Monder.BL is designed to obtain information from the computer and the users. This information is sent to its creator through connections with several websites.
Additionally, it modifies the security settings of Internet Explorer, affecting the protection level applied while users browse the Internet.
One of the means of infection is social networks, such as Facebook, and instant messaging programs. In both cases the malware is disguised as a link to watch a video.
In the case of Facebook, when a user gets infected, a link to a website that appears to be a video is published on their wall and on their friends' walls:
If users follow the link, a video player is displayed showing a message that requires users to download a newer Flash Player version:
If users decide to download this new version, a window like the following will be displayed, from which the new version can be downloaded:
When the OK button is clicked, a message is displayed informing users that the update can be downloaded:
The file name, flash_player.exe, appears to be the legitimate one. However, the website it is downloaded from is not the official one.
If users save this file on their computer, it will have the following icon, imitating the original one:
When this file is run, the computer will be affected by Monder.BL.
Monder.BL creates the following files in the Documents and Settings directory of the user that has logged in:
Additionally, it creates these other files in the folder Local Settings\Temp of the Documents and Settings directory of the user that has logged in:
- FZJ.EXE. This file creates a DLL called SSHNAS21.DLL in the Windows system directory, which registers itself as an autorun service.
Monder.BL creates the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
netsvcs = 0x360074006f00340000004100700070004d0067006d007400000041007500
ServiceDll = %sysdir%\sshnas21.dll
where %sysdir% is the Windows system directory.
By creating these entries and several command lines, it registers itself as an autorun service and is run whenever Windows is started.
On the other hand, Monder.BL modifies the following entries from the Windows Registry, in order to change the configuration of the security in Internet Explorer:
- HKEY_USERS\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName = 1
- HKEY_USERS\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass = 1
- HKEY_USERS\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet = 1
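As a defender's triage aid (an added example, not part of the original description), the following Python decodes the netsvcs REG_MULTI_SZ value from an exported .reg fragment, reports group members that are absent from a clean baseline together with their ServiceDll, and flags the three ZoneMap values listed above. The .reg export, the "Sshnas" service name, the SID placeholder and the baseline group are constructed for the example.

```python
import re

# Constructed .reg export (not from the write-up): the netsvcs hex prefix quoted in
# the description, extended with a hypothetical "Sshnas" member, plus the ZoneMap
# values the description says are set to 1 (the SID is a placeholder).
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,6d,00,\
  74,00,00,00,53,00,73,00,68,00,6e,00,61,00,73,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sshnas\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\sshnas21.dll"
[HKEY_USERS\S-1-5-21-PLACEHOLDER-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet"=dword:00000001
"ProxyBypass"=dword:00000001
"IntranetName"=dword:00000001
"""
SVCHOST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
BASELINE_NETSVCS = {"6to4", "AppMgmt"}  # constructed: netsvcs group of a clean reference host
ZONEMAP_FLAGS = ("UNCAsIntranet", "ProxyBypass", "IntranetName")

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}}; joins backslash-newline hex continuations."""
    keys, current = {}, None
    for line in re.sub(r",\\\r?\n\s*", ",", text).splitlines():
        if line.startswith("["):
            current = line.strip("[]")
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys

def decode_multi_sz(hex7):
    """hex(7) is REG_MULTI_SZ: UTF-16LE strings separated by NUL, double NUL at the end."""
    raw = bytes(int(b, 16) for b in hex7.split(":", 1)[1].split(",") if b)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def triage(reg_text, baseline=BASELINE_NETSVCS):
    """Flag netsvcs members missing from the baseline (with their ServiceDll) and ZoneMap
    values that make IE treat UNC, unqualified and proxy-bypassed hosts as intranet."""
    keys, findings = parse_reg(reg_text), []
    for svc in decode_multi_sz(keys.get(SVCHOST, {}).get("netsvcs", "hex(7):")):
        if svc not in baseline:
            params = keys.get(rf"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{svc}\Parameters", {})
            dll = params.get("ServiceDll", "?").strip('"').replace("\\\\", "\\")
            findings.append(f"netsvcs: unexpected member {svc} -> {dll}")
    for path, values in keys.items():
        if path.endswith(r"\Internet Settings\ZoneMap"):
            findings += [f"ZoneMap: {n}=1 under {path}" for n in ZONEMAP_FLAGS
                         if values.get(n) == "dword:00000001"]
    return findings
```

Running `triage(REG_EXPORT)` on the constructed export returns one finding for the Sshnas member and three for the ZoneMap values; on a real host, export the two hives with reg.exe and feed the file contents in.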
Means of transmission
Monder.BL does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, email messages with attached files, Internet downloads, removable drives like pen drives and CD-ROMs, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
Monder.BL is 276,550 bytes in size.