MSIL/Bladabindi [Threat Name] go to Threat

MSIL/Bladabindi.AH [Threat Variant Name]

Category trojan,worm
Size 32768 B
Aliases Backdoor:MSIL/Bladabindi (Microsoft)
Short description

MSIL/Bladabindi.AH is a worm that spreads via removable media. The worm serves as a backdoor. It can be controlled remotely.


When executed, the worm copies itself in some of the the following locations:

  • %temp%\­test.exe
  • %startup%\­f15f578e0867c14570c1595fb200a5f1.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "f15f578e0867c14570c1595fb200a5f1" = "%malwarefilepath% .."
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "f15f578e0867c14570c1595fb200a5f1" = "%malwarefilepath% .."

The worm executes the following command:

  • netsh firewall add allowedprogram "%malwarefilepath%" "%malwarefilename%" ENABLE

The performed command creates an exception in the Windows Firewall.

Spreading on removable media

MSIL/Bladabindi.AH is a worm that spreads via removable media.

The worm copies itself into the root folders of removable drives using the following name:

  • f15f578e0867c14570c1595fb200a5f1.exe

The worm modifies the following file:

  • %removabledrive%\­autorun.inf

The worm writes the following entries to the file:

  • [autorun]
    • open=%removabledrive%\­f15f578e0867c14570c1595fb200a5f1.exe
    • shellexecute=%removabledrive%

This file is usually dropped into the root folder of available drives in an attempt to autorun a malware executable when the infected drive is mounted.

Information stealing

MSIL/Bladabindi.AH is a worm that steals sensitive information.

The worm collects the following information:

  • volume serial number
  • computer name
  • user name
  • operating system version

The worm is able to log keystrokes.

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a URL address. It tries to connect to the remote machine on port:

  • 5522 (TCP)

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • create Registry entries
  • delete Registry entries
  • capture screenshots
  • perform DoS/DDoS attacks
  • update itself to a newer version
  • uninstall itself

The worm keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\­software\­f15f578e0867c14570c1595fb200a5f1]

Worm requires the Microsoft .NET framework to run.

Please enable Javascript to ensure correct displaying of this content and refresh this page.