|
|
|  |
|
|
|
|
F-Secure Virus Information Pages: Bacalid.A
|
|
|
| Radar |
 |
|
|
|
Summary
|
| Bacalid.A is a polymorphic virus that infects .EXE and .DLL files. It uses some stealth mechanisms and obfuscation techniques to hide itself, therefore preventing easy detection. See the details section for more information. |
|
|
|
Disinfection
|
Automatic Disinfection
Usually viruses infecting boot and executable files are automatically disinfected by F-Secure Anti-Virus (FSAV). In some cases, when automatic disinfection is not possible due to file corruption or overwriting virus, a user can select disinfection action by him/herself to make FSAV rename or delete an infected file. In some special cases it is recommended to use specific disinfection tools provided by F-Secure. They can be downloaded from our web or ftp sites:
http://www.f-secure.com/download-purchase/tools.shtml
ftp://ftp.f-secure.com/anti-virus/tools/
F-Secure Anti-Virus can be purchased from our webshop or from our authorised distributors. A trial version F-Secure Anti-Virus, limited to 30 days, can be downloaded from our website:
http://www.f-secure.com/download-purchase/
All the latest versions of FSAV can download anti-virus database updates automatically. However, these updates can be also downloaded and installed manually from our web or ftp sites:
http://www.f-secure.com/download-purchase/updates.shtml
Manual Disinfection
It is not recommended to manually disinfect files and boot sectors from viruses as it can cause damage to a system and make it unbootable.
System Restore issue and file viruses
If Windows ME or XP is used, it is recommended to disable System Restore feature of these operating systems to prevent a computer from re-infection by an already removed malware. The fact is that System Restore feature of these operating systems might save an infected file into the special folder and copy it back to a hard drive it every time it's been renamed or deleted by F-Secure Anti-Virus or by a user. Instructions on how to disable System Restore feature are here:
Windows ME:
http://www.europe.f-secure.com/v-descs/sfc_dis.shtml
Windows XP:
http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml
It is recommended to re-enable System Restore after disinfection in order to restore stable system configuration in the future, if any crash or incompatibility issue occurs. |
|
|
|
Detailed Description
|
Bacalid.A is a polymorphic file infector. Upon execution of an infected file it will drop the following DLL component into the temporary folder:
Note - some instances might drop:
It injects the DLL component primarily to EXPLORER.EXE, and also to other running processes.
Bacalid.A queries the Windows ANSI code page identifier for the system. If it is equal to 936 (Simplified Chinese (GB2312); Chinese Simplified (GB2312-80)) it will not continue its malicious routine.
Bacalid.A infinitely loops until it sees an Internet Connection. If no Internet connection is present it will not proceed to its malicious routine.
It checks for the following event to ensure that only one instance of itself is running in memory:
Note - some instances check for:
Bacalid.A infects files with the following extensions:
It searches for all fixed drives starting from Z: to C:
It avoids infecting the following directories:
- C:\Program Files
- C:\Windows
It infects by appending 2 sections at the end of the file.
It also removes the DOS stub (This program cannot be run in DOS mode).
It also adds garbage code to itself to prevent easy detection.
Aside from searching for files, it also waits for the following API calls to trigger its infection:
- CreateFile
- GetFileAttributes
- LoadLibrary
It hooks the following APIs to hide the Dropped DLL component by returning "." instead of its original filename:
- FindFirstFile
- FindNextFile
Note: The code of this malware is very unstable, corrupting some instances of the infected files. |
|
|
|
F-Secure Corporation |
|
|
|
|
|
Last Modified: September 26, 2006
|
|
|
|
|
