Backdoor msil bladabindi rfn đánh giá năm 2024

Backdoor.Bladabindi is the detection for a family of backdoors that steal sensitive information from the affected system.

Type and source of infection

The information stolen by Backdoor.Bladabindi is sent to the threat actors. Some members of this family can also download and execute additional malware.This threat uses several methods of spreading:

• Infected removable drives
• Installed by other Trojans
• Links to infected websites

Protection

Malwarebytes blocks Backdoor.Bladabindi

Home remediation

Malwarebytes can remove Backdoor.Bladabindi without further user interaction.

1. Please download Malwarebytesto your desktop.
2. Double-click MBSetup.exeand follow the prompts to install the program.
3. When your Malwarebytes for Windowsinstallation completes, the program opens to the Welcome to Malwarebytes screen.
4. Click on the Get started button.
5. Click Scan to start a Threat Scan.
6. Click Quarantineto remove the found threats.
7. Reboot the system if prompted to complete the removal process.

Business remediation

How to remove Backdoor.Bladabindi with the Malwarebytes Nebula console

You can use the Malwarebytes Anti-Malware Nebula console to scan endpoints.

Nebula endpoint tasks menu

Choose the Scan + Quarantine option. Afterwards you can check the Detections pageto see which threats were found.

Một worm trong Windows lây lan qua các ổ đĩa di động bị phát hiện đang phát tán trojan BLADABINDI kèm các nguy cơ cài backdoor, tấn công DDoS và RAT.

Trojan BLADABINDI từng được sử dụng trong nhiều chiến dịch tấn công mạng do có khả năng thích ứng cao, cho phép hacker điều chỉnh trojan cho từng mục tiêu cụ thể. Trojan này có thể được sử dụng như một backdoor, để thực hiện các cuộc tấn công DDoS với vai trò một botnet, và cho phép người dùng trích xuất thông tin bằng cách sử dụng mô-đun keylogger của nó.

Trend Micro đã phát hiện ra một chiến dịch mã độc mới được cho là sử dụng worm trong Windows, có tên Worm.Win32.BLADABINDI.AA để cài đặt một phiên bản không file của backdoor BLADABINDI.

BLADABINDI sử dụng ngôn ngữ kịch bản AutoIt để biên dịch cả kịch bản lệnh thả và thông tin gói payload khi thả xuống các thiết bị bị tấn công, cùng lúc sử dụng gói UPX để làm xáo trộn chính trojan khiến việc phát hiện trở nên khó khăn hơn nhiều.

Một khi trojan tiếp cận được một hệ thống mới, nó sẽ tìm và xóa các tệp nhị phân Tr.exe khỏi thư mục tạm thời và cài đặt phiên bản của nó, đồng thời kéo dài sự tồn tại của nó bằng cách sao chép chính nó vào thư mục Windows Startup và tạo một mục đăng ký AdobeMX trong đó sử dụng reflective loading để tải mã độc từ bộ nhớ.

Biến thể BLADABINDI này sử dụng nhiều kỹ thuật để duy trì sự tồn tại

Tải mã độc từ bộ nhớ hệ thống khiến BLADABINDI trở thành một mã độc không file, giúp nó không bị phát hiện bởi các giải pháp phòng chống mã độc chỉ thực hiện quét các ổ đĩa hệ thống.

Dòng BLADABINDI này đi kèm với nhiều công cụ backdoor từ ghi lại thao tác bàn phím, đánh cắp thông tin xác thực từ các trình duyệt web đến truy xuất và thực thi các tệp.

Trên thực tế, biến thể BLADABINDI này sử dụng các ổ đĩa di động để tự phát tán khiến nó trở nên đặc biệt nguy hiểm đối với các doanh nghiệp và người dùng sử dụng các thiết bị với mục đích chia sẻ tài liệu.

