Trojan:Win32/Balisdat.gen!F


First posted on 13 November 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Balisdat.gen!F is also known as TR/Balisdat.F.1 (Avira), Trojan.Win32.Balisdat (Ikarus).

Explanation:

Trojan:Win32/Balisdat.gen!F is a trojan that installs other malware, including Win32/Bancos (a trojan that steals online banking details) and Trojan:Win32/Lerkoods.A (a component of the Win32/Bancos trojan). It uses social engineering tactics, in the form of enticing file names, to encourage you to open or run the trojan.



Installation

In the wild, we have observed Trojan:Win32/Balisdat.gen!F distributed with a large number of file names, such as the following:

  • album.jpg.exe
  • candidato_comedia.avi.exe
  • fotos.jpg.exe
  • Kama-Sutra-18Anos-BLK.exe
  • KamaSutra18AnosBlock.exe


Based on these sample file names, the trojan may be distributed via social engineering.

The enticing file names may encourage you to open or run the file which, when run, drops a copy of itself as "%windir%\Media\gchormeupdate.exe".

Note: %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; and for XP, Vista, 7, and 8 it is "C:\Windows".

Trojan:Win32/Balisdat.gen!F modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "taskhost"
With data: "%windir%\media\gchormeupdate.exe"
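The two installation artifacts above (decoy double-extension file names and the "taskhost" Run value pointing at the dropped copy) are the host-side indicators a responder would check for. The following is an added example, not code from the Microsoft write-up, that runs that check over constructed sample data: a list of file names and a list of Run-key entries in the (subkey, value name, data) form an exported registry key would give. The indicator values come from the page; the sample entries, the decoy-extension list and the function names are assumptions of this example.

```python
import re

# Constructed sample file names: the first four are from the page, the rest are
# benign names added here so the check has something to leave alone.
SAMPLE_FILE_NAMES = [
    "album.jpg.exe",
    "candidato_comedia.avi.exe",
    "fotos.jpg.exe",
    "Kama-Sutra-18Anos-BLK.exe",
    "report.pdf",
    "setup.exe",
]

# Constructed Run-key entries: (hive\subkey, value name, data). The first one is
# the persistence entry described on the page; the others are invented here.
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "taskhost",
     r"%windir%\media\gchormeupdate.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "updater",
     r"C:\Windows\Media\gchormeupdate.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

# Media/document extensions that an .exe may hide behind (assumed list).
DECOY_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "avi", "mp4", "pdf", "doc", "docx"}

# Dropped copy named on the page; compared case-insensitively.
DROPPED_COPY = r"%windir%\media\gchormeupdate.exe"


def has_decoy_double_extension(name: str) -> bool:
    """True for names such as album.jpg.exe, where a media or document
    extension sits directly before a final .exe."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, decoy, final = parts
    return final == "exe" and decoy in DECOY_EXTENSIONS


def suspicious_run_entries(entries):
    """Return (value_name, data, reason) for Run-key entries that match the
    persistence described for this trojan."""
    findings = []
    for subkey, value_name, data in entries:
        if not subkey.lower().endswith("\\currentversion\\run"):
            continue
        d = data.lower()
        if d == DROPPED_COPY.lower() or d.endswith("\\gchormeupdate.exe"):
            # Matches the dropped copy whether %windir% is still unexpanded
            # or has been resolved to the real Windows folder.
            findings.append((value_name, data, "data matches Balisdat dropped copy"))
        elif value_name.lower() == "taskhost" and "\\system32\\" not in d:
            # The genuine taskhost.exe lives in %windir%\System32; a Run value
            # named "taskhost" that launches something elsewhere is suspect.
            findings.append((value_name, data, "taskhost Run value outside System32"))
    return findings


def scan(file_names=SAMPLE_FILE_NAMES, run_entries=SAMPLE_RUN_ENTRIES):
    """Run both checks and return the combined findings."""
    return {
        "decoy_names": [n for n in file_names if has_decoy_double_extension(n)],
        "run_entries": suspicious_run_entries(run_entries),
    }


if __name__ == "__main__":
    for kind, hits in scan().items():
        for hit in hits:
            print(kind, hit)
```

On a live host the Run-key entries would come from `reg export` or an autoruns listing rather than the constructed list; the matching logic is the same.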

In order to hide its installation, Trojan:Win32/Balisdat.gen!F may display a window with the message "Versão incompatível. O Programa será fechado!" (Portuguese for "Incompatible version. The program will exit!").



Payload

Downloads arbitrary files

Trojan:Win32/Balisdat.gen!F may download components of Win32/Bancos and Trojan:Win32/Lerkoods.A from certain servers, such as the following:

  • hxxp://www.002.tudoporouro.com/bts
  • hxxp://www.002.tudoporouro.com/k32


Contacts remote host

In the wild, we have observed Trojan:Win32/Balisdat.gen!F contacting the following remote host to download configuration files that contain additional download links:

  • hxxp://www.garimpeiro2012.com/BoxFile.bcc
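The download and configuration URLs in the two lists above are published in defanged form (hxxp) so they cannot be clicked by accident; to search a proxy log for them they first have to be restored to parseable URLs. The following is an added example, not code from the Microsoft write-up, that refangs the page's indicators, extracts their hosts and paths, and matches them against a constructed proxy log. The log format (timestamp, client, method, URL, status) and the log lines themselves are assumptions of this example; the indicator URLs are the ones on the page.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the page, in their defanged form.
DEFANGED_INDICATORS = [
    "hxxp://www.002.tudoporouro.com/bts",
    "hxxp://www.002.tudoporouro.com/k32",
    "hxxp://www.garimpeiro2012.com/BoxFile.bcc",
]

# Constructed proxy log: one request per line, space-separated
# (timestamp client method url status). Only the hosts from the page are real.
SAMPLE_PROXY_LOG = """\
2012-11-13T10:02:11Z 10.0.0.21 GET http://www.microsoft.com/en-us/ 200
2012-11-13T10:03:40Z 10.0.0.21 GET http://www.garimpeiro2012.com/BoxFile.bcc 200
2012-11-13T10:03:42Z 10.0.0.21 GET http://www.002.tudoporouro.com/k32 200
2012-11-13T10:05:00Z 10.0.0.33 GET http://example.org/index.html 404
"""


def refang(url: str) -> str:
    """Turn the hxxp:// or hxxps:// prefix used in write-ups back into http(s)://."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def indicator_table(indicators):
    """Return the set of indicator hosts and the set of (host, path) pairs."""
    hosts, paths = set(), set()
    for u in indicators:
        parts = urlsplit(refang(u))
        host = (parts.hostname or "").lower()
        hosts.add(host)
        paths.add((host, parts.path))
    return hosts, paths


def match_proxy_log(log_text, indicators=DEFANGED_INDICATORS):
    """Return one record per log line whose host is an indicator host.
    exact_path is True when the full (host, path) was also listed on the page,
    which distinguishes a known download URL from other traffic to that host."""
    hosts, paths = indicator_table(indicators)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line; skip rather than guess
        ts, client, method, url, status = fields[:5]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in hosts:
            hits.append({
                "time": ts,
                "client": client,
                "url": url,
                "status": status,
                "exact_path": (host, parts.path) in paths,
            })
    return hits


if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Matching on the host rather than only the full URL is deliberate: the page says the configuration file at garimpeiro2012.com carries additional download links, so any request to these hosts is worth reviewing even when the path differs from the two listed.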

Related encyclopedia entries

Win32/Bancos

Win32/Lerkoods.A



Analysis by Daniel Radu

Last update 13 November 2012
