Trojan.MSIL.Bladabindi_9c376b9982
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.143250 (B) (Emsisoft), Trojan.MSIL.Bladabindi.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: 9c376b9982d85233c3b3644765c1370d
SHA1: a24bb68107122564dfbe0c2df5b31455e50ef8ea
SHA256: 4f284f4ca76ebfcf6b5f587672556bc6d66237ddbbc49ad4621eafe3cf5d6943
SSDeep: 768:agTMFRhoYTqiv2TPdRvMsipGiVxLwsYD2eK/0m2aZ gz/KGBC6ajuqq:dTsRhoYuiSP0Jpz ib8m2 BdTqq
Size: 57856 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2015-05-16 10:49:19
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1936
netsh.exe:364
The Trojan injects its code into the following process(es):
%original file name%.exe:1280
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1280 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\spread.exe (57 bytes)
%System%\drivers\etc\hosts (222 bytes)
C:\autorun.inf (49 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe (399 bytes)
Registry activity
The process %original file name%.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 CE 1F BE BC 4F FB 14 AB 83 4F C2 2E CD 29 25"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:1280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 81 4A 57 13 A4 54 9E 78 6B 3E 31 93 68 75 BD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU\Software\ba4c12bee3027d94da5c81db2d196bfd]
"US" = "!"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Environment]
"SEE_MASK_NOZONECHECKS" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ba4c12bee3027d94da5c81db2d196bfd" = "c:\%original file name%.exe .."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ba4c12bee3027d94da5c81db2d196bfd" = "c:\%original file name%.exe"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The process netsh.exe:364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 D7 FD EE 9C C2 34 22 83 EF 68 7B 84 63 B5 12"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "C:\%original file name%.exe:*:Enabled:%original file name%.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 956 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | www.virustotal.com |
| 127.0.0.1 | anubis.iseclab.org |
| 127.0.0.1 | www.virscan.org |
| 127.0.0.1 | virusscan.jotti.org |
| 127.0.0.1 | scanner.virus.org |
| 127.0.0.1 | scanner.novirusthanks.org |
| 127.0.0.1 | metascan-online.com |
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.1.7601.17514
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: EXPLORER.EXE
Internal Name: explorer
File Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
File Description: Windows Explorer
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 26516 | 26624 | 3.81104 | a73aa2a150bdbf8793ea240b43e20cf4 |
| .sdata | 40960 | 488 | 512 | 4.60142 | ba1a51c546597b8fdcb7d0154e4ab651 |
| .rsrc | 49152 | 29076 | 29184 | 5.21438 | 8cb4f765d997f71a3a7455e8a3fc85c8 |
| .reloc | 81920 | 12 | 512 | 0.056519 | 01942ce6d5fd164bddf4ac90fbc430e9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the folowing location(s):
.text
`.rsrc
@.reloc
v2.0.50727
w.exe
Microsoft.VisualBasic
System.Windows.Forms
System.Drawing
avicap32.dll
user32.dll
kernel32.dll
Microsoft.VisualBasic.ApplicationServices
.ctor
System.CodeDom.Compiler
System.ComponentModel
Microsoft.VisualBasic.Devices
System.Diagnostics
get_WebServices
.cctor
HelpKeywordAttribute
System.ComponentModel.Design
Microsoft.VisualBasic.CompilerServices
MyWebServices
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.IO
get_ExecutablePath
System.Collections
Operators
OperatingSystem
System.Text
System.Collections.Generic
System.IO.Compression
System.Threading
Microsoft.Win32
System.Reflection
ProcessWindowStyle
WebClient
System.Net
CopyPixelOperation
System.Drawing.Imaging
RegistryKey
GetKey
System.Net.Sockets
TcpClient
Microsoft.VisualBasic.MyServices
OpenSubKey
wVirtKey
lpKeyState
GetKeyboardState
MapVirtualKey
GetKeyboardLayout
Keyboard
GetExecutingAssembly
GetAsyncKeyState
vKey
Keys
8.0.0.0
My.User
My.Application
My.WebServices
My.Computer
4System.Web.Services.Protocols.SoapHttpClientProtocol
_CorExeMain
mscoree.dll
CreateSubKey
Windows
Mr.Wolf
cmd.exe
.^:-_`_:*^_^`-:-;^
UseShellExecute
WindowStyle
GetSubKeyNames
DeleteSubKeyTree
DeleteSubKey
cmd.exe /k ping 0 & del "
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
C:\Users\
cports
ProcessHacker
Software\Microsoft\Windows\CurrentVersion\Run
\autorun.inf
shellexecute=
autorun.inf
??/??/??
