How to Protect your Computer from ‘Bladabindi’ Virus

Its time for Indian computer users get to know about the new virus in the Indian cyber space named ‘Bladabindi’ that can steal personal information from computers running on windows operating system.

The huge number of windows users in India might be the reason for Indians being targeted. This virus is not new to the world but India. So there are some case studies available about this virus and its behavior that can help us get rid of it before the loss occur. Microsoft provided some information on this virus and ways to identify them on windows PCs.

How ‘Bladabindi’ steals your sensitive information?

‘Bladabindi’ opens a backdoor for hackers to steal your sensitive information like following from your PC:

• Your PC name, country and serial number
• Your Windows user name
• Your PC operating system version

As we discussed previously, Bladabindi can be found in different variants. It can also steal information such as your:

• Chrome stored passwords
• DnyDNS information
• Firefox stored passwords
• IE 7 stored passwords
• No-ip/DUC information
• Opera stored passwords
• Paltalk credentials

The hacker can also access your camera to steal and record your personal information. Once infected, the virus checks for camera drives and installs a DLL plugin to run it and record the video and sends it to the remote hacker.

Its variants can also be used as key loggers by the hacker. Once infected, it starts recording the key strokes there by sending him your full login credentials. Take look at the following commands that can be executed using ‘Bladabindi’:

• Capture screenshots
• Compress data to be uploaded
• Connect to remote servers
• Download and run files
• Exit
• Load plugins dynamically
• Manipulate the registry
• Open a remote shell
• Ping a remote server
• Restart your PC
• Uninstall itself
• Update itself

This virus can connect to remote servers and can download and install the other malware and viruses. Microsoft have found this Trojan connecting to following addresses:

• fox2012.no-ip.org
• jn.redirectme.net
• moudidz.no-ip.org
• reemo.no-ip.biz

Identifying ‘Bladabindi’ virus on your computer

Bladabindi virus acts smart when executed. It generally spreads through the ‘autorun’ from the removable devices and unauthorized download files on internet.

This virus tricks you by keeping itself with disguised icon masks that could mislead you into running the program. The list of most common icons it uses for disguising are shown already in previous article.

When run on your computer, the virus copies itself into one of the following locations with a variable name, for example %TEMP%\svhost.exe:

• C:\Users\<user name>\AppData\Local\Temp – %TEMP%
• C:\Users\<user name>\AppData\Roaming – %APPDATA%
• C:\Users\<user name> – %USERPROFILE%
• C:\ProgramData – %ALLUSERPROFILE%
• C:\ProgramData – %windir%

The above locations can be accessed through Win+R(Run) by using the common folder variables shown along with them, for example %APPDATA%.

It also copies itself into startup folder to make sure it runs every time when the computer is started. It can be easily identified with a random 32 alpha-numerical name and .exe extension, for example <startup folder>\5cd8f17f4086744065eb0992a09e05a2.exe

To check your startup folders on your computer, go to any of the following locations or simply copy-paste the path and hit enter:

• C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
• C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

It also changes the windows registry keys to run itself every time when the PC starts. The registry keys that would be modified are as follows:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>" for example, "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe"
 
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>" for example "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe

It also runs net.exe to add itself to the firewall exclusion list and bypass the firewall of your computer.

Protecting the computers from ‘Bladabindi’

There no such special spell to weed out this virus from your computer. All you have to do is:

• Update your antivirus definitions.
• Do not download files from suspicious links.
• Do not care about anonymous email attachments.
• Check your firewall settings and keep it safe always.
• Do not run untrusted files on the computer. Once infected, your data is out.
• Be careful about pen drives and removable media from your friends. They may not be protecting themselves against this virus.
• Do not use patched or cracked software.
• Do not auto-save passwords on web browsers.
• Do not use IE unless you set automatic updates on your computer  to ON.
• Do not use Administrator account for general computer usage. If needed open the program(s) by typing the admin password.

Also check the above discussed locations for the suspicious .exe files and other potent malware programs. Scan your computer completely for viruses and malware. Don’t forget to update it before scanning.

Hope the tips help you keeping your computer safe not only from ‘Bladabindi’ virus but also all kind of its variants.

If you have ever experienced any virus attack on your computer, share your experience with us.