Trend Micro khuyến cáo người dùng hạn chế và bảo đảm an toàn trong việc sử dụng USB và ổ cứng di động, hoặc các công cụ như PowerShell (đặc biệt trên các hệ thống có dữ liệu nhạy cảm) và chủ động giám sát cổng, điểm kết nối cuối, mạng và máy chủ để phát hiện các hành vi và chỉ số bất thường.

Please do the following so that we may take a closer look at your system for any possible infections.

Do these 2 steps so that ALL folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start. Show-Hidden-Folders-Files-Extensions https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Then please restart the computer and do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply Then be patient for the next expert to take your case.

Thank you

Link to post

Share on other sites

---

ID:1597834

• * Share

Hello @Yash87

Do provide ( attach) the support tool ZIP report. Look real close at the information detail shown on the screen-grab from MS Defender. Look real close on the Downloads folder. Where did you get "Driver Easy Professional ?? I would suggest you delete all that is related to it.

Link to post

Share on other sites

---

• Author

ID:1597835

• * Share

Can I talk to one of the staff??

Link to post

Share on other sites

---

ID:1597837

• * Share

This is a public forum where people post their issue and typically experts help out. There are no telephones involved. What is it now ?

Link to post

Share on other sites

---

ID:1597840

• * Share

1. Do the steps suggested above by Porthos

2. The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe . Be sure you save the file first

Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan. That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well

Launch MSERT.exe Accept the agreement terms of Microsoft Select CUSTOM scan Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run. Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those. We only rely on the end result that is on the log-report-file.

This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

the log will be at

Windows\debug\msert.log Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Link to post

Share on other sites

---

ID:1597879

• * Share

Results Summary:

---

No infection found. Successfully Submitted MAPS Report Successfully Submitted Heartbeat Report Microsoft Safety Scanner Finished On Thu Nov 2 00:17:50 2023

Thank you for running the Safety Scanner.

Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.

NOTE-1: This custom fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will attempt to run a scan with Microsoft Defender antivirus. It will attempt to clear Cache files of web browsers. It will attempt to clear temporary file areas. It rebuilds the Winsock. Depending on the speed of your computer this fix may take 50-55 minutes or more.

Please Close all open work before you actually do begin this run.

FRSTENGLISH.exe program location: Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt <- < - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers, This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

Link to post

Share on other sites

---

• Author

ID:1597952

• * Share

this is the fixlog u requested, also when i used FRSTENGLISH by default it had registry, services, drivers, scheduled tasks, processes, internet and onemonth whitelisted. these options were all ticked by default

Fixlog.txt

Link to post

Share on other sites

---

• Author

ID:1597987

• * Share

um what do i do now? please help

Link to post

Share on other sites

---

ID:1597988

• * Share

The custom-run is good. The Windows System File Checker has made some corrections.

Windows Resource Protection found corrupt files and successfully repaired them.

This last run has completed what was originally intended. 

As a next step, I suggest the following: This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool. ESET Onlinescanner checks for viruses, other malware, adwares, & potentially unwanted applications. This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

• Save the file to your system, such as the Downloads folder, or else to the Desktop.
• Go to the saved file, and double click it to get it started.
• When presented with the initial ESET options, click on "Computer Scan".
• Next, when prompted by Windows, allow it to start by clicking Yes
• When prompted for scan type, Click on CUSTOM scan and select C drive to be scanned
• Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
• and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours.

• At screen "Detections occurred and resolved" click on blue button "View detected results"
• On next screen, at lower left, click on blue "Save scan log"
• View where file is to be saved. Provide a meaningful name for the "File name:"
• On last screen, set to Off (left) the option for Periodic scanning
• Click "save and continue"
• Please attach the report file so I can review

Link to post

Share on other sites

---

• Author

ID:1598069

• * Share

Um hello? Sorry i just wanna know if I'm good to go? Kinda haven't touched my pc coz of this. So I just wanna fix this.

Link to post

Share on other sites

---

• Author

ID:1598098

• * Share

Let me know what to do next, I'll be waiting 👍🏻

Link to post

Share on other sites

---

• Author

ID:1598112

• * Share

It's still detecting Backdoor:MSIL/Bladabindi.AJ

Link to post

Share on other sites

---

ID:1598117

• * Share

Now a different scan with another security scanner.

