Select local site

| Japanese | Simplified Chinese | Traditional Chinese (Hong Kong) | Traditional Chinese (Taiwan)

F-Secure Virus Information Pages: Bacalid.A

[Summary] | [Disinfection] | [Detailed Description]

Name : Bacalid.A
Alias:Virus.Win32.Bacalid.a, W32/Bacalid, PE_VBAC.A, W32/Bacalid-A, W32/Bacalid.A
Type:Virus
Category:Virus
Platform:Win32
Date of Discovery:September 22, 2006
Radar

Summary
Bacalid.A is a polymorphic virus that infects .EXE and .DLL files. It uses some stealth mechanisms and obfuscation techniques to hide itself, therefore preventing easy detection. See the details section for more information.
Back to the Top

Disinfection

Automatic Disinfection

Usually viruses infecting boot and executable files are automatically disinfected by F-Secure Anti-Virus (FSAV). In some cases, when automatic disinfection is not possible due to file corruption or overwriting virus, a user can select disinfection action by him/herself to make FSAV rename or delete an infected file. In some special cases it is recommended to use specific disinfection tools provided by F-Secure. They can be downloaded from our web or ftp sites:

http://www.f-secure.com/download-purchase/tools.shtml

ftp://ftp.f-secure.com/anti-virus/tools/

F-Secure Anti-Virus can be purchased from our webshop or from our authorised distributors. A trial version F-Secure Anti-Virus, limited to 30 days, can be downloaded from our website:

http://www.f-secure.com/download-purchase/

All the latest versions of FSAV can download anti-virus database updates automatically. However, these updates can be also downloaded and installed manually from our web or ftp sites:

http://www.f-secure.com/download-purchase/updates.shtml

Manual Disinfection

It is not recommended to manually disinfect files and boot sectors from viruses as it can cause damage to a system and make it unbootable.

System Restore issue and file viruses

If Windows ME or XP is used, it is recommended to disable System Restore feature of these operating systems to prevent a computer from re-infection by an already removed malware. The fact is that System Restore feature of these operating systems might save an infected file into the special folder and copy it back to a hard drive it every time it's been renamed or deleted by F-Secure Anti-Virus or by a user. Instructions on how to disable System Restore feature are here:

Windows ME:

http://www.europe.f-secure.com/v-descs/sfc_dis.shtml

Windows XP:

http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

It is recommended to re-enable System Restore after disinfection in order to restore stable system configuration in the future, if any crash or incompatibility issue occurs.
Back to the Top

Detailed Description
Bacalid.A is a polymorphic file infector. Upon execution of an infected file it will drop the following DLL component into the temporary folder:

  • VCab.DLL

Note - some instances might drop:

  • VGod.DLL

It injects the DLL component primarily to EXPLORER.EXE, and also to other running processes.


Bacalid.A queries the Windows ANSI code page identifier for the system. If it is equal to 936 (Simplified Chinese (GB2312); Chinese Simplified (GB2312-80)) it will not continue its malicious routine.


Bacalid.A infinitely loops until it sees an Internet Connection. If no Internet connection is present it will not proceed to its malicious routine.


It checks for the following event to ensure that only one instance of itself is running in memory:

  • WINXPGOD

Note - some instances check for:

  • WINXPGOOD


Bacalid.A infects files with the following extensions:

  • .DLL
  • .EXE


It searches for all fixed drives starting from Z: to C:


It avoids infecting the following directories:

  • C:\Program Files
  • C:\Windows


It infects by appending 2 sections at the end of the file.


It also removes the DOS stub (This program cannot be run in DOS mode).


It also adds garbage code to itself to prevent easy detection.


Aside from searching for files, it also waits for the following API calls to trigger its infection:

  • CreateFile
  • GetFileAttributes
  • LoadLibrary


It hooks the following APIs to hide the Dropped DLL component by returning "." instead of its original filename:

  • FindFirstFile
  • FindNextFile


Note: The code of this malware is very unstable, corrupting some instances of the infected files.
Back to the Top



F-Secure Corporation

Last Modified: September 26, 2006