Win32/Bflient [Threat Name] go to Threat

Win32/Bflient.Y [Threat Variant Name]

Category worm
Size 143360 B
Detection created Jan 25, 2011
Detection database version 10181
Aliases Trojan-Dropper.Win32.Agent.ebrk (Kaspersky)
  Win32:Inject-ACY (Avast)
  Dropper.Agent.AGBO.trojan (AVG)
Short description

Win32/Bflient.Y is a worm that spreads via removable media. The worm serves as a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself into the following location:

  • %userprofile%\­fxmdk.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Taskman" = "%userprofile%\­fxmdk.exe"

The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Shell" = "explorer.exe, %userprofile%\­fxmdk.exe"

The worm launches the following processes:

  • %malwarefilepath%
  • svchost.exe

The worm creates and runs a new thread with its own code within these running processes.

Spreading on removable media

The worm copies itself to the following location:

  • %drive%\­fakerica\­shmekerica.exe

The worm creates the following file:

  • %drive%\­autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the worm ensures it is started each time infected media is inserted into the computer.

Information stealing

The worm collects the following information:

  • operating system version
  • computer IP address
  • list of running processes

The worm can send the information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a list of (5) URLs. The UDP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • open a specific URL address
  • update itself to a newer version
  • send gathered information
  • uninstall itself

Please enable Javascript to ensure correct displaying of this content and refresh this page.