| Field | Details |
|---|---|
| Short Description | The backdoor is deployed to change system settings and steal sensitive information. |
| Symptoms | Various registry entries are modified. |
| Distribution Method | Not clear yet, but possibly by leveraging software vulnerabilities or unsafe browsing. |
Backdoors are quite damaging to a system and should be removed immediately. Backdoor:MSIL/Bladabindi.AJ is one of the latest backdoors reported by Microsoft. It belongs to the MSIL/Bladabindi family (Microsoft's name for the .NET remote access tool better known as njRAT), which is designed to steal sensitive data and send it to the attacker. It changes various system settings and copies itself to several locations on the compromised system.
Members of the MSIL/Bladabindi family are reported to copy themselves to one of several well-known directories under a different file name; the locations Microsoft observed for this variant are listed in the payload section below.
What is the Payload of Backdoor:MSIL/Bladabindi.AJ?
Once it has installed itself on the system, Backdoor:MSIL/Bladabindi.AJ copies itself to the following locations. The Administrator profile in these paths reflects Microsoft's analysis machine; on another system expect the same file names under the logged-on user's Application Data and Startup folders. Note that the copy in the Startup folder is itself a persistence mechanism, independent of the registry entry described next:
- c:\documents and settings\administrator\application data\flashplayerplugin.exe
- c:\documents and settings\administrator\start menu\programs\startup\ec75da55df7bc76b2f5430df05849464.exe
After it has placed itself in these locations, the malware alters the registry so that it runs each time a user logs on. Here is the information provided by the researchers at the Microsoft Malware Protection Center (the trailing ".." is part of the recorded command line):
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ec75da55df7bc76b2f5430df05849464"
With data: "c:\documents and settings\administrator\application data\flashplayerplugin.exe" ..
The backdoor is also capable of changing multiple system security settings without the user's knowledge or consent. First, it adds itself to the list of applications that the Windows Firewall allows to accept inbound connections. The write-up does not name the subkey, but the "path:*:Enabled:name" data format is that of the Windows XP/2003 firewall's authorized-applications list, HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (Vista and later store such exceptions as firewall rules instead). Backdoor:MSIL/Bladabindi.AJ adds the following value to that subkey:
Adds value: "C:\Documents and Settings\Administrator\Application Data\FlashPlayerPlugin.exe"
With data: "c:\documents and settings\administrator\application data\flashplayerplugin.exe:*:enabled:flashplayerplugin.exe"
As the entries above show, the backdoor installs itself under the name FlashPlayerPlugin.exe. This name is chosen to look like a legitimate Adobe Flash Player component so that the file and its firewall and Run entries do not stand out; it does not mean a Flash Player vulnerability was exploited. A genuine Flash component is digitally signed by Adobe and is not installed in a user's Application Data folder, so an unsigned file of that name in a profile directory should be treated as suspicious.
Finally, being a backdoor, Bladabindi gives the attacker remote access so that they can use the compromised PC whenever they want. Such access is commonly used to spread more malware, install keyloggers to steal sensitive data, start or stop applications, and delete files.
Backdoor:MSIL/Bladabindi.AJ Removal Options
Considering the malicious character of the Bladabindi backdoor, removing it with professional software is highly recommended. However, expert users can try to remove it themselves by following the removal instructions provided below.
1. Start Your PC in Safe Mode to Remove Backdoor:MSIL/Bladabindi.AJ.
For Windows XP, Vista, 7 systems:
1. Remove all CDs and DVDs, and then restart your PC from the "Start" menu.
2. Enter the boot menu:
– For PCs with a single operating system: press "F8" repeatedly after the first boot screen shows up during the restart of your computer. If the Windows logo appears on the screen, you have to repeat the same task again.
– For PCs with multiple operating systems: use the arrow keys to select the operating system you prefer to start in Safe Mode, then press "F8" just as described for a single operating system.
3. When the "Advanced Boot Options" screen appears, select the Safe Mode option you want using the arrow keys. After you make your selection, press "Enter".
4. Log on to your computer using your administrator account.
While your computer is in Safe Mode, the words “Safe Mode” will appear in all four corners of your screen.
For Windows 8, 8.1 and 10 systems:
Step 1: Open the Start Menu
Step 2: Whilst holding down Shift button, click on Power and then click on Restart.
Step 3: After the reboot, a recovery menu will appear. From there you should choose Troubleshoot.
Step 4: You will see the Troubleshoot menu. From this menu you can choose Advanced Options.
Step 5: After the Advanced Options menu appears, click on Startup Settings.
Step 6: Click on Restart.
Step 7: A menu will appear upon reboot. You should choose Safe Mode by pressing its corresponding number and the machine will restart.
2. Remove Backdoor:MSIL/Bladabindi.AJ automatically by downloading an advanced anti-malware program.
To clean your computer you should download an up-to-date anti-malware program on a clean PC, transfer it to the affected computer and install it there without connecting that machine to the network. After that you should boot into Safe Mode and scan your computer to remove all Backdoor:MSIL/Bladabindi.AJ associated objects.
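For expert users who want to check a machine for the specific indicators described in the payload section and, if present, remove them by hand, the following PowerShell script is an added example; it is not code from Microsoft or from this site. It assumes the dropped file is still named flashplayerplugin.exe and the Run value still carries the 32-character name quoted above (both copied from the write-up and both likely to differ in other samples, so they are parameters), and it assumes the firewall exception lives in the XP/2003 authorized-applications list, which the write-up does not name. Run it as Administrator; without -Remove it only reports.

```powershell
<#
  Triage and removal helper for the Bladabindi.AJ indicators listed on this page.
  Added example, not Microsoft's or the page author's code. Run as Administrator.
  Assumptions: file name and Run-value name are the ones from the write-up (override
  them for other samples); the XP firewall key below is assumed, the page does not name it.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$FileName = 'flashplayerplugin.exe',             # from the write-up
    [string]$RunValue = 'ec75da55df7bc76b2f5430df05849464',  # from the write-up
    [switch]$Remove                                          # report only unless set
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Kind, $Path, $Name, $Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; Name = $Name; Detail = $Detail })
}

# 1. Dropped copies. The write-up shows the Administrator profile because that was the
#    analysis machine; on a live box look in the current user's %APPDATA% and Startup folder.
$dropPaths = @(
    (Join-Path $env:APPDATA $FileName),
    (Join-Path ([Environment]::GetFolderPath('Startup')) "$RunValue.exe")
)
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) {
        # A genuine Adobe component is signed and does not live in a profile folder.
        $sig = Get-AuthenticodeSignature -FilePath $p
        Add-Finding 'File' $p $null "Authenticode status: $($sig.Status)"
    }
}

# 2. Run-key persistence. The page lists HKLM; HKCU is checked too because a sample
#    running as a standard user can only write there.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath and friends
        $data = [string]$prop.Value
        if ($prop.Name -eq $RunValue -or $data -like "*$FileName*") {
            Add-Finding 'RunValue' $key $prop.Name $data
        }
    }
}

# 3. Firewall exception. "path:*:Enabled:name" is the format of the XP/2003 firewall's
#    authorized-applications list (assumed key). Vista and later use firewall rules, so
#    the rule store is checked as well where the NetSecurity cmdlets exist.
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwList) {
    foreach ($prop in (Get-ItemProperty -Path $fwList).PSObject.Properties) {
        if ($prop.Name -like "*\$FileName") { Add-Finding 'FirewallList' $fwList $prop.Name ([string]$prop.Value) }
    }
}
if (Get-Command Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue) {
    $filters = Get-NetFirewallApplicationFilter | Where-Object { $_.Program -like "*\$FileName" }
    foreach ($rule in ($filters | Get-NetFirewallRule)) {
        Add-Finding 'FirewallRule' $rule.Name $null $rule.DisplayName
    }
}

$findings | Format-Table -AutoSize
if (-not $Remove -or $findings.Count -eq 0) { return }

# Removal: stop the running copy first, otherwise it can recreate its entries.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like "*\$FileName" } |
    Stop-Process -Force
foreach ($f in $findings) {
    if (-not $PSCmdlet.ShouldProcess("$($f.Kind) $($f.Path) $($f.Name)", 'Remove')) { continue }
    switch ($f.Kind) {
        'File'         { Remove-Item -LiteralPath $f.Path -Force }
        'RunValue'     { Remove-ItemProperty -Path $f.Path -Name $f.Name }
        'FirewallList' { Remove-ItemProperty -Path $f.Path -Name $f.Name }
        'FirewallRule' { Remove-NetFirewallRule -Name $f.Path }
    }
}
```

Run it once without -Remove and review the table, then run it with -Remove -WhatIf to see what would be deleted before committing. The script only covers the indicators quoted on this page; a full anti-malware scan in Safe Mode is still needed to catch anything else the attacker installed through the backdoor.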