Backdoor:MSIL/Bladabindi


Microsoft security software detects and removes this threat.

This malware family can be used to take control of your PC and steal your sensitive information. Some variants can use your PC camera to record you or send information about what keys you press to a malicious hacker.

They can be installed on your PC from infected removable drives, such as USB flash drives, or by other malware, including TrojanDropper:MSIL/Habbo.A.

Find out ways that malware can get on your PC.
What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Bladabindi variants can be created using the hacker tool known as "NJ Rat", which we detect as HackTool:MSIL/Jaktinier.A and TrojanDropper:MSIL/Habbo.A.

Backdoor:MSIL/Bladabindi copies itself to the following locations:

It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>" for example, "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe"

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>" for example, "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe"

It also runs net.exe to add itself to the firewall exclusion list and bypass your firewall.
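The following PowerShell hunt is an added example, not part of the Microsoft write-up. It looks for the two persistence traits described above: a Run value whose name is 32 hexadecimal characters or whose data launches an .exe from %TEMP%, and a firewall allow rule for a program under %TEMP%. It is read-only and assumes an elevated prompt on a system with the NetSecurity module; every hit is something to review, not proof of infection.

```powershell
# Added example: hunts for the Run values and firewall exclusion described above.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Run'
)
$temp = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item $key
    foreach ($name in $regKey.GetValueNames()) {
        $data = [string]$regKey.GetValue($name)
        # Expand %TEMP% and strip quotes so literal and expanded paths compare equally
        $expanded = [Environment]::ExpandEnvironmentVariables($data).Trim('"')
        $hashName = $name -match '^[0-9A-Fa-f]{32}$'
        $fromTemp = $expanded -like "$temp\*.exe"
        if ($hashName -or $fromTemp) {
            [pscustomobject]@{
                Source = 'Run value'
                Where  = $key
                Name   = $name
                Data   = $data
                Reason = @(
                    if ($hashName) { '32-hex-character value name' }
                    if ($fromTemp) { 'launches an .exe from %TEMP%' }
                ) -join '; '
            }
        }
    }
}

# Firewall allow rules whose program lives under %TEMP%
Get-NetFirewallRule -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule = $_
        $prog = [Environment]::ExpandEnvironmentVariables(
            [string]($rule | Get-NetFirewallApplicationFilter).Program)
        if ($prog -like "$temp\*") {
            [pscustomobject]@{
                Source = 'Firewall rule'
                Where  = $rule.Name
                Name   = $rule.DisplayName
                Data   = $prog
                Reason = 'allow rule for a program under %TEMP%'
            }
        }
    }
```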

Spreads via...

Removable drives

Some Bladabindi variants copy themselves to the root folder of a removable drive and create a shortcut file that carries the drive's name and folder icon.

When you click the shortcut, the malware is launched and Windows Explorer is opened. This makes it seem as if nothing malicious happened.
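The disguised shortcut described above can be spotted by listing what the shortcuts in the root of each removable drive actually launch. This PowerShell check is an added example, not Microsoft's own tooling; it assumes the WScript.Shell COM object is available and it opens nothing, so the shortcut is never followed.

```powershell
# Added example: inventories root-level shortcuts on removable drives and flags
# any that is named after the drive but does not simply open a folder.
$shell = New-Object -ComObject WScript.Shell
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $drive = $_
    $root  = "$($drive.DeviceID)\"
    # -Force is needed because the shortcut may be marked hidden
    Get-ChildItem -Path $root -Filter '*.lnk' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = $lnk.TargetPath
            # A shortcut bearing the drive's label or letter is the disguise to look for
            $namedLikeDrive = ($_.BaseName -eq $drive.VolumeName) -or
                              ($_.BaseName -eq $drive.DeviceID.TrimEnd(':'))
            # A benign drive shortcut opens a folder; a malicious one runs a program
            $opensFolder = [bool]$target -and
                           (Test-Path -LiteralPath $target -PathType Container)
            [pscustomobject]@{
                Drive      = $drive.DeviceID
                Label      = $drive.VolumeName
                Shortcut   = $_.Name
                Target     = $target
                Arguments  = $lnk.Arguments
                Hidden     = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                Suspicious = ($namedLikeDrive -and -not $opensFolder)
            }
        }
}
```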

Payload

Steals sensitive information

Backdoor:MSIL/Bladabindi gives a hacker backdoor access to your PC. This means they can steal your sensitive information such as:

  • Your PC name, country and serial number
  • Your Windows user name
  • Your computer's operating system version

The malware can use your PC camera to record and steal your personal information. It checks for camera drivers and installs a DLL plugin so it can record and upload video to a remote hacker.

The trojan can also log your keystrokes. This means a hacker can get access to your user names and passwords. The collected data is saved in %TEMP%\<variable name>.exe.tmp and can then be uploaded to a hacker.

Accepts backdoor commands

Backdoor:MSIL/Bladabindi can also receive the following backdoor commands:

  • Compression for uploading data
  • Download and run of files
  • Exit
  • Load plugins dynamically
  • Ping
  • Registry manipulation
  • Remote shell
  • Restart
  • Screen captures
  • Uninstall
  • Update

Connects to remote servers

The trojan can connect to remote servers to download and install updates or other malware. We have seen it connect to:

  • fox2012.no-ip.org
  • jn.redirectme.net
  • reemo.no-ip.biz
  • moudidz.no-ip.org

Avoids detection

Backdoor:MSIL/Bladabindi uses various .NET obfuscators to hide its code.

It also marks itself as a critical process to prevent it from being terminated. Your system may crash with stop code 0x000000F4 if the malware process is interrupted. This can make it hard to clean your PC while the malware is running.

Analysis by Steven Zhou and Zhitao Zhou


Symptoms

The following could indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>" for example, "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe"

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>" for example, "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe"

  • Your system may crash with a stop code 0x000000F4 when you try to remove malware from your computer.

Prevention


Alert level: Severe
First detected by definition: 1.141.3048.0
Latest detected by definition: 1.189.974.0 and higher
First detected on: Jan 03, 2013
This entry was first published on: Jan 03, 2013
This entry was updated on: Sep 15, 2014

This threat is also detected as:
  • Trojan.MSIL.Disfa.bsto (Kaspersky)
  • winpe/Troj_Generic.OEKLP (Norman)
  • Generic34.AXLL (AVG)
  • TR/MSILKrypt.6.258 (Avira)
  • Gen:Variant.MSILKrypt.6 (BitDefender)
  • Win32.HLLW.Autoruner.25074 (Dr.Web)
  • MSIL/Injector.BOX trojan (ESET)
  • MSIL/Injector.PEW!tr (Fortinet)