You should first Close as many of your open-user app-screens as possible. That is to say, Exit all that you do not need to have open.

This with Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.

Drag and Drop KVRT.exe into the Run Box.

C:\Users\Yash\DESKTOP\KVRT.exe will now show in the run box.

add

-dontencrypt

Note the space between KVRT.exe and -dontencrypt

C:\Users\Yash\DESKTOP\KVRT.exe -dontencrypt

should now show in the Run box.

That addendum to the run command is very important.

To start the scan select OK in the "Run" box.

The Windows Protected your PC window "may" open, IF SO then select "More Info"

A new Window will open, select "Run anyway"

A EULA window will open, tick both confirmation boxes then select "Accept"

Go slow & careful on this part. In the new window select "Change Parameters"

• In the new window ensure the following boxes are ticked:
  • System memory
  • Startup objects
  • Boot sectors
  • System drive
• Then select "OK" and "Start scan“.

The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else..

• completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
• Usually, your system needs a reboot to finish the removal process.
• Logfiles can be found on your systemdrive (usually C: ), similar like this:

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20231104_203000.klr

• Right click direct onto those reports, select > open with > Notepad.
• Save the files and attach them with your next reply
• Have lots of patience, as this will most likely run for many hours.
• Also, be aware I am a volunteer here. I help here as personal time permits. I am not on all the time.

Link to post

Share on other sites

---

• Author

ID:1598209

• * Share

the scan was complete, nothing was found.

Link to post

Share on other sites

---

• Author

ID:1598211

• * Share

Also i tried to right click on details but I didn't get any option after right clicking

Link to post

Share on other sites

---

ID:1598213

• * Share

That is a fine result. One other scan here.

TrendMicro HouseCall scan from this Link

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do a update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented. Click the Accept radio button & click Next to proceed.

I suggest a CUSTOM scan on C drive.

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

The scan progress will then be displayed. Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action , and select Ignore.

When all done & ready, click the Fix now button. The "Summary" at the end at "Review Results" is what matters.

Link to post

Share on other sites

---

• Author

ID:1598251

• * Share

says no threats, also sorry for constantly posting a message here.

Link to post

Share on other sites

---

ID:1598263

• * Share

Hello. The TrendMicro Housecall result is excellent. Close that window ( if it is still open). We are done with it.

[ Do a custom scan with Microsoft Defender Antivirus ]

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on , and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options. Look down the list and see "Check for Updates" .

You should click on that to have the system check for updates for Windows Defender. Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options. Click that & select CUSTOM scan & then pick the C drive & have it go forward.

Once it has started the scan phase, you can go take a long break. This scan may well take many, many hours. Let me know the results.

Link to post

Share on other sites

---

• Author

ID:1598271

• * Share

well..... yeah also is it because that software which i downloaded, the drive easy file which updates drivers. well i used that to update most my drivers. so there might be a chance that might be the cause??

Link to post

Share on other sites

---

ID:1598283

• * Share

Look on that screen. There is a Start actions button. Plus furthermore, I had urged you to completely uninstall "Driver Easy". I do not recommend it. and as I said, you have to dig and follow the button prompts on Microsoft Defender.

One gets legitimate "drivers" from the legitimate and appropriate source. For application programs, from the software publisher. For hardware, ir is best to get from the hardware manufacturer website. Otherwise, run a Microsoft Windows Update run and see what is available ( as a regular release). Not any "preview".

Link to post

Share on other sites

---

• Author

ID:1598311

• * Share

I have clicked on start action several times but the backdoor always shows up again after taking action several times. Also this driver easy was completely uninstalled and deleted from my pc but yet it shows that it's there even after clearing it from my recycle bin and everything else. I had also deleted the setup files, this was all done at the start before i even posted here. I was so confused as to why it still showed the location of that file in downloads as I had completely deleted everything of driver easy.