
Win32/Bflient

By Domesticus in Worms

Win32/Bflient is a worm that has several variants. These variants are identified by adding a letter to the worm's name (for example, Win32/Bflient.A, Win32/Bflient.B, Win32/Bflient.C, etc.). This worm is often detected under several aliases and is typically found on peer-to-peer networks. Win32/Bflient has the capacity to spread from one computer to another by taking advantage of network vulnerabilities. Win32/Bflient can spread through a network by infecting shared folders and making changes to the infected computer's firewall. Win32/Bflient infects computer systems running the Windows operating system, and PC security analysts consider Win32/Bflient among the top ten most common malware infections of 2011. The most common way in which Win32/Bflient spreads is through removable storage devices. This dangerous malware infection creates a backdoor into the infected computer system: an opening in the computer's security through which an attacker can access the victim's system from a remote location.

How Win32/Bflient Attacks a Computer System

Win32/Bflient installs an executable file with the EXE extension in the 'Application Data' directory; the file name changes depending on the version of Win32/Bflient attacking your computer system (for example, one variant installs a file named sjlp.exe). As part of its installation process, Win32/Bflient makes a change to the Windows registry that causes Win32/Bflient to start up every time Windows boots (the Winlogon values listed under Registry Details below).

In order to spread through removable media, Win32/Bflient copies itself to the drive corresponding to the removable storage device, into a hidden folder named GOLAC and under the file name tornado.exe. It also creates an autorun file, which ensures that Win32/Bflient will start automatically as soon as the infected drive is connected to a computer system that honors autorun.inf on removable drives. Note that Microsoft disabled AutoRun for non-optical removable media by default starting with Windows 7, and pushed the same change to earlier versions through update KB971029; on such systems the autorun.inf alone does not launch the worm, and the user would have to open tornado.exe themselves.

Once installed, Win32/Bflient has information-stealing capabilities. This malware infection collects the victim's cookies (which can expose the victim's passwords and personal data), user names, computer name, operating system and version, and other general information about the infected computer system. A criminal can then use this information to upload additional malware onto the infected computer system through the backdoor that this worm creates. Win32/Bflient connects to various URLs using HTTP in order to transmit this information. It can download malware from these URLs, receive updates and run specific executable files on the infected computer system.

File System Details

Win32/Bflient may create the following file(s):
#   File Name
1.  %Drive%\autorun.inf

Registry Details

Win32/Bflient may create the following registry entry or registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "explorer.exe,%appdata%\sjlp.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = "%appdata%\sjlp.exe"

On a clean Windows installation the Winlogon "Shell" value is exactly "explorer.exe" and no "Taskman" value exists, so any extra program appended to "Shell" or any "Taskman" value at all warrants investigation.
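The following Python script is an added example, not code from the original page or from any vendor tool. It turns the artefacts described in the "How Win32/Bflient Attacks a Computer System" section and listed under File System Details and Registry Details into a host triage check: it flags a Winlogon "Shell" value that is anything other than "explorer.exe", the presence of a "Taskman" value, references to sjlp.exe, and an autorun.inf on a removable drive that launches GOLAC\tornado.exe. The clean-baseline values, the set of drive letters scanned and the sample data at the bottom are assumptions and constructed inputs, not facts from the page; the live registry and drive checks only run on Windows.

```python
import os
import sys
from typing import Dict, List

# Indicator names are taken from the page. The clean baseline is an assumption about
# a default Windows install: Shell is exactly "explorer.exe" and no Taskman value exists.
DROP_DIR = "GOLAC"
DROP_FILE = "tornado.exe"
APPDATA_FILE = "sjlp.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CLEAN_SHELL = "explorer.exe"


def check_winlogon_values(values: Dict[str, str]) -> List[str]:
    """Flag deviations from the clean Winlogon baseline and Bflient file names."""
    findings = []
    shell = values.get("Shell", CLEAN_SHELL)
    # Shell is a comma-separated list; anything beyond explorer.exe is extra.
    entries = [e.strip().lower() for e in shell.split(",") if e.strip()]
    if entries != [CLEAN_SHELL]:
        findings.append(f"Winlogon\\Shell modified: {shell!r}")
    if "Taskman" in values:
        findings.append(f"Winlogon\\Taskman present: {values['Taskman']!r}")
    for name in ("Shell", "Taskman"):
        if APPDATA_FILE in values.get(name, "").lower():
            findings.append(f"Winlogon\\{name} references {APPDATA_FILE} (Win32/Bflient indicator)")
    return findings


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section with lower-cased keys.
    Hand-rolled so junk lines (common obfuscation in malicious autorun.inf) are skipped."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def check_autorun_inf(text: str) -> List[str]:
    """Flag autorun.inf launch keys, and specifically the GOLAC\\tornado.exe drop."""
    findings = []
    values = parse_autorun_inf(text)
    # Keys through which autorun.inf can start a program.
    launch_targets = [v for k, v in values.items()
                      if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))]
    bflient_path = f"{DROP_DIR}\\{DROP_FILE}".lower()
    for target in launch_targets:
        normalised = target.lower().replace("/", "\\")
        if bflient_path in normalised:
            findings.append(f"autorun launches {target!r} (Win32/Bflient indicator)")
        elif ".exe" in normalised:
            findings.append(f"autorun launches executable {target!r}")
    return findings


def read_winlogon_values() -> Dict[str, str]:
    """Windows only: read Shell and Taskman from HKLM Winlogon (empty dict elsewhere)."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in ("Shell", "Taskman"):
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent, which is the clean state for Taskman
    return out


def scan_removable_drives() -> List[str]:
    """Windows only: inspect each removable drive for the dropper and its autorun.inf."""
    findings = []
    if sys.platform != "win32":
        return findings
    import ctypes
    DRIVE_REMOVABLE = 2  # GetDriveTypeW result for USB sticks and similar media
    for letter in "DEFGHIJKLMNOPQRSTUVWXYZ":  # assumption: C: is the system drive
        root = f"{letter}:\\"
        if ctypes.windll.kernel32.GetDriveTypeW(root) != DRIVE_REMOVABLE:
            continue
        drop = os.path.join(root, DROP_DIR, DROP_FILE)
        if os.path.exists(drop):
            findings.append(f"{drop} exists (Win32/Bflient indicator)")
        inf = os.path.join(root, "autorun.inf")
        if os.path.exists(inf):
            with open(inf, "r", errors="replace") as fh:
                findings += [f"{inf}: {f}" for f in check_autorun_inf(fh.read())]
    return findings


# Constructed sample data mirroring the artefacts described on this page.
SAMPLE_WINLOGON = {"Shell": "explorer.exe,%appdata%\\sjlp.exe", "Taskman": "%appdata%\\sjlp.exe"}
SAMPLE_AUTORUN = "[autorun]\nopen=GOLAC\\tornado.exe\nicon=%SystemRoot%\\system32\\shell32.dll,4\n"

if __name__ == "__main__":
    for finding in check_winlogon_values(SAMPLE_WINLOGON) + check_autorun_inf(SAMPLE_AUTORUN):
        print("[sample]", finding)
    for finding in check_winlogon_values(read_winlogon_values()) + scan_removable_drives():
        print("[live]", finding)
```

Run it as an administrator on the suspect host; the "[sample]" lines show what a hit looks like, and any "[live]" line is a real finding. The autorun parser deliberately ignores lines without "=" and matches keys and section names case-insensitively, because malicious autorun.inf files routinely pad themselves with garbage lines and mixed case to defeat naive string matching.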
