
Trojan:MSIL/Balamid.A


First posted on 29 March 2014.
Source: Microsoft

Aliases:

There are no other names known for Trojan:MSIL/Balamid.A.

Explanation:

Threat behavior

Installation

Trojan:MSIL/Balamid.A is downloaded and installed by TrojanDownloader:MSIL/Balamid.A as %ProgramData%\system.exe (on Windows Vista and later, %ProgramData% normally resolves to C:\ProgramData).

Payload

Changes the home page of your Internet browser

Trojan:MSIL/Balamid.A can change the home page of the following browsers:

  • Chrome
  • Firefox
  • Internet Explorer


We have seen it replace the existing home page with www.arasak.com.

To do this, the threat downloads a file from a remote server; that file contains the URL to be set as the home page of each browser, so the destination can be changed by the operator without updating the trojan.

It then makes the following modifications:

  • Sets the "Start Page" value under the registry key "HKCU\Software\Microsoft\Internet Explorer\Main" to the new malicious URL, for example http://www.arasak.com (Internet Explorer)
  • Sets the "browser.startup.homepage" preference in the profile's prefs.js file to the new malicious URL, for example http://www.arasak.com (Firefox)
  • Sets the "startup_urls" and "homepage" values in the profile's Preferences file to the new malicious URL, for example http://www.arasak.com (Chrome)


We have seen it connect to the following servers to download the home page URL:

  • www.wintask64.com
  • www.wintask32.com




Analysis by Zhitao Zhou

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    %ProgramData%\lsm.exe
    %ProgramData%\system.exe
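The three home page locations listed under "Payload" and the two dropped files listed under "Symptoms" can be checked with a single triage script. The following is an added example, not code from the original write-up or from Microsoft: it looks for the one hijack host the description names (www.arasak.com) in a Firefox prefs.js, in a Chrome Preferences file and in the Internet Explorer "Start Page" value, and reports which of the two indicator files exist under %ProgramData%. The prefs.js and Preferences contents embedded below are constructed samples of the modified values; the registry read is only attempted on Windows, and the pipe-separated handling of multiple Firefox home pages and the recursive search of the Chrome JSON go slightly beyond the specific case in the text.

```python
"""Added example (not from the original write-up): triage helper for the
Balamid home page hijack. Sample file contents below are constructed."""
import json
import os
import re
import sys
from typing import Optional
from urllib.parse import urlsplit

# Indicators taken from the description above.
HIJACK_HOSTS = {"www.arasak.com"}
DROPPED_FILES = ("lsm.exe", "system.exe")           # expected under %ProgramData%
IE_MAIN_KEY = r"Software\Microsoft\Internet Explorer\Main"  # under HKCU

# Firefox keeps the home page as a user_pref() line in the profile's prefs.js;
# several home pages are joined with "|".
FIREFOX_HOMEPAGE_RE = re.compile(
    r'user_pref\("browser\.startup\.homepage",\s*"([^"]*)"\);')


def is_hijacked(url: str) -> bool:
    """True when the URL's host is one of the known hijack hosts (case-insensitive)."""
    candidate = url.strip()
    if "://" not in candidate:          # tolerate a bare host name
        candidate = "http://" + candidate
    host = (urlsplit(candidate).hostname or "").lower()
    return host in HIJACK_HOSTS


def firefox_homepages(prefs_js: str) -> list:
    """Return every home page URL set by browser.startup.homepage in a prefs.js text."""
    pages = []
    for match in FIREFOX_HOMEPAGE_RE.finditer(prefs_js):
        pages.extend(p for p in match.group(1).split("|") if p)
    return pages


def chrome_homepages(preferences_json: str) -> list:
    """Return the 'homepage' value and every 'startup_urls' entry, wherever they
    sit in the Preferences JSON (startup_urls normally lives under "session")."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "homepage" and isinstance(value, str):
                    found.append(value)
                elif key == "startup_urls" and isinstance(value, list):
                    found.extend(v for v in value if isinstance(v, str))
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(preferences_json))
    return found


def ie_start_page() -> Optional[str]:
    """Read HKCU\\...\\Main\\Start Page; None when not on Windows or the value is absent."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, IE_MAIN_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "Start Page")
            return value
    except OSError:
        return None


def dropped_files_present(programdata: Optional[str] = None) -> list:
    """Return the full paths of the indicator files that exist under %ProgramData%."""
    base = programdata or os.environ.get("ProgramData", r"C:\ProgramData")
    candidates = (os.path.join(base, name) for name in DROPPED_FILES)
    return [path for path in candidates if os.path.isfile(path)]


def hijacked_homepages(firefox_prefs_js: str, chrome_preferences: str) -> dict:
    """Map browser name -> home page URLs that point at a known hijack host."""
    ie_pages = [u for u in [ie_start_page()] if u]
    return {
        "Firefox": [u for u in firefox_homepages(firefox_prefs_js) if is_hijacked(u)],
        "Chrome": [u for u in chrome_homepages(chrome_preferences) if is_hijacked(u)],
        "Internet Explorer": [u for u in ie_pages if is_hijacked(u)],
    }


# Constructed sample contents showing the values the trojan writes.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.arasak.com");
user_pref("browser.startup.page", 1);
'''
SAMPLE_CHROME_PREFERENCES = json.dumps({
    "homepage": "http://www.arasak.com",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4,
                "startup_urls": ["http://www.arasak.com/", "https://example.org/"]},
})

if __name__ == "__main__":
    print(hijacked_homepages(SAMPLE_PREFS_JS, SAMPLE_CHROME_PREFERENCES))
    print(dropped_files_present())
```

On a live system, pass the contents of the profile's prefs.js (Firefox) and Preferences (Chrome) files to hijacked_homepages instead of the samples; matching on the host rather than the exact string catches trailing-slash and case variants of the same URL.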

Last update 29 March 2014