ShiftKeyDown
WScript.Shell
&explorer /root,"Í%
%SystemRoot%\system32\SHELL32.dll,3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
%System%\drivers\etc\hosts
127.0.0.1
VVV.virustotal.com
anubis.iseclab.org
VVV.virscan.org
virusscan.jotti.org
scanner.virus.org
scanner.novirusthanks.org
metascan-online.com
\edonkey2000\incoming\
%original file name%.exe_1280_rwx_00400000_00014000:
.text
`.rsrc
@.reloc
v2.0.50727
w.exe
Microsoft.VisualBasic
System.Windows.Forms
System.Drawing
avicap32.dll
user32.dll
kernel32.dll
Microsoft.VisualBasic.ApplicationServices
.ctor
System.CodeDom.Compiler
System.ComponentModel
Microsoft.VisualBasic.Devices
System.Diagnostics
get_WebServices
.cctor
HelpKeywordAttribute
System.ComponentModel.Design
Microsoft.VisualBasic.CompilerServices
MyWebServices
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.IO
get_ExecutablePath
System.Collections
Operators
OperatingSystem
System.Text
System.Collections.Generic
System.IO.Compression
System.Threading
Microsoft.Win32
System.Reflection
ProcessWindowStyle
WebClient
System.Net
CopyPixelOperation
System.Drawing.Imaging
RegistryKey
GetKey
System.Net.Sockets
TcpClient
Microsoft.VisualBasic.MyServices
OpenSubKey
wVirtKey
lpKeyState
GetKeyboardState
MapVirtualKey
GetKeyboardLayout
Keyboard
GetExecutingAssembly
GetAsyncKeyState
vKey
Keys
8.0.0.0
My.User
My.Application
My.WebServices
My.Computer
4System.Web.Services.Protocols.SoapHttpClientProtocol
_CorExeMain
mscoree.dll
CreateSubKey
Windows
Mr.Wolf
cmd.exe
.^:-_`_:*^_^`-:-;^
UseShellExecute
WindowStyle
GetSubKeyNames
DeleteSubKeyTree
DeleteSubKey
cmd.exe /k ping 0 & del "
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
C:\Users\
cports
ProcessHacker
Software\Microsoft\Windows\CurrentVersion\Run
\autorun.inf
shellexecute=
autorun.inf
??/??/??
ShiftKeyDown
WScript.Shell
&explorer /root,"Í%
%SystemRoot%\system32\SHELL32.dll,3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
%System%\drivers\etc\hosts
127.0.0.1
VVV.virustotal.com
anubis.iseclab.org
VVV.virscan.org
virusscan.jotti.org
scanner.virus.org
scanner.novirusthanks.org
metascan-online.com
\edonkey2000\incoming\
%original file name%.exe_1280_rwx_675A6000_00003000:
.Qg<-Qg
*Rg`.Rg|)RgL Rg
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1936
netsh.exe:364 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\spread.exe (57 bytes)
%System%\drivers\etc\hosts (222 bytes)
C:\autorun.inf (49 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe (399 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ba4c12bee3027d94da5c81db2d196bfd" = "c:\%original file name%.exe .."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ba4c12bee3027d94da5c81db2d196bfd" = "c:\%original file name%.exe" - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
