F-Secure
Tools
Bacalid.A
Summary
Bacalid.A is a polymorphic virus that infects .EXE and .DLL files. It uses some stealth mechanisms and obfuscation techniques to hide itself, therefore preventing easy detection. See the details section for more information.Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Additional Details
Bacalid.A is a polymorphic file infector. Upon execution of an infected file it will drop the following DLL component into the temporary folder:
Note - some instances might drop:
It injects the DLL component primarily to EXPLORER.EXE, and also to other running processes.
Bacalid.A queries the Windows ANSI code page identifier for the system. If it is equal to 936 (Simplified Chinese (GB2312); Chinese Simplified (GB2312-80)) it will not continue its malicious routine.
Bacalid.A infinitely loops until it sees an Internet Connection. If no Internet connection is present it will not proceed to its malicious routine.
It checks for the following event to ensure that only one instance of itself is running in memory:
Note - some instances check for:
Bacalid.A infects files with the following extensions:
It searches for all fixed drives starting from Z: to C:
It avoids infecting the following directories:
It infects by appending 2 sections at the end of the file.
It also removes the DOS stub (This program cannot be run in DOS mode).
It also adds garbage code to itself to prevent easy detection.
Aside from searching for files, it also waits for the following API calls to trigger its infection:
It hooks the following APIs to hide the Dropped DLL component by returning "." instead of its original filename:
Note: The code of this malware is very unstable, corrupting some instances of the infected files.
- VCab.DLL
Note - some instances might drop:
- VGod.DLL
It injects the DLL component primarily to EXPLORER.EXE, and also to other running processes.
Bacalid.A queries the Windows ANSI code page identifier for the system. If it is equal to 936 (Simplified Chinese (GB2312); Chinese Simplified (GB2312-80)) it will not continue its malicious routine.
Bacalid.A infinitely loops until it sees an Internet Connection. If no Internet connection is present it will not proceed to its malicious routine.
It checks for the following event to ensure that only one instance of itself is running in memory:
- WINXPGOD
Note - some instances check for:
- WINXPGOOD
Bacalid.A infects files with the following extensions:
- .DLL
- .EXE
It searches for all fixed drives starting from Z: to C:
It avoids infecting the following directories:
- C:\Program Files
- C:\Windows
It infects by appending 2 sections at the end of the file.
It also removes the DOS stub (This program cannot be run in DOS mode).
It also adds garbage code to itself to prevent easy detection.
Aside from searching for files, it also waits for the following API calls to trigger its infection:
- CreateFile
- GetFileAttributes
- LoadLibrary
It hooks the following APIs to hide the Dropped DLL component by returning "." instead of its original filename:
- FindFirstFile
- FindNextFile
Note: The code of this malware is very unstable, corrupting some instances of the infected files.