
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Monder.BL

Threat level: Low
Damage: High
Distribution: Not widespread

Effects 

Monder.BL is designed to obtain information from the computer and its users. This information is sent to its creator through connections to several websites.

Additionally, it modifies the security settings of Internet Explorer, lowering the protection level applied while users browse with it.

It also spreads through social networks such as Facebook and through instant messaging programs; in both cases the malware is disguised as a link to watch a video.

In the case of Facebook, when a user gets infected, a link to a website that looks like a video is posted on their wall and on their friends' walls:

Message published in the wall of Facebook

If users follow the link, a fake video player is displayed with a message stating that a newer Flash Player version must be downloaded:

Message requiring the installation of a new Flash Player version

If users agree to download this "new version", a window like the following is displayed, offering the download:

Download window of the fake Flash Player

When the OK button is clicked, a message informing users that the update can be downloaded is displayed:

Download of the fake Flash Player

The file name, flash_player.exe, looks like that of the genuine installer. However, the website it is downloaded from is not the official Flash Player site, which is the detail that gives the lure away.

If users save this file on their computer, it has the following icon, imitating the original one:

Fake icon of Flash Player

When this file is run, the computer will be affected by Monder.BL.

Infection strategy 

Monder.BL creates the following files in the Documents and Settings profile directory of the logged-in user:

  • A.EXE
  • B.EXE
  • C.EXE

Additionally, it creates these other files in the Local Settings\Temp folder under the logged-in user's Documents and Settings profile directory:

  • FZJ.EXE. This file drops a DLL called SSHNAS21.DLL into the Windows system directory and registers it as a service that runs automatically at startup.
  • FZK.EXE
  • FZL.EXE
  • FZJ.BAT


Monder.BL creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    netsvcs = 0x360074006f00340000004100700070004d0067006d007400000041007500
    This is the REG_MULTI_SZ list of services hosted by the netsvcs instance of svchost.exe, shown here as UTF-16LE hex: it decodes to 6to4, AppMgmt, Au... (the value is cut short above). Adding a service name to this list makes that svchost.exe instance load the service's ServiceDll.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters
    ServiceDll = %sysdir%\sshnas21.dll

    where %sysdir% is the Windows system directory.
    By creating these entries (and issuing several command lines), it registers SSHNAS as a service hosted by svchost.exe, so the DLL is loaded every time Windows starts.


On the other hand, Monder.BL modifies the following entries in the Windows Registry in order to change the security configuration of Internet Explorer. The SID shown is that of the logged-in user on the analysed computer (here the built-in Administrator account, RID 500); on other computers the same key sits under that computer's own user SIDs:

  • HKEY_USERS\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    IntranetName = 1
  • HKEY_USERS\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    ProxyBypass = 1
  • HKEY_USERS\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    UNCAsIntranet = 1

    These three values correspond to the Local Intranet zone options "Include all local (intranet) sites not listed in other zones", "Include all sites that bypass the proxy server" and "Include all network paths (UNCs)". Setting them to 1 widens the Local Intranet zone, whose security level is lower than that of the Internet zone, so more content is treated as trusted intranet content.
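Because both the svchost persistence above and the ZoneMap changes are pure registry state, they can be checked offline from a registry export. The following Python script is an added example (not Panda's tooling and not code from the malware): it parses a .reg export, decodes the UTF-16 netsvcs list (the hex value quoted on this page decodes to 6to4, AppMgmt, Au...), and reports the SSHNAS service, its ServiceDll and the three ZoneMap flags. The sample export embedded in it is constructed; that Monder.BL appends SSHNAS to netsvcs, and the REG_SZ form of ServiceDll, are assumptions.

```python
"""Offline triage of the Monder.BL registry indicators listed on this page.

Added example, not Panda's tooling. Reads a registry export (.reg, as written
by `reg export` or regedit) and reports the svchost "netsvcs" group hosting
SSHNAS, a ServiceDll pointing at sshnas21.dll, and the IE ZoneMap flags.
"""
import re
from pathlib import PureWindowsPath

NETSVCS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
ZONEMAP_FLAGS = ("intranetname", "proxybypass", "uncasintranet")

# Constructed sample export (not captured from a real machine). The netsvcs
# bytes are the value quoted on this page with "SSHNAS" appended and the list
# terminated; that the service is appended there is an assumption. ServiceDll
# is written as REG_SZ for brevity; a real export uses hex(2) (REG_EXPAND_SZ),
# which parse_reg_export() also decodes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,\
  6d,00,74,00,00,00,53,00,53,00,48,00,4e,00,41,00,53,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\sshnas21.dll"

[HKEY_USERS\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"=dword:00000001
"ProxyBypass"=dword:00000001
"UNCAsIntranet"=dword:00000001
'''


def decode_utf16_hex(raw_hex: str) -> list:
    """Decode a REG_MULTI_SZ / REG_EXPAND_SZ value given as UTF-16LE hex.

    Accepts the "0x3600..." form used on this page and the comma-separated
    "36,00,..." form of .reg exports; returns the NUL-separated strings with
    the empty list terminator dropped.
    """
    cleaned = re.sub(r"^\s*0x", "", raw_hex, flags=re.IGNORECASE)
    cleaned = re.sub(r"[^0-9a-fA-F]", "", cleaned)
    text = bytes.fromhex(cleaned).decode("utf-16-le", errors="replace")
    return [s for s in text.split("\x00") if s]


def parse_reg_export(text: str) -> dict:
    """Parse the subset of the .reg format needed here into {(key, name): value}.

    Supports REG_SZ ("..."), dword:, hex(2): and hex(7): values, including hex
    values continued over several lines with a trailing backslash.
    """
    values, key = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue
        name, raw = m.group(1), m.group(2)
        while raw.endswith("\\") and i < len(lines):  # continuation lines
            raw = raw[:-1] + lines[i].strip()
            i += 1
        kind = raw.split(":", 1)[0].lower()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif kind == "dword":
            value = int(raw.split(":", 1)[1], 16)
        elif kind == "hex(7)":
            value = decode_utf16_hex(raw.split(":", 1)[1])
        elif kind == "hex(2)":
            value = "".join(decode_utf16_hex(raw.split(":", 1)[1]))
        else:
            value = raw  # REG_BINARY and other types are left undecoded
        values[(key, name)] = value
    return values


def find_indicators(values: dict, service="SSHNAS", dll="sshnas21.dll") -> list:
    """Return human-readable findings for the indicators listed on this page."""
    findings = []
    for (key, name), value in values.items():
        k, n = key.lower(), name.lower()
        if k == NETSVCS_KEY.lower() and n == "netsvcs":
            if any(s.lower() == service.lower() for s in value):
                findings.append(f"svchost netsvcs group hosts {service}: {value}")
        elif n == "servicedll" and k.startswith(SERVICES_PREFIX.lower()):
            svc = key[len(SERVICES_PREFIX):].split("\\")[0]
            if svc.lower() == service.lower() or PureWindowsPath(str(value)).name.lower() == dll:
                findings.append(f"service {svc} runs {value} inside svchost.exe")
        elif n in ZONEMAP_FLAGS and k.endswith("\\internet settings\\zonemap") and value == 1:
            owner = key.split("\\")[1] if k.startswith("hkey_users\\") else "HKCU"
            findings.append(f"IE Local Intranet zone widened for {owner}: {name}=1")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

On a live machine the same data comes from `reg export` of the SvcHost key, the Services\SSHNAS key and the per-SID Internet Settings keys under HKEY_USERS. The ZoneMap check deliberately matches any HKEY_USERS subkey, because the SID on this page belongs to the analysed computer only.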

Means of transmission 

Monder.BL does not spread automatically by its own means; it needs an attacker's intervention in order to reach the affected computer. The means of transmission used include, among others, email messages with attached files, Internet downloads, removable drives such as USB pen drives and CD-ROMs, FTP, IRC channels and peer-to-peer (P2P) file-sharing networks.

Further Details  

Monder.BL is 276,550 bytes in size.