MSIL/Bladabindi [Threat Name] go to Threat

MSIL/Bladabindi.J [Threat Variant Name]

Category trojan,worm
Size 1382400 B
Aliases Worm:MSIL/Necast.J (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The file is run-time compressed using Enigma Protector .


When executed the trojan copies itself in the following locations:

  • %temp%\­%TEMP%.scr
  • %startup%\­4a7c8a49d8af25eb6c00b8697c49e3a0.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "4a7c8a49d8af25eb6c00b8697c49e3a0" = "%temp%\­%TEMP%.scr"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "4a7c8a49d8af25eb6c00b8697c49e3a0" = "%temp%\­%TEMP%.scr"

The trojan may execute the following commands:

  • netsh firewall add allowedprogram "%temp%\­%TEMP%.scr" "%TEMP%.scr" ENABLE

The performed command creates an exception in the Windows Firewall.


MSIL/Bladabindi.J is a trojan that spreads by copying itself into the root folders of available drives.

The following filename is used:

  • ! My Picutre.SCR
Information stealing

MSIL/Bladabindi.J is a trojan that steals sensitive information.

The following information is collected:

  • volume serial number
  • computer name
  • user name
  • information about the operating system and system settings
  • hardware information

The trojan is able to log keystrokes.

The data is saved in the following file:

  • %temp%\­%TEMP%.scr.tmp

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains an URL address. It tries to connect to remote machine to port: 1177 (TCP).

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • log keystrokes
  • create Registry entries
  • delete Registry entries
  • capture screenshots
  • execute shell commands
  • update itself to a newer version

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\­Software\­4a7c8a49d8af25eb6c00b8697c49e3a0]

Please enable Javascript to ensure correct displaying of this content and refresh this page.