Home / malwarePDF  

Trojan:Win32/Balisdat.gen!G


First posted on 18 December 2012.
Source: Microsoft

Aliases :

Trojan:Win32/Balisdat.gen!G is also known as Win32/TrojanDownloader.Banload.RPO (ESET), Troj/Bckdr-RNK (Sophos), Trojan.PWS.Gamania.38632 (Dr.Web), Trojan.Win32.Scar.grec (Kaspersky).

Explanation :



Installation

Trojan:Win32/Balisdat.gen!G may arrive on your computer as a ZIP file attached to a spam email. File names used by the ZIP file are designed to lure you into opening the file and extracting the files inside. We have observed the following names:

  • Album.jpg.zip
  • Album.zip
  • anexo.zip
  • Candidato_Comedia<number>.zip
  • Candidato_Comedia.zip
  • Comedia<number>.zip
  • comedia.zip
  • Desastre_Ambulante.zip
  • entret_virtual.exe.zip
  • Fotos<number>.zip
  • Fotos.jpg.zip
  • Fotos_intimas.zip
  • Fotos-vc.zip
  • Kama_Sutra_Paraguaia<number>.zip
  • Kama_Sutra_Paraguaia.zip
  • Kama-Sutra Nordestino.zip
  • KamaSutra_KKKK.zip
  • KamaSutra-18anos<number>.zip
  • Kama-Sutra18anos<number>.zip
  • KamaSutra-18anos_Install.zip
  • KamaSutra18AnosBLK.zip
  • Kama-Sutra-18Anos-BLK.zip
  • KamaSutra18AnosBlock.zip
  • KamaSutraCearense.zip
  • KamaSutra-Cearense.zip
  • KamaSutraNORDESTINO.zip
  • Kama-sutra-nordestino.zip
  • KamaSutra-Novinhas290759.zip
  • Minha-fotos-intimas.zip
  • Minhas-fotos.zip
  • nossa_festinha.zip
  • Pura-comedia.zip
  • ReCargaCel_Gratis<number>.zip
  • ReCargaCel_Gratis.zip
  • RecargaSoft_Cel<number>.zip


where <number> is a random number.

The ZIP file contains an executable file which is also detected as Trojan:Win32/Balisdat.gen!G.

We have observed the executable files with the following names:

  • aixador_antigo.exe
  • Album.exe
  • Album.jpg.exe
  • baixador antigo.exe
  • Candidato_Comedia.avi.exe
  • comedia.exe
  • Desastre_Ambulante.avi.exe
  • Desastre_Ambulante.exe
  • Desbloquea-foto.jpg.exe
  • Desbloqueia-Maior-18.exe
  • Desbloqueia-Maior-de-18.exe
  • DriverUpdate.exe
  • entret_virtual.exe.exe
  • Festinha_do_fds.avi.exe
  • fotos.exe
  • Fotos.jpg.exe
  • Fotos_intimas.exe
  • Fotos_intimas.jpg.exe
  • Fotos_vc.exe
  • Fotos-vc.exe
  • Kama_Sutra_Cearence_Install.exe
  • Kama_Sutra_Paraguaia.exe
  • KamaSutra_18anos_Install.exe
  • KamaSutra-18anos_Install.exe
  • KamaSutra18AnosBLK.exe
  • Kama-Sutra-18Anos-BLK.exe
  • KamaSutra-18AnosBloc.exe
  • KamaSutra18AnosBlock.exe
  • KamaSutra-18Anos-Block.exe
  • KamaSutra-18anos-Install.exe
  • Kama-Sutra-Cearence-Install.exe
  • KamaSutraCearense.exe
  • KamaSutra-Cearense.exe
  • Kama-sutra-nordestino.exe
  • kama-sutra-paraguaia.exe
  • Minha-fotos-intimas.exe
  • Minhas-fotos.exe
  • Pasta_Desbloqueada.exe
  • Pura-comedia.exe
  • RecargaSoft_Cel.exe
  • taskmb.exe


The files may use icons that are similar to standard folder icons. It is likely that the use of folder icons is another attempt to lure you into running the file.

We have observed the following icons:



When run, Trojan:Win32/Balisdat.gen!G drops a copy of itself in the "%windir%\media" or "%Public%\Favorites" folder with one of the following file names:

  • audiodg.exe
  • avassv.exe
  • avasui.exe
  • dllhost.exe
  • driverupdate.exe
  • flashupdate.exe
  • frameworkup.exe
  • gchormeupdate.exe
  • rundll32.exe
  • spoolsv.exe
  • svhost.exe
  • taskmb.exe
  • wicomm.exe
  • winlon.exe
  • wlconm.exe


Note: %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; and for XP, Vista, 7, and 8 it is "C:\Windows".

Note: %Public% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Public folder for Windows 2000, XP, 2003, Vista, 7, and 8 is "C:\Users\Public".

The trojan also creates a file with the name "rest" in the "%windir%\media" folder. This file contains the date when the trojan was run on your computer.

Trojan:Win32/Balisdat.gen!G modifies the following registry entries to ensure that its copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "taskhost"
With data: "%windir%\media\<malware file name>"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Netlogon"
With data: "%windir%\media\<malware file name>"

After you have run the file, the trojan displays one of the following messages to make it appear as if the file did not install or run correctly, and to hide its malicious actions:



The message translates from Portuguese as "Incompatible version".



The message translates from Portuguese as "Incompatible version The program will exit!".



The message translates from Portuguese as "Incompatible versions! Windows does not allow 'x82-64bit-32 bits'. The program will exit!".



Payload

Deletes or moves security-related folders

Trojan:Win32/Balisdat.gen!G attempts to delete or move any of the following subfolders to a different location, so as to prevent certain security-related applications from functioning correctly:

  • ALWILS~1\
  • AntiVir PersonalEdition Classic\
  • AntiVir\
  • Arquivos comuns\Panda Security\
  • Arquivos comuns\Symantec Shared\
  • AVASTS~1\
  • AVG\
  • Avira\
  • ClamWin\
  • COMODO\
  • ESET\
  • Grisoft\
  • Kaspersky Lab\
  • McAfee\
  • Microsoft Security Essentials\
  • Norton AntiVirus\
  • NortonInstaller\
  • Panda Security\
  • Panda Software\
  • Rising\
  • Scpad\


The trojan searches for the subfolders in any of the following folders:

  • C:\Arquivos de programas
  • C:\Arquivos de Programas (x86)\
  • C:\Program Files (x86)\
  • C:\Program Files\
  • D:\Arquivos de Programas (x86)\
  • D:\Arquivos de programas\
  • D:\Program Files (x86)\
  • D:\Program Files\


Terminates process

Trojan:Win32/Balisdat.gen!G terminates the following security-related processes by using the "taskkill" command

  • AvastSvc.exe
  • AvastUI.exe


Deletes registry entries

Trojan:Win32/Balisdat.gen!G deletes several registry entries related to avast! antivirus software, preventing the software from functioning correctly.

Modifies system security settings

Some variants of Trojan:Win32/Balisdat.gen!G disable the Least Privileged User Account (LUA) setting, which leads to a lowering of your computer's security. It disables the LUA by making the following registry modification:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "dword:00000000"

Some variants of Trojan:Win32/Balisdat.gen!G disable the User Account Control (UAC) prompt. Although the UAC prompt no longer appears, the Windows Security Center might warn you that UAC is turned off.

The trojan disables the UAC prompt by modifying the following registry entry:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "ConsentPromptBehaviorAdmin"
With data: "0"

Downloads arbitrary files

Trojan:Win32/Balisdat.gen!G may download possibly malicious files from certain servers. In the wild, we have observed the trojan attempting to connect to the following servers:

  • alfacentauria.com
  • alfacentaurib.com
  • febredoouro.com
  • garimpeiro2012.com
  • kteto2012.com
  • quironred.com
  • tudoporouro.com


The file is downloaded to either "%windir%\media" or "%Public%\Favorites" and may have one of the following file names:

  • BoxFile.bcc
  • bts
  • k32
  • Kernel32bits
  • libeay
  • ssleay
Note: At the time of analysis, the servers were no longer accessible; therefore we are unable to confirm the nature of the files that are downloaded.Additional information

The messages originally appear in Portuguese, as follows:

Versão incompatível

Versão incompatível
O Programa será fechado!

Incompatibilidade de versoes!
Windows não permite "x82-64bit-32bits".
O Programa será fechado!

Related encyclopedia entries

Win32/Bancos

Win32/Banker



Analysis by Ric Robielos

Last update 18 December 2012

 

TOP

Malware :

Family: