    With data: "dword:00000000"

  • The display of a fake Windows error blue screen (the one described under Payload above).
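The registry entries listed under Installation and repeated under Symptoms can be checked offline against a `reg export` of the affected hive. The following Python script is an added example, not code from the Microsoft write-up: it parses the subset of .reg syntax that such an export uses, then flags the two autorun values, the authorized-application entry carrying the misspelled "Internetal IExplore" description, and the DoNotAllowExceptions value. The sample export is constructed from the entries on the page with two benign values added as filler, and the eight-lowercase-letter file-name pattern is an assumption generalised from the two example names the write-up gives.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a "reg export" (.reg) file. The four malicious entries
# are taken from the write-up; "ExampleVendorUpdater" and "EnableFirewall" are
# benign filler so the triage has something to leave alone.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"jux5c4vnk0v7ighdm22978wywyejrqkg5t"="C:\\Windows\\System32\\tvfckkdb.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleVendorUpdater"="C:\\Program Files\\ExampleVendor\\updater.exe"
"jux5c4vnk0v7ighdm22978wywyejrqkg5t"="C:\\Windows\\System32\\tvfckkdb.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Windows\\System32\\tvfckkdb.exe"="C:\\Windows\\System32\\tvfckkdb.exe:*:Enabled:Microsoft (R) Internetal IExplore"
"""

HKLM = "HKEY_LOCAL_MACHINE\\"
RUN_KEYS = (
    HKLM + r"Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
    HKLM + r"Software\Microsoft\Windows\CurrentVersion\Run",
)
PROFILE_KEY = HKLM + r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
AUTH_APPS_KEY = PROFILE_KEY + r"\AuthorizedApplications\List"

# Assumption generalised from the two names in the write-up ("dvsqeaig.exe",
# "tvfckkdb.exe"): eight lowercase letters directly under the System32 folder.
RANDOM_SYSTEM32_EXE = re.compile(
    r"^[a-z]:\\(windows|winnt)\\system32\\[a-z]{8}\.exe$", re.IGNORECASE)

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # .reg string syntax escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the .reg subset used here: [KEY] headers followed by
    "name"="string" or "name"=dword:XXXXXXXX lines.
    Returns {key (lower-cased): {value name: data}}; dwords become ints."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()  # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                keys[current][name] = _unescape(data[1:-1])
            else:
                keys[current][name] = data  # hex:, expanded strings etc. kept raw
    return keys


def find_blohi_indicators(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (indicator, key, value name) triples for entries matching the write-up."""
    findings: List[Tuple[str, str, str]] = []
    flagged_images = set()
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            if isinstance(data, str) and RANDOM_SYSTEM32_EXE.match(data):
                findings.append(("autorun-random-system32-exe", key, name))
                flagged_images.add(data.lower())
    for name, data in keys.get(AUTH_APPS_KEY.lower(), {}).items():
        # The exception is keyed by the image path; its data carries the
        # misspelled description string the trojan writes.
        if name.lower() in flagged_images or "Internetal IExplore" in str(data):
            findings.append(("firewall-exception-for-implant", AUTH_APPS_KEY, name))
    # DoNotAllowExceptions=0 is also the Windows default, so treat it only as
    # corroboration once something else has matched.
    if findings and keys.get(PROFILE_KEY.lower(), {}).get("DoNotAllowExceptions") == 0:
        findings.append(("firewall-exceptions-permitted", PROFILE_KEY, "DoNotAllowExceptions"))
    return findings


def triage(reg_text: str) -> List[Tuple[str, str, str]]:
    return find_blohi_indicators(parse_reg_export(reg_text))


if __name__ == "__main__":
    for indicator, key, name in triage(SAMPLE_REG_EXPORT):
        print(f"{indicator:32} {key}\\{name}")
```

On a live system the same export comes from `reg export HKLM\Software\Microsoft\Windows\CurrentVersion run.reg` and the firewall keys likewise; the `policies\Explorer\Run` key in particular is rarely populated by legitimate software, so any value there deserves a look even when the file name does not fit the pattern.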

Prevention


Alert level: Severe
First detected by definition: 1.139.1429.0
Latest detected by definition: 1.187.403.0 and higher
First detected on: Nov 06, 2012
This entry was first published on: Nov 09, 2012
This entry was updated on: Dec 21, 2012

This threat is also detected as:
  • Trojan.ADH.2 (Symantec)
  • Win32/VB.QIK (McAfee)
  • W32/VBTroj.KBWM (Norman)