
You have been re-routed to the Backdoor:MSIL/Bladabindi.G write up because Trojan:MSIL/Bladabindi.G has been renamed to Backdoor:MSIL/Bladabindi.G

Backdoor:MSIL/Bladabindi.G


Microsoft security software detects and removes this threat.

This threat can give a malicious hacker unauthorized access and control of your PC. This tool is known as "NJ Rat" on the Internet.

The MSIL/Bladabindi family description has more information.

Find out ways that malware can get on your PC.  



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Attackers may use social engineering techniques to try and get Backdoor:MSIL/Bladabindi.G on your computer.

The backdoor drops a copy of itself to the <startup folder> as the following file, so that it will run each time you start your computer:

5cd8f17f4086744065eb0992a09e05a2.exe

The backdoor copies itself to the %TEMP% folder, with a configurable file name, for example:

%TEMP%\<configurable name>.exe, for example %TEMP%\trojan.exe

It makes the following changes to the registry to ensure that it runs each time you start your computer:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<configurable name>" for example, "trojan"
With data: %TEMP%\<configurable name>.exe, for example %TEMP%\trojan.exe

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<configurable name>" for example, "trojan"
With data: %TEMP%\<configurable name>.exe, for example %TEMP%\trojan.exe

Spreads via...

Removable drives

The backdoor is capable of spreading to other computers via removable drives. It does this by copying itself to the root of the drive and creating a shortcut file that uses the same name as the drive and appears with a folder icon.

If you open the shortcut, the malware runs but at the same time opens an Explorer window; this may be designed to mask the fact that the malware has been run in the background.

Payload

Allows backdoor access and control

Backdoor:MSIL/Bladabindi.G allows unauthorized access to and control of your computer. An attacker can perform any number of different actions on an affected computer using this malware. This could include, but is not limited to, the following actions:

  • Modifying system settings
  • Downloading and running files
  • Taking screen captures
  • Spreading to other computers using removable drives
  • Uninstalling itself
  • Restarting your computer
  • Updating itself
  • Exiting your computer
  • Uploading data to the attacker

Modifies security settings

Backdoor:MSIL/Bladabindi.G adds itself to the list of applications that are authorized to access the Internet without being stopped by the firewall, by making the following registry modification:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "C:\Documents and Settings\Administrator\Local Settings\Temp\trojan.exe"
With data: "c:\documents and settings\administrator\local settings\temp\trojan.exe:*:enabled:trojan.exe"

Steals information

In the wild, we have observed Backdoor:MSIL/Bladabindi.G stealing the following information about your computer, which it may then send to a remote attacker:

  • The country your computer is located in
  • The version of Windows installed on your computer
  • Your computer's name
  • The user name of the currently logged-in user
  • Your computer drive's serial number
  • Your keystrokes, which it may save to %temp%\<configurable name>.exe.tmp
  • The date the malware was installed

Analysis by Marian Radu


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following file:

    5cd8f17f4086744065eb0992a09e05a2.exe

  • The presence of the following registry modifications:

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Sets value: "C:\Documents and Settings\Administrator\Local Settings\Temp\trojan.exe"
    With data: "c:\documents and settings\administrator\local settings\temp\trojan.exe:*:enabled:trojan.exe"

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<configurable name>" for example, "trojan"
    With data: %TEMP%\<configurable name>.exe, for example %TEMP%\trojan.exe

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<configurable name>" for example, "trojan"
    With data: %TEMP%\<configurable name>.exe, for example %TEMP%\trojan.exe
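A host-side check for the indicators listed above, added here as an example and not part of the Microsoft write-up. It assumes it runs with administrator rights in Windows PowerShell on the affected machine; the "executable under the Temp folder" heuristic and the drive-label shortcut check are assumptions generalized from this entry's description, so treat hits as leads for review, not proof of infection.

```powershell
# Added example: look for the Bladabindi.G persistence, firewall and spreading
# indicators described in this entry. Heuristics are assumptions based on the page.
$findings = @()
$tempDir  = [System.IO.Path]::GetTempPath().TrimEnd('\')

# 1. Run keys whose data expands to an .exe under the current user's Temp folder.
#    The page's data is literally "%TEMP%\<name>.exe", so expand it before comparing.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PS* metadata
        $data = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if ($data -like "$tempDir\*.exe*") {
            $findings += "Run value '$($p.Name)' in $key starts an executable from Temp: $data"
        }
    }
}

# 2. Legacy firewall AuthorizedApplications list (format on the page: "<path>:*:enabled:<name>").
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwKey) {
    foreach ($p in (Get-ItemProperty -Path $fwKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        # -match is case-insensitive, so the lower-case path the entry shows also matches.
        if ([string]$p.Value -match '^(?<path>.+?):\*:enabled:' -and $Matches.path -match '\\temp\\') {
            $findings += "Firewall-authorized executable under a Temp folder: $($p.Name)"
        }
    }
}

# 3. The startup-folder copy named in this entry.
$startupFile = Join-Path ([Environment]::GetFolderPath('Startup')) '5cd8f17f4086744065eb0992a09e05a2.exe'
if (Test-Path $startupFile) { $findings += "Startup-folder copy present: $startupFile" }

# 4. Removable drives (DriveType 2): a root .lnk carrying the drive's own label is the
#    folder-icon lure the entry describes (assumed check; the page does not give the exact name).
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2') {
    if (-not $d.VolumeName) { continue }
    $lnk = "$($d.DeviceID)\$($d.VolumeName).lnk"
    if (Test-Path $lnk) { $findings += "Shortcut named after removable drive at its root: $lnk" }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Bladabindi.G indicators found.' }
```

Run it under each user profile that logs on to the machine, since HKCU and %TEMP% differ per user and the write-up shows both per-user and machine-wide persistence.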


Prevention


Alert level: Severe
First detected by definition: 1.141.302.0
Latest detected by definition: 1.191.535.0 and higher
First detected on: Nov 23, 2012
This entry was first published on: Apr 19, 2013
This entry was updated on: Sep 15, 2014

This threat is also detected as:
  • Trojan/Win32.Jorik (AhnLab)
  • W32/Bladabindi.D (Norman)
  • Trojan.Bladabindi!4D1D (Rising AV)