
Trojan:Win32/Balisdat.gen!C


First posted on 29 November 2011.
Source: SecurityHome

Aliases:

There are no other names known for Trojan:Win32/Balisdat.gen!C.

Explanation:

Trojan:Win32/Balisdat.gen!C is a trojan that acts as a malicious component for Win32/Banker and Win32/Bancos variants. It can download other files or delete security-related files on the affected computer.





Installation

When executed, Trojan:Win32/Balisdat.gen!C may drop any of the following files:

  • BoxFile.bcc
  • DolbyAudio.exe
  • DolbyAudio3D.exe
  • DolbyAudioHD.exe
  • Kernel32bits.dll
  • bootstat.exe
  • csrss.exe


Note that a legitimate file also named "csrss.exe" exists by default in the Windows system folder.

These files may be dropped in any of the following folders:

  • %Public%\Favorites\
  • %windir%\Media\
  • D:\WINDOWS\Media\
  • <system folder>


The exception is "csrss.exe", which is only dropped in %windir%\Media\ or D:\WINDOWS\Media\.

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default Windows system folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista, and 7.

Other samples of this malware are dropped in the root folder with a random file name. In the wild, some of these observed file names have been the following:

  • C:\gb_cnetproc.exe
  • C:\gbnb_zxcv.exe
  • C:\gbnb_zzcb.exe
  • C:\gbtr_sentra.exe
  • C:\gbtr_siltry.exe
  • C:\gbty_salty.exe
  • C:\gbutr_sec.exe
  • C:\powerpointview.exe
  • C:\proctraw.exe
  • C:\ramynysys.exe
  • C:\rawfriksys.exe
  • C:\rengasys.exe
  • C:\sysnetview32.exe
  • C:\syssayoview32.exe
  • C:\win_bulkatro.exe
  • C:\win_gbterzcuzi.exe
  • C:\win_gtermu.exe
  • C:\win_nulqaxro.exe
  • C:\win_nyltibits.exe
  • C:\winsizenet32.exe
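
The drop locations above are templates (%Public%, %windir%, <system folder>) rather than literal paths, and the advisory's own caveat is that a genuine csrss.exe always exists in the system folder, so a naive search for that name would produce a false positive on every host. The following script is an added example, not code from the advisory or from Microsoft: it expands the templates into concrete paths, restricts csrss.exe to the two Media folders the advisory names, and checks each candidate with a caller-supplied `exists` callable (os.path.exists on a live host, or a lookup into a collected file inventory). The env dictionary keys (`Public`, `windir`, `SystemFolder`) and the function names are this example's own.

```python
import ntpath

# File names the advisory lists as dropped by the trojan.
DROPPED_NAMES = ["BoxFile.bcc", "DolbyAudio.exe", "DolbyAudio3D.exe", "DolbyAudioHD.exe",
                 "Kernel32bits.dll", "bootstat.exe", "csrss.exe"]

# Root-folder file names observed in the wild (copied from the advisory).
ROOT_NAMES = [
    r"C:\gb_cnetproc.exe", r"C:\gbnb_zxcv.exe", r"C:\gbnb_zzcb.exe", r"C:\gbtr_sentra.exe",
    r"C:\gbtr_siltry.exe", r"C:\gbty_salty.exe", r"C:\gbutr_sec.exe", r"C:\powerpointview.exe",
    r"C:\proctraw.exe", r"C:\ramynysys.exe", r"C:\rawfriksys.exe", r"C:\rengasys.exe",
    r"C:\sysnetview32.exe", r"C:\syssayoview32.exe", r"C:\win_bulkatro.exe",
    r"C:\win_gbterzcuzi.exe", r"C:\win_gtermu.exe", r"C:\win_nulqaxro.exe",
    r"C:\win_nyltibits.exe", r"C:\winsizenet32.exe",
]


def drop_locations(env):
    """Expand the advisory's drop folders into concrete full paths.

    env holds the expanded values of %Public%, %windir% and the system folder under
    the keys 'Public', 'windir' and 'SystemFolder' (key names are this example's own).
    """
    media = [ntpath.join(env["windir"], "Media"), r"D:\WINDOWS\Media"]
    general = [ntpath.join(env["Public"], "Favorites"), env["SystemFolder"]] + media
    paths = []
    for name in DROPPED_NAMES:
        # A legitimate csrss.exe lives in the system folder; the advisory says the
        # malicious copy is only dropped in the Media folders, so look only there.
        for folder in (media if name.lower() == "csrss.exe" else general):
            paths.append(ntpath.join(folder, name))
    return paths + ROOT_NAMES


def find_dropped(env, exists):
    """Return every candidate path for which exists(path) is true.

    Pass os.path.exists on a live Windows host, or a membership test against a
    file listing when working from an inventory or a mounted image.
    """
    return [p for p in drop_locations(env) if exists(p)]


if __name__ == "__main__":
    import os
    windir = os.environ.get("WINDIR", r"C:\Windows")
    live = {"Public": os.environ.get("PUBLIC", r"C:\Users\Public"),
            "windir": windir,
            "SystemFolder": ntpath.join(windir, "System32")}
    for hit in find_dropped(live, os.path.exists):
        print("possible Balisdat drop:", hit)
```

Because the paths are built with ntpath rather than os.path, the candidate list is identical on Linux, so the same module can be run against an exported file listing from a Windows host without changes.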


Some variants of Trojan:Win32/Balisdat.gen!C are also bundled within a self-extracting ZIP or RAR archive containing a PowerPoint Show (.pps) file with the name "vazb0620px.pps" or "PowerPointViewer.pps".

Trojan:Win32/Balisdat.gen!C variants may display any of the following message boxes upon execution (the message box images are not reproduced in this copy):

The trojan may then create one of the following registry entries so that it runs every time Windows starts:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
With data: "<malware path and file name>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
With data: "<malware path and file name>"

where <value> is any of the following:

  • Dolby® Audio Digital
  • GBNB_ZXCV
  • GBNB_ZZCB
  • GBTR_SENTRA
  • GBTR_SILTRY
  • GBTY_SALTY
  • GBUTR_SEC
  • GB_CNETPROC
  • PowerPointView
  • ProctRaw
  • RamynySyS
  • RawFrikSys
  • RengaSyS
  • SysNetView32
  • SysSayoView32
  • WIN_BULKATRO
  • WIN_GTERMU
  • WIN_NULQAXRO
  • WIN_NYLTIBITS
  • WinSizeNet32
  • Win_GbterZcuzi
  • bootstat


In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
Sets value: "BootExecute"
With data: "autocheck autochk *<malware file name>"



Payload

Deletes or moves security-related folders

Trojan:Win32/Balisdat.gen!C attempts to delete or move any of the following subfolders into a different location. As a result, security-related applications may stop working.

  • AntiVir PersonalEdition Classic\
  • AntiVir\
  • Arquivos comuns\Panda Security\
  • Arquivos comuns\Symantec Shared\
  • Avira\
  • COMODO\
  • ClamWin\
  • Grisoft\
  • Kaspersky Lab\
  • McAfee\
  • Microsoft Security Essentials\
  • Norton AntiVirus\
  • NortonInstaller\
  • Panda Security\
  • Panda Software\
  • Rising\
  • Scpad\


It searches for these subfolders in any of the following folders:

  • C:\Arquivos de Programas (x86)\
  • C:\Arquivos de programas
  • C:\Program Files (x86)\
  • C:\Program Files\
  • D:\Arquivos de Programas (x86)\
  • D:\Arquivos de programas\
  • D:\Program Files (x86)\
  • D:\Program Files\


Disables Task Manager

Some variants of Trojan:Win32/Balisdat.gen!C may disable the Windows Task Manager by modifying the following registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "dword:00000001"

Modifies system security settings

Some variants of Trojan:Win32/Balisdat.gen!C disable the Least Privileged User Account (LUA) setting, also known as the "administrator in Admin Approval Mode" user type, by making the following registry modification:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "dword:00000000"

Lowers security settings

Trojan:Win32/Balisdat.gen!C may create and execute a .REG file named "RUaC.reg" containing the following:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000001
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000000
"EnableSecureUIAPaths"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"FilterAdministratorToken"=dword:00000000
"EnableUIADesktopToggle"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=dword:00000001
"CF_BITMAP"=dword:00000002
"CF_OEMTEXT"=dword:00000007
"CF_DIB"=dword:00000008
"CF_PALETTE"=dword:00000009
"CF_UNICODETEXT"=dword:0000000d
"CF_DIBV5"=dword:00000011
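
The registry indicators in this entry (the Run-key value names, the BootExecute modification, DisableTaskMgr, EnableLUA, and the contents of RUaC.reg) are all expressible in the same REGEDIT5 text format that `reg export` produces, so a single offline triage script can cover them. The script below is an added example, not code from the advisory or from Microsoft: it parses a .reg export, decodes dword, string and hex(7) multi-string data, and reports Run values whose names appear in the advisory's list, any BootExecute entry other than the stock "autocheck autochk *", DisableTaskMgr set to 1, and EnableLUA set to 0. The sample export, the function names, and the finding tuple layout are this example's own; the sample's benign "VendorUpdater" entry is constructed to show that unlisted Run values are left alone.

```python
import re

# Run-key value names from the advisory (compared case-insensitively).
BALISDAT_RUN_NAMES = {n.lower() for n in [
    "Dolby® Audio Digital", "GBNB_ZXCV", "GBNB_ZZCB", "GBTR_SENTRA", "GBTR_SILTRY",
    "GBTY_SALTY", "GBUTR_SEC", "GB_CNETPROC", "PowerPointView", "ProctRaw",
    "RamynySyS", "RawFrikSys", "RengaSyS", "SysNetView32", "SysSayoView32",
    "WIN_BULKATRO", "WIN_GTERMU", "WIN_NULQAXRO", "WIN_NYLTIBITS", "WinSizeNet32",
    "Win_GbterZcuzi", "bootstat"]}

DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]  # stock value on a clean system


def parse_reg(text):
    """Parse REGEDIT5 export text into {key_path: {value_name: raw_data}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # hex(...) data continued on the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(2) else m.group(1)
            keys[current][name] = m.group(3)
    return keys


def decode_value(raw):
    """Turn raw .reg data into an int (dword), str, or list of str (hex(7) multi-string)."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(7):"):
        data = bytes(int(h, 16) for h in raw[7:].split(",") if h)
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def triage(keys):
    """Apply the advisory's registry indicators to a parsed export.

    Returns a list of (finding, key_path, value_name, decoded_data) tuples.
    """
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\currentversion\\run"):
            for name, raw in values.items():
                if name.lower() in BALISDAT_RUN_NAMES:
                    findings.append(("run_value", key, name, decode_value(raw)))
        elif k.endswith("\\control\\session manager") and "BootExecute" in values:
            boot = decode_value(values["BootExecute"])
            boot = [boot] if isinstance(boot, str) else boot
            extra = [e for e in boot if e.strip() not in DEFAULT_BOOTEXECUTE]
            if extra:  # the advisory's variant appends the malware file name here
                findings.append(("bootexecute", key, "BootExecute", extra))
        elif k.endswith("\\policies\\system"):
            if decode_value(values.get("DisableTaskMgr", "dword:0")) == 1:
                findings.append(("taskmgr_disabled", key, "DisableTaskMgr", 1))
            if decode_value(values.get("EnableLUA", "dword:1")) == 0:
                findings.append(("uac_disabled", key, "EnableLUA", 0))
    return findings


# Constructed sample export: one benign Run value plus the advisory's indicators.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"
"GBTR_SENTRA"="C:\\gbtr_sentra.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"="autocheck autochk *bootstat.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002
"EnableLUA"=dword:00000000
'''

if __name__ == "__main__":
    for finding in triage(parse_reg(SAMPLE_EXPORT)):
        print(*finding)
```

To run it against a real host, export the three keys with `reg export` and read the file with `open(path, encoding="utf-16")`, since reg.exe writes UTF-16 with a byte-order mark; the hex(7) branch exists because a live export stores BootExecute as a REG_MULTI_SZ in that encoding rather than as the quoted string shown in the advisory.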

Shuts down the computer automatically

Trojan:Win32/Balisdat.gen!C attempts to shut down the affected computer by executing the command "shutdown -r -f -t 00".

Downloads arbitrary files

Trojan:Win32/Balisdat.gen!C may download other possibly malicious files from certain servers. In the wild, it has been known to connect to any of the following servers:

  • 201.<removed>37.231
  • alfa<removed>tauria.com
  • alfa<removed>taurib.com
  • baja<removed>va.com
  • base<removed>lientes.com.br
  • bras<removed>irocomorgulho.com
  • brav<removed>ntebrasileira.com
  • guet<removed>ralho.com.br
  • host<removed>ts.com
  • mysq<removed>eprotocolos.com.br
  • phpf<removed>dido.com

Additional information

Trojan:Win32/Balisdat.gen!C may create any of the following mutex names:

  • GBIEHLASMUMAITOCACHA2011
  • GBSTPROC2011
  • GBTPROMOC2011
  • GBTZEMONASLIES2011
  • GBULELASNURMONAS2011
  • GB_PROCESS_ZYX_2011
  • GB_PROCZE_GBAL_2011
  • GB_PROCZE_GHB_2011
  • SYSNET2011PRIV8
  • SYSSUN2011PROC
  • WINNOVA2010PRIV8
  • WINSEC2011PRIV8




Analysis by Ric Robielos

Last update 29 November 2011

 
