Backdoor:MSIL/Bladabindi.AJ


Microsoft security software detects and removes this threat.

This threat can give a malicious hacker unauthorized access and control of your PC.

The MSIL/Bladabindi family description has more information.

Find out ways that malware can get on your PC.  



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation
Backdoor:MSIL/Bladabindi.AJ copies itself to the following locations (the paths reflect the Windows XP analysis machine, where the sample ran as Administrator; under another account the same two files land in that user's Application Data and Startup folders):

  • c:\documents and settings\administrator\application data\flashplayerplugin.exe
  • c:\documents and settings\administrator\start menu\programs\startup\ec75da55df7bc76b2f5430df05849464.exe
 
The malware adds the following registry entry so that it runs each time you start your PC (the value name is the same 32-hexadecimal-character string used as the file name of the Startup folder copy):

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ec75da55df7bc76b2f5430df05849464"
With data: ""c:\documents and settings\administrator\application data\flashplayerplugin.exe" .."

Payload

Changes system security settings
 
Backdoor:MSIL/Bladabindi.AJ adds itself to the list of applications that are allowed through the Windows Firewall (the Windows XP SP2 exceptions list for the standard profile), so its outbound and inbound connections are not blocked. It does this by making the following registry modification:

Adds value: "C:\Documents and Settings\Administrator\Application Data\FlashPlayerPlugin.exe"
With data: "c:\documents and settings\administrator\application data\flashplayerplugin.exe:*:enabled:flashplayerplugin.exe"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

The value data uses the firewall's "path:scope:state:display name" format: the "*" scope allows connections from any remote address, "enabled" activates the exception, and the display name matches the dropped file, whose name imitates an Adobe Flash Player component.
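A check a responder can run against a `reg export` of the two keys above, added here as an example; it is not part of the Microsoft write-up and not the malware family's code. It assumes the exported .reg file has already been decoded to text (exports are normally UTF-16LE), parses the string values, and flags autorun entries and enabled firewall exceptions whose executable sits in a user-writable profile directory, plus any image that appears in both lists, which is the combination this page describes. The sample export is constructed: its Bladabindi entries mirror the indicators on this page, the "SoundMAX" and sessmgr.exe entries are constructed benign entries, and the list of user-writable directory fragments is this example's own choice.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a `reg export` of the two keys after decoding to text.
# The first Run value and the first firewall entry mirror this page's
# indicators; the "SoundMAX" and sessmgr.exe entries are constructed benign
# entries so the check has something to leave alone.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ec75da55df7bc76b2f5430df05849464"="\"c:\\documents and settings\\administrator\\application data\\flashplayerplugin.exe\" .."
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Administrator\\Application Data\\FlashPlayerPlugin.exe"="c:\\documents and settings\\administrator\\application data\\flashplayerplugin.exe:*:enabled:flashplayerplugin.exe"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Directory fragments a non-admin user can write to on XP. Assumption: this
# list is the example's own choice, not something Microsoft publishes.
USER_WRITABLE = ("\\application data\\", "\\local settings\\",
                 "\\start menu\\programs\\startup\\", "\\temp\\")
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="string data", where .reg files escape backslash as \\ and quote as \"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# path:scope:Enabled|Disabled:name; anchored on the state token because the
# drive letter puts a colon inside the path itself
FW_ENTRY_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$", re.I)


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: string data}} for REG_SZ values.
    dword:/hex: values are not needed for these indicators and are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def image_path(run_data: str) -> str:
    """Executable path from Run-key data: a quoted path may be followed by
    arguments (this sample's data ends in ` ..`); an unquoted one ends at the
    first space."""
    data = run_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def parse_firewall_entry(data: str) -> Optional[Tuple[str, str, str, str]]:
    """Split an AuthorizedApplications\\List value into (path, scope, state, name)."""
    m = FW_ENTRY_RE.match(data)
    return (m["path"], m["scope"], m["state"], m["name"]) if m else None


def find_suspicious(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(category, lower-cased path, reason) for autoruns and enabled firewall
    exceptions in user-writable directories, plus images present in both."""
    findings: List[Tuple[str, str, str]] = []
    run_paths = set()
    for name, data in keys.get(RUN_KEY, {}).items():
        path = image_path(data).lower()
        run_paths.add(path)
        reasons = []
        if any(frag in path for frag in USER_WRITABLE):
            reasons.append("autorun image in a user-writable profile directory")
        if HEX32.match(name):
            reasons.append("value name is a 32-hex-digit string, not a product name")
        if reasons:
            findings.append(("run", path, "; ".join(reasons)))
    fw_paths = set()
    for _name, data in keys.get(FW_LIST_KEY, {}).items():
        entry = parse_firewall_entry(data)
        if entry is None or entry[2].lower() != "enabled":
            continue
        path, scope = entry[0].lower(), entry[1]
        fw_paths.add(path)
        if any(frag in path for frag in USER_WRITABLE):
            findings.append(("firewall", path,
                             f"enabled exception (scope {scope}) for a user-writable path"))
    for path in sorted(run_paths & fw_paths):
        findings.append(("run+firewall", path,
                         "same image is both an autorun and a firewall exception"))
    return findings


if __name__ == "__main__":
    for category, path, reason in find_suspicious(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{category}] {path}: {reason}")
```

On the sample this reports three findings, all for flashplayerplugin.exe: the Run entry (user-writable path and hash-like value name), the firewall exception, and the correlation between the two. To run it on a real host, export both keys with `reg export`, decode the file to text, and pass the result to `parse_reg_export`.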
 
Allows backdoor access and control
 
The malware gives a hacker access and control of your PC. They can then perform a number of different actions, including:

  • Downloading and running files
  • Uploading files
  • Spreading malware to other PCs
  • Logging your keystrokes or stealing your sensitive data
  • Modifying your system settings
  • Running or stopping applications
  • Deleting files

This malware description was produced and published using automated analysis of file SHA1 4b14613f52018a8e5372a0febd27e8fcddfadec0.

Symptoms

System changes
The following could indicate that you have this threat on your PC:

  • You have these files:

    c:\documents and settings\administrator\application data\flashplayerplugin.exe
    c:\documents and settings\administrator\start menu\programs\startup\ec75da55df7bc76b2f5430df05849464.exe
  • You see these entries or keys in your registry:

    Sets value: "ec75da55df7bc76b2f5430df05849464"
    With data: ""c:\documents and settings\administrator\application data\flashplayerplugin.exe" .."
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Sets value: "C:\Documents and Settings\Administrator\Application Data\FlashPlayerPlugin.exe"
    With data: "c:\documents and settings\administrator\application data\flashplayerplugin.exe:*:enabled:flashplayerplugin.exe"
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
 

Prevention


Alert level: Severe
First detected by definition: 1.159.1888.0
Latest detected by definition: 1.191.481.0 and higher
First detected on: Oct 10, 2013
This entry was first published on: Jun 03, 2014
This entry was updated on: Sep 15, 2014

This threat is also detected as:
  • Trojan-Dropper.Win32.Agent.kkpa (Kaspersky)