Home / malware Trojan:Win32/Balisdat.gen!G
First posted on 18 December 2012.
Source: MicrosoftAliases :
Trojan:Win32/Balisdat.gen!G is also known as Win32/TrojanDownloader.Banload.RPO (ESET), Troj/Bckdr-RNK (Sophos), Trojan.PWS.Gamania.38632 (Dr.Web), Trojan.Win32.Scar.grec (Kaspersky).
Explanation :
Installation
Trojan:Win32/Balisdat.gen!G may arrive on your computer as a ZIP file attached to a spam email. File names used by the ZIP file are designed to lure you into opening the file and extracting the files inside. We have observed the following names:
- Album.jpg.zip
- Album.zip
- anexo.zip
- Candidato_Comedia<number>.zip
- Candidato_Comedia.zip
- Comedia<number>.zip
- comedia.zip
- Desastre_Ambulante.zip
- entret_virtual.exe.zip
- Fotos<number>.zip
- Fotos.jpg.zip
- Fotos_intimas.zip
- Fotos-vc.zip
- Kama_Sutra_Paraguaia<number>.zip
- Kama_Sutra_Paraguaia.zip
- Kama-Sutra Nordestino.zip
- KamaSutra_KKKK.zip
- KamaSutra-18anos<number>.zip
- Kama-Sutra18anos<number>.zip
- KamaSutra-18anos_Install.zip
- KamaSutra18AnosBLK.zip
- Kama-Sutra-18Anos-BLK.zip
- KamaSutra18AnosBlock.zip
- KamaSutraCearense.zip
- KamaSutra-Cearense.zip
- KamaSutraNORDESTINO.zip
- Kama-sutra-nordestino.zip
- KamaSutra-Novinhas290759.zip
- Minha-fotos-intimas.zip
- Minhas-fotos.zip
- nossa_festinha.zip
- Pura-comedia.zip
- ReCargaCel_Gratis<number>.zip
- ReCargaCel_Gratis.zip
- RecargaSoft_Cel<number>.zip
where <number> is a random number.
The ZIP file contains an executable file which is also detected as Trojan:Win32/Balisdat.gen!G.
We have observed the executable files with the following names:
- aixador_antigo.exe
- Album.exe
- Album.jpg.exe
- baixador antigo.exe
- Candidato_Comedia.avi.exe
- comedia.exe
- Desastre_Ambulante.avi.exe
- Desastre_Ambulante.exe
- Desbloquea-foto.jpg.exe
- Desbloqueia-Maior-18.exe
- Desbloqueia-Maior-de-18.exe
- DriverUpdate.exe
- entret_virtual.exe.exe
- Festinha_do_fds.avi.exe
- fotos.exe
- Fotos.jpg.exe
- Fotos_intimas.exe
- Fotos_intimas.jpg.exe
- Fotos_vc.exe
- Fotos-vc.exe
- Kama_Sutra_Cearence_Install.exe
- Kama_Sutra_Paraguaia.exe
- KamaSutra_18anos_Install.exe
- KamaSutra-18anos_Install.exe
- KamaSutra18AnosBLK.exe
- Kama-Sutra-18Anos-BLK.exe
- KamaSutra-18AnosBloc.exe
- KamaSutra18AnosBlock.exe
- KamaSutra-18Anos-Block.exe
- KamaSutra-18anos-Install.exe
- Kama-Sutra-Cearence-Install.exe
- KamaSutraCearense.exe
- KamaSutra-Cearense.exe
- Kama-sutra-nordestino.exe
- kama-sutra-paraguaia.exe
- Minha-fotos-intimas.exe
- Minhas-fotos.exe
- Pasta_Desbloqueada.exe
- Pura-comedia.exe
- RecargaSoft_Cel.exe
- taskmb.exe
The files may use icons that are similar to standard folder icons. It is likely that the use of folder icons is another attempt to lure you into running the file.
We have observed the following icons:
When run, Trojan:Win32/Balisdat.gen!G drops a copy of itself in the "%windir%\media" or "%Public%\Favorites" folder with one of the following file names:
- audiodg.exe
- avassv.exe
- avasui.exe
- dllhost.exe
- driverupdate.exe
- flashupdate.exe
- frameworkup.exe
- gchormeupdate.exe
- rundll32.exe
- spoolsv.exe
- svhost.exe
- taskmb.exe
- wicomm.exe
- winlon.exe
- wlconm.exe
Note: %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; and for XP, Vista, 7, and 8 it is "C:\Windows".
Note: %Public% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Public folder for Windows 2000, XP, 2003, Vista, 7, and 8 is "C:\Users\Public".
The trojan also creates a file with the name "rest" in the "%windir%\media" folder. This file contains the date when the trojan was run on your computer.
Trojan:Win32/Balisdat.gen!G modifies the following registry entries to ensure that its copy runs at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "taskhost"
With data: "%windir%\media\<malware file name>"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Netlogon"
With data: "%windir%\media\<malware file name>"
After you have run the file, the trojan displays one of the following messages to make it appear as if the file did not install or run correctly, and to hide its malicious actions:
The message translates from Portuguese as "Incompatible version".
The message translates from Portuguese as "Incompatible version The program will exit!".
The message translates from Portuguese as "Incompatible versions! Windows does not allow 'x82-64bit-32 bits'. The program will exit!".
Payload
Deletes or moves security-related folders
Trojan:Win32/Balisdat.gen!G attempts to delete or move any of the following subfolders to a different location, so as to prevent certain security-related applications from functioning correctly:
- ALWILS~1\
- AntiVir PersonalEdition Classic\
- AntiVir\
- Arquivos comuns\Panda Security\
- Arquivos comuns\Symantec Shared\
- AVASTS~1\
- AVG\
- Avira\
- ClamWin\
- COMODO\
- ESET\
- Grisoft\
- Kaspersky Lab\
- McAfee\
- Microsoft Security Essentials\
- Norton AntiVirus\
- NortonInstaller\
- Panda Security\
- Panda Software\
- Rising\
- Scpad\
The trojan searches for the subfolders in any of the following folders:
- C:\Arquivos de programas
- C:\Arquivos de Programas (x86)\
- C:\Program Files (x86)\
- C:\Program Files\
- D:\Arquivos de Programas (x86)\
- D:\Arquivos de programas\
- D:\Program Files (x86)\
- D:\Program Files\
Terminates process
Trojan:Win32/Balisdat.gen!G terminates the following security-related processes by using the "taskkill" command
- AvastSvc.exe
- AvastUI.exe
Deletes registry entries
Trojan:Win32/Balisdat.gen!G deletes several registry entries related to avast! antivirus software, preventing the software from functioning correctly.
Modifies system security settings
Some variants of Trojan:Win32/Balisdat.gen!G disable the Least Privileged User Account (LUA) setting, which leads to a lowering of your computer's security. It disables the LUA by making the following registry modification:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "dword:00000000"
Some variants of Trojan:Win32/Balisdat.gen!G disable the User Account Control (UAC) prompt. Although the UAC prompt no longer appears, the Windows Security Center might warn you that UAC is turned off.
The trojan disables the UAC prompt by modifying the following registry entry:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "ConsentPromptBehaviorAdmin"
With data: "0"
Downloads arbitrary files
Trojan:Win32/Balisdat.gen!G may download possibly malicious files from certain servers. In the wild, we have observed the trojan attempting to connect to the following servers:
- alfacentauria.com
- alfacentaurib.com
- febredoouro.com
- garimpeiro2012.com
- kteto2012.com
- quironred.com
- tudoporouro.com
The file is downloaded to either "%windir%\media" or "%Public%\Favorites" and may have one of the following file names:
Note: At the time of analysis, the servers were no longer accessible; therefore we are unable to confirm the nature of the files that are downloaded.Additional information
- BoxFile.bcc
- bts
- k32
- Kernel32bits
- libeay
- ssleay
The messages originally appear in Portuguese, as follows:
Versão incompatÃvel
Versão incompatÃvel
O Programa será fechado!
Incompatibilidade de versoes!
Windows não permite "x82-64bit-32bits".
O Programa será fechado!
Related encyclopedia entries
Win32/Bancos
Win32/Banker
Analysis by Ric Robielos
Last update 18 December 2012