Feeds & Podcasts
Blogs
- Consumer (478)
- Corporate (155)
- Enterprise (466)
- McAfee Labs (1126)
Meet the Bloggers
- Abhishek Karnik
- Adam Pridgen
- Adam Wosotowsky
- Aditya Kapoor
- Ahmed Sallam
- Alex Hinchliffe
- Allysa Myers
- Anil Ramabhatta
- Anindita Mishra
- Anna Stepanov
- Apurv Anand
- Arun Pradeep
- Arun Sabapathy
- Avelino Rico Jr
- Ben Edelman
- Bhaskar Krishna
- Bing Sun
- Brad Antoniewicz
- Brant Yaeger
- Brenda Moretto
- Brian Kenyon
- Brian Mann
- Carlos Castillo
- Cedric Cochin
- Chen Yu
- Chintan Shah
- Chris Barton
- Craig Schmugar
- Cyber Mum Australia
- Dan Sommer
- Dave Klenske
- David Marcus
- David Rayhawk
- David Scharoun
- Dennis Elser
- Denys Ma
- Di Tian
- Dirk Kollberg
- Dmitry Gryaznov
- Dr. Phyllis Schneck
- DThakkar
- Editor
- Elodie Grandjean
- Eric Peterson
- Eric Schou
- Federico Barbieri
- Felix Martinez
- Francie Coulter
- Francisca Moreno
- Francois Paget
- Gabriel Acevedo
- Gaith Taha
- Gary Davis
- Gavin Struthers
- Geok Meng Ong
- Georg Wicherski
- George Kurtz
- Gert Jan Schenk
- Girish Pillai
- Guilherme Venere
- Haowei Ren
- Harish Garg
- Hiep Dang
- HongZheng Zhou
- Igor Muttik
- James Duldulao
- James Galpin
- Jan Volzke
- Jeremy Gilliat
- Jim Walter
- Jimmy Kuo
- Jimmy Shah
- Joe Telafici
- Joel Spurlock
- Joey Koo
- John Dasher
- Jon Paterson
- Jonathan Zdziarski
- Juan Bocanegra
- Karthik Raman
- Kevin Beets
- Kevin McGhee
- Kevin Watkins
- Kim Eichorn
- Lang Tibbils
- Latha Ramasamy
- Lianne Caetano
- Lokesh Kumar
- Madhurima Pawar
- Marc Olesen
- Marius van Oers
- Mark Olea
- Matthew Wollenweber
- Meirgen Krehs
- MFEChannelChief
- Micha Pekrul
- MihwaLee
- Mike Price
- Mohinder Gill
- Monty Ijzerman
- Nandi Kishore
- Navtej Singh
- Neha Joshi
- Nick Kelly
- Nikfar Khaleeli
- Nishad Herath
- Nitin Jyoti
- Nitin Kumar
- Oliver Devane
- PageOne