Trojan:Win32/Balisdat.gen!D
First posted on 10 January 2012.
Source: Microsoft
Aliases:
Trojan:Win32/Balisdat.gen!D is also known as TROJ_SPNR.07L111 (Trend Micro).
Explanation:
Trojan:Win32/Balisdat.gen!D is a trojan that usually arrives as an attachment to spammed email messages. It downloads other files to the affected computer.
In the wild, this trojan may download components for Win32/Bancos variants.
Installation
Trojan:Win32/Balisdat.gen!D may arrive contained within a self-extracting ZIP archive attached to spammed email messages. For example, the archive "Kama-sutra-comedia.zip" contains the file "Kama-sutra-comedia.exe", which is detected as Trojan:Win32/Balisdat.gen!D.
When run, Trojan:Win32/Balisdat.gen!D drops a copy of itself as "%windir%\Media\csrss.exe". Note that a legitimate file also named "csrss.exe" exists by default in the Windows System folder; the dropped copy is distinguished by its location under "%windir%\Media".
The malware modifies the following registry entry to ensure it executes at each Windows start:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "bootstat"
With data: "%windir%\media\csrss.exe"
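The following PowerShell triage script is an added example (not part of the original write-up) that checks a Windows host for the two persistence indicators described above: the "bootstat" value in the HKCU Run key, or any Run entry launching a csrss.exe from outside System32, and the dropped copy at "%windir%\Media\csrss.exe". It assumes PowerShell 5 or later and that the current user's hive is the one to inspect.

```powershell
# Added example: look for the Balisdat persistence indicators listed above.
# Assumes PowerShell 5+; run in the context of the user whose HKCU hive is of interest.
$runKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$dropPath = Join-Path $env:windir 'Media\csrss.exe'
$findings = @()

# 1. Run key: the value name "bootstat", or any entry that launches csrss.exe
#    from somewhere other than the Windows System folder.
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $data = [Environment]::ExpandEnvironmentVariables([string]$p.Value).Trim('"')
        $badName = ($p.Name -eq 'bootstat')
        $badPath = ($data -match 'csrss\.exe' -and $data -notlike "$env:windir\System32\*")
        if ($badName -or $badPath) {
            $findings += "Suspicious Run value '$($p.Name)' -> $data"
        }
    }
}

# 2. The dropped copy itself. The legitimate csrss.exe lives in System32,
#    so a file with that name under %windir%\Media is not expected.
if (Test-Path $dropPath) {
    $hash = (Get-FileHash -Path $dropPath -Algorithm SHA256).Hash
    $findings += "Unexpected file present: $dropPath (SHA256 $hash)"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No Balisdat persistence indicators found.'
}
```

A hit on either check warrants submitting the file to your AV vendor and reviewing "%windir%\Media" for the additional components the trojan downloads there.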
Trojan:Win32/Balisdat.gen!D may display a window with the following message:
Payload
Downloads arbitrary files
Trojan:Win32/Balisdat.gen!D may download other possibly malicious components of Win32/Bancos variants from certain servers.
In the wild, it has been known to connect to the following server to download files:
001.al<removed>acentaurib.com
The trojan attempts to download the files to the "%windir%\media" folder. At the time of this writing, the server is unavailable.
Analysis by Wei Li
Last update 10 January 2012