Backdoor:MSIL/Bladabindi


Microsoft security software detects and removes this threat.

This family of malware can be used to take control of your PC and steal your sensitive information. Some variants can use your PC camera to record you or send information about what keys you press to a malicious hacker.

They can be installed on your PC from infected removable drives, such as USB flash drives, or by other malware, including TrojanDropper:MSIL/Habbo.A.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Remove program exceptions in the firewall

This threat might add itself to your Windows Firewall exception list. This means it can go online without being blocked. To remove it from the exception list, do the following:

For Windows 8:

  1. Open Windows Firewall by swiping in from the right edge of the screen, tapping Search (or if you're using a mouse, pointing to the upper-right corner of the screen, moving the mouse pointer down, and then clicking Search), entering firewall in the search box, tapping or clicking Settings, and then tapping or clicking Windows Firewall.
  2. In the left pane, tap or click Allow an app or feature through Windows Firewall.
  3. Tap or click Change settings. You might be asked for an admin password or to confirm your choice.
  4. Select the check box next to the app you want to allow, select the network types you want to allow communication on, and then click OK.

For Windows 7:

  1. Click Start, select Control Panel, then System and Security.
  2. Select Windows Firewall.
  3. On the menu on the left, select Allow a program through Windows Firewall. If you're prompted, type the password or provide confirmation.
  4. Click Change Settings. If you're prompted, type the password or provide confirmation.
  5. Select <program name> from the list of allowed programs and features. Click Remove.
  6. Click OK.

For Windows Vista:

  1. Click Start, select Control Panel, then Security Center.
  2. On the menu on the left, select Windows Firewall.
  3. On the menu on the left, select Allow a program through Windows Firewall. If you are prompted, type the password or provide confirmation.
  4. Select <program name> from the list of allowed programs and features. Click Delete.
  5. Click OK.
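The same clean-up can be done from a PowerShell prompt, which is useful when the firewall dialog is hard to reach or when several PCs need checking. The script below is an added example, not part of the Microsoft encyclopedia entry: it reads the firewall rules Windows Vista and later store under the FirewallRules registry key (each rule is a `|`-separated string such as `v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\path\x.exe|Name=x|`), reports any allow rule whose program lives under `%TEMP%` (where this entry says the backdoor installs itself), and removes those rules on request. The function names `Get-TempFirewallException` and `Remove-TempFirewallException` are chosen here.

```powershell
# Added example, not from the Microsoft encyclopedia entry.
# Assumptions: rules are stored under the FirewallRules key as '|'-separated strings
# (Windows Vista and later); Remove-NetFirewallRule exists on Windows 8 and later,
# netsh advfirewall is the fallback for Vista / 7. Function names are chosen here.

$rulesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$tempDir  = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')

function Get-TempFirewallException {
    $key = Get-Item -Path $rulesKey
    foreach ($id in $key.GetValueNames()) {
        # Parse "Key=Value" tokens of one rule string into a hashtable
        $fields = @{}
        foreach ($token in ([string]$key.GetValue($id)).Split('|')) {
            $i = $token.IndexOf('=')
            if ($i -gt 0) { $fields[$token.Substring(0, $i)] = $token.Substring($i + 1) }
        }
        if ($fields['Action'] -ne 'Allow' -or -not $fields['App']) { continue }
        $app = [Environment]::ExpandEnvironmentVariables($fields['App'])
        # Only programs located under %TEMP% are reported
        if ($app.StartsWith("$tempDir\", [StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{
                RuleId    = $id               # registry value name == NetFirewallRule Name
                Name      = $fields['Name']
                Program   = $app
                Active    = $fields['Active']
                Direction = $fields['Dir']
            }
        }
    }
}

function Remove-TempFirewallException {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($r in Get-TempFirewallException) {
        if (-not $PSCmdlet.ShouldProcess("$($r.Program) (rule '$($r.Name)')", 'Remove firewall exception')) { continue }
        if (Get-Command Remove-NetFirewallRule -ErrorAction SilentlyContinue) {
            Remove-NetFirewallRule -Name $r.RuleId                          # Windows 8 and later
        } else {
            & netsh advfirewall firewall delete rule name="$($r.Name)" | Out-Null   # Windows Vista / 7
        }
    }
}

Get-TempFirewallException | Format-Table -AutoSize   # report only
Remove-TempFirewallException -WhatIf                  # drop -WhatIf, from an elevated prompt, to delete
```

Run the report first and confirm the listed program is the one the scan removed; rule deletion needs an elevated prompt. Rules whose `Name` field is a resource string (`@FirewallAPI.dll,-…`) are built-in Windows rules and will not sit under `%TEMP%`, so they are never matched.
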

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Bladabindi variants can be created using the hacker tool known as "NJ Rat", which we detect as HackTool:MSIL/Jaktinier.A and TrojanDropper:MSIL/Habbo.A.

Backdoor:MSIL/Bladabindi copies itself to the following locations:

It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>" for example, "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe"

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>" for example "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe"

It also runs net.exe to add itself to the firewall exclusion list and bypass your firewall.
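The registry entries and temporary file named in this section and in the Payload section can be checked directly. The script below is an added example, not part of the Microsoft encyclopedia entry: it walks the Run keys for values whose name is 32 hexadecimal characters or whose data points to an `.exe` under `%TEMP%`, and lists any `*.exe.tmp` keystroke-log files in `%TEMP%`. The `Windows NT\CurrentVersion\Run` paths are the ones this entry names; the standard `Windows\CurrentVersion\Run` keys are added here as the usual autorun location. `Test-BladabindiAutorun` is a name chosen for this example.

```powershell
# Added example, not from the Microsoft encyclopedia entry.
# Assumptions: the value-name pattern (32 hex characters) and the %TEMP%\<name>.exe
# data come from the entry; the Windows\CurrentVersion\Run keys are an addition.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Run',   # paths named in the entry
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',      # standard autorun keys (added)
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$tempDir = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')

function Test-BladabindiAutorun {
    foreach ($keyPath in $runKeys) {
        if (-not (Test-Path -Path $keyPath)) { continue }
        $key = Get-Item -Path $keyPath
        foreach ($valueName in $key.GetValueNames()) {
            # Read the raw data (keeps "%TEMP%" unexpanded so it can be shown as stored)
            $raw  = [string]$key.GetValue($valueName, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $path = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
            $reasons = @()
            if ($valueName -match '^[0-9a-f]{32}$') { $reasons += 'name is 32 hex chars' }
            if ($path.StartsWith("$tempDir\", [StringComparison]::OrdinalIgnoreCase) -and
                $path -like '*.exe') { $reasons += 'runs an .exe from %TEMP%' }
            if ($reasons) {
                [pscustomobject]@{
                    Indicator = 'RunValue'
                    Location  = "$keyPath\$valueName"
                    Detail    = $raw
                    Reason    = ($reasons -join '; ')
                    OnDisk    = (Test-Path -LiteralPath $path)
                }
            }
        }
    }
    # The Payload section says keystrokes are written to %TEMP%\<name>.exe.tmp
    Get-ChildItem -Path $tempDir -Filter '*.exe.tmp' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Indicator = 'KeystrokeLog'
                Location  = $_.FullName
                Detail    = "$($_.Length) bytes, modified $($_.LastWriteTime)"
                Reason    = 'matches %TEMP%\<name>.exe.tmp'
                OnDisk    = $true
            }
        }
}

$hits = @(Test-BladabindiAutorun)
if ($hits.Count) { $hits | Format-Table -AutoSize -Wrap } else { 'No Bladabindi autorun indicators found.' }
```

Because HKCU is per user, run the check in each account that uses the PC. If a hit is found, do not simply end the process: as the "Avoids detection" section notes, the malware registers itself as a critical process and killing it can crash the system with stop code 0x000000F4; remove it with the scanner instead.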

Spreads via...

Removable drives

Some Bladabindi variants copy themselves to the root folder of a removable drive. They create a shortcut file with the name and folder icon of the drive.

When you click the shortcut, the malware is launched and Windows Explorer opens, so it seems as if nothing malicious happened.
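A removable drive can be inspected without opening anything on it. The script below is an added example, not part of the Microsoft encyclopedia entry: for each removable drive it lists the shortcut files at the root (flagging those named after the drive's volume label or whose target or arguments point back at that drive) together with any executables at the root, including hidden ones. `Find-DriveRootShortcut` is a name chosen for this example; it needs PowerShell 3 or later for `Get-CimInstance`.

```powershell
# Added example, not from the Microsoft encyclopedia entry.
# Assumptions: a shortcut is suspicious when its base name equals the drive label or
# its target/arguments reference the drive itself; the function name is chosen here.

function Find-DriveRootShortcut {
    $shell  = New-Object -ComObject WScript.Shell
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'   # 2 = removable
    foreach ($drive in $drives) {
        $root  = $drive.DeviceID + '\'
        $label = $drive.VolumeName
        # -Force includes hidden and system files, which is where the payload usually sits
        $rootFiles = Get-ChildItem -Path $root -File -Force -ErrorAction SilentlyContinue

        foreach ($lnk in ($rootFiles | Where-Object { $_.Extension -eq '.lnk' })) {
            $sc        = $shell.CreateShortcut($lnk.FullName)
            $target    = [string]$sc.TargetPath
            $arguments = [string]$sc.Arguments
            $namedLikeDrive = $label -and ($lnk.BaseName -eq $label)
            $pointsAtDrive  = $target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase) -or
                              ($arguments -like "*$($drive.DeviceID)*")
            if ($namedLikeDrive -or $pointsAtDrive) {
                [pscustomobject]@{
                    Drive  = $drive.DeviceID
                    Item   = $lnk.Name
                    Kind   = 'Shortcut'
                    Detail = "target=$target args=$arguments"
                    Hidden = (($lnk.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                }
            }
        }
        # Executables at the drive root: the copy such a shortcut would launch
        foreach ($exe in ($rootFiles | Where-Object { $_.Extension -eq '.exe' })) {
            [pscustomobject]@{
                Drive  = $drive.DeviceID
                Item   = $exe.Name
                Kind   = 'Executable'
                Detail = "$($exe.Length) bytes, modified $($exe.LastWriteTime)"
                Hidden = (($exe.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            }
        }
    }
}

Find-DriveRootShortcut | Format-Table -AutoSize -Wrap
```

Reading a `.lnk` through `WScript.Shell` only parses the file; it does not run the target. A shortcut at the root that carries the drive's own name and launches an executable on the same drive is the pattern described above and should be scanned before the drive is used elsewhere.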

Payload

Steals sensitive information

Backdoor:MSIL/Bladabindi gives a hacker backdoor access to your PC. This means they can steal your sensitive information such as: 

  • Your PC name, country and serial number
  • Your Windows user name
  • Your computer's operating system version

The malware can use your PC camera to record and steal your personal information. It checks for camera drivers and installs a DLL plugin so it can record and upload video to a remote hacker.

The trojan can also log your keystrokes. This means a hacker can get access to your user names and passwords. The collected data is saved in %TEMP%\<variable name>.exe.tmp and can then be uploaded to a hacker.

Accepts backdoor commands

Backdoor:MSIL/Bladabindi can also receive the following backdoor commands:

  • Compression for uploading data
  • Download and run of files
  • Exit
  • Load plugins dynamically
  • Ping
  • Registry manipulation
  • Remote shell
  • Restart
  • Screen captures
  • Uninstall
  • Update

Connects to remote servers

The trojan can connect to remote servers to download and install updates or other malware. We have seen it connect to: 

  • fox2012.no-ip.org
  • jn.redirectme.net
  • reemo.no-ip.biz
  • moudidz.no-ip.org

Avoids detection

Backdoor:MSIL/Bladabindi uses various .NET obfuscators to hide its code.

It also makes itself a critical process to prevent it being terminated. Your system may crash with a stop code 0x000000F4 if the malware process is interrupted. This can make it hard to clean your PC when the malware is running.

Analysis by Steven Zhou and Zhitao Zhou


Symptoms

The following could indicate that you have this threat on your PC:   

  • You see these entries or keys in your registry:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>" for example, "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe"

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>" for example "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe" 

  • Your system may crash with a stop code 0x000000F4 when you try to remove malware from your computer.

Prevention


Alert level: Severe
First detected by definition: 1.141.3048.0
Latest detected by definition: 1.179.1776.0 and higher
First detected on: Jan 03, 2013
This entry was first published on: Jan 03, 2013
This entry was updated on: May 14, 2014

This threat is also detected as:
  • Trojan.MSIL.Disfa.bsto (Kaspersky)
  • winpe/Troj_Generic.OEKLP (Norman)
  • Generic34.AXLL (AVG)
  • TR/MSILKrypt.6.258 (Avira)
  • Gen:Variant.MSILKrypt.6 (BitDefender)
  • Win32.HLLW.Autoruner.25074 (Dr.Web)
  • MSIL/Injector.BOX trojan (ESET)
  • MSIL/Injector.PEW!tr (Fortinet)