Bacalid.A

Classification

Malware

Virus

W32

Bacalid.A, Bacalid.A

Summary

Bacalid.A is a polymorphic virus that infects .EXE and .DLL files. It uses some stealth mechanisms and obfuscation techniques to hide itself, therefore preventing easy detection. See the details section for more information.

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

For more Support

Community

Find the latest advice in our Community.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Bacalid.A is a polymorphic file infector. Upon execution of an infected file it will drop the following DLL component into the temporary folder:

  • VCab.DLL

Note - some instances might drop:

  • VGod.DLL

It injects the DLL component primarily to EXPLORER.EXE, and also to other running processes. Bacalid.A queries the Windows ANSI code page identifier for the system. If it is equal to 936 (Simplified Chinese (GB2312); Chinese Simplified (GB2312-80)) it will not continue its malicious routine. Bacalid.A infinitely loops until it sees an Internet Connection. If no Internet connection is present it will not proceed to its malicious routine. It checks for the following event to ensure that only one instance of itself is running in memory:

  • WINXPGOD

Note - some instances check for:

  • WINXPGOOD

Bacalid.A infects files with the following extensions:

  • .DLL
  • .EXE

It searches for all fixed drives starting from Z: to C: It avoids infecting the following directories:

  • C:\Program Files
  • C:\Windows

It infects by appending 2 sections at the end of the file. It also removes the DOS stub (This program cannot be run in DOS mode). It also adds garbage code to itself to prevent easy detection. Aside from searching for files, it also waits for the following API calls to trigger its infection:

  • CreateFile
  • GetFileAttributes
  • LoadLibrary

It hooks the following APIs to hide the Dropped DLL component by returning "." instead of its original filename:

  • FindFirstFile
  • FindNextFile

Note: The code of this malware is very unstable, corrupting some instances of the infected files.