For about a week, McAfee Avert Labs has been receiving, from various sources, samples of a new polymorphic parasitic file infector that targets EXE and DLL files. The newcomer has stealth capabilities and attempts to download variants of the PWS-Lineage trojan from compromised websites.

The virus does not execute its payload when the system's current ANSI code page identifier is 936 (ANSI/OEM - Simplified Chinese - PRC, Singapore). A locale check of this kind is a common way for an author to spare machines in their own region, so this malware probably comes from Southern or Southeastern Asia.

This virus is named W32/Bacalid. Infected files grow by roughly 35 KB. When a sample is run, it looks for a named event called WINXPGOD, which serves as its "already active" marker. If the event is not found on the system, the sample drops a DLL file named "VCab.dll" into a temp folder, executes it, and injects it into a randomly chosen running process so that the virus stays resident.
During my investigations, I noted four different VCAB.DLL files with four different sizes:

  • 32,256 bytes and 32,792 bytes when packed
  • 44,032 bytes and 44,544 bytes when not packed

These files are detected as W32/Bacalib!vcab.

The downloaded files carry a .wos extension; they are stored encrypted, and the virus decrypts them before use.

This threat is interesting because, at a time when most of what we encounter is non-self-replicating, the appearance of a new complex virus causes a stir. Because it is an appender and erases the DOS stub of every infected host file, detection is not a real problem. Cleaning is harder: the virus body must be decrypted before the host can be restored.
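The two artifacts described above (the VCab.dll dropper sizes and the erased DOS stub of infected hosts) are easy to check for on a suspect machine. The script below is an added example written for this post, not Avert Labs code: it classifies the DOS stub of a PE image, maps VCab.dll candidates in temp folders against the four known sizes, and, on Windows, probes for the WINXPGOD named event. The minimal PE images it builds are constructed test data, and the assumption that "erased" means the stub region is overwritten with zeros is mine; a stub that is merely non-standard is reported separately so it is not mistaken for this virus.

```python
import ctypes
import os
import struct
import sys
from typing import Optional

# Sizes (bytes) of the four VCab.dll droppers noted in the post.
VCAB_SIZES = {
    32256: "packed", 32792: "packed",
    44032: "unpacked", 44544: "unpacked",
}

# Message string the Microsoft linker places in a standard DOS stub.
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"

# Constructed 64-byte stub in the usual layout (code + message); not taken from any real file.
CLEAN_STUB = (
    b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    + DOS_STUB_TEXT + b".\r\r\n$"
).ljust(64, b"\x00")


def build_minimal_pe(stub: bytes) -> bytes:
    """Build a tiny MZ/PE image around `stub` (constructed test data, not a runnable binary)."""
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40 + len(stub))  # e_lfanew points at the PE signature
    return bytes(mz) + stub + b"PE\0\0" + bytes(20)      # signature + empty COFF header


def dos_stub_status(data: bytes) -> str:
    """Classify the DOS stub region between the MZ header and the PE signature.

    'not-pe' : no MZ header, or e_lfanew does not point at 'PE\\0\\0'
    'intact' : standard linker stub text is present
    'erased' : stub region exists but is entirely zero (assumed Bacalid symptom)
    'absent' : e_lfanew == 0x40, so there is no stub at all
    'other'  : some other non-standard stub (custom linker stub, another infector, ...)
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    stub = data[0x40:e_lfanew]
    if not stub:
        return "absent"
    if DOS_STUB_TEXT in stub:
        return "intact"
    if not any(stub):          # every byte is zero
        return "erased"
    return "other"


def vcab_size_class(size: int) -> Optional[str]:
    """Return 'packed'/'unpacked' if `size` matches a known VCab.dll size, else None."""
    return VCAB_SIZES.get(size)


def scan_for_vcab(directories):
    """Walk `directories` for files named VCab.dll and report which known size, if any, each matches."""
    hits = []
    for top in directories:
        for root, _dirs, files in os.walk(top):
            for name in files:
                if name.lower() == "vcab.dll":
                    path = os.path.join(root, name)
                    hits.append((path, vcab_size_class(os.path.getsize(path))))
    return hits


def winxpgod_event_present() -> Optional[bool]:
    """True if a named event 'WINXPGOD' exists on this machine (Windows only; None elsewhere)."""
    if sys.platform != "win32":
        return None
    SYNCHRONIZE = 0x00100000
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenEventW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    kernel32.OpenEventW.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = kernel32.OpenEventW(SYNCHRONIZE, 0, "WINXPGOD")
    if handle:
        kernel32.CloseHandle(handle)
        return True
    return False


if __name__ == "__main__":
    print("clean stub  :", dos_stub_status(build_minimal_pe(CLEAN_STUB)))
    print("erased stub :", dos_stub_status(build_minimal_pe(bytes(64))))
    print("WINXPGOD event present:", winxpgod_event_present())
    temp_dirs = [d for d in (os.environ.get("TEMP"), os.environ.get("TMP")) if d]
    for path, cls in scan_for_vcab(temp_dirs):
        print(path, "->", cls or "size not in the known list")
```

Run it on a suspect Windows machine to get a quick triage verdict; pass real EXE/DLL contents to `dos_stub_status` to find hosts whose stub has been zeroed. An "other" result is only a lead, since legitimate binaries with custom stubs exist, and a size that is not in the list does not clear a VCab.dll candidate, because the post only reports the four sizes seen so far.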

Three decryption layers must be worked through, and anti-emulation code is inserted to hinder recovery of the original virus body. The polymorphic engine is particularly sophisticated: the generated instruction sequences use variable constants and randomly chosen assembler instructions. So far we detect two variants; they are very similar and differ only in the encryption of the first layer.

Computer users must remain vigilant. One link hosting the PWS-Lineage trojan is still alive, and we continue to receive samples from the wild. Avert Labs has had its teams working at full speed to create a specific removal tool for this threat (the Stinger utility). For updated removal instructions, a copy of this tool and further information on this threat, please go to W32/Bacalid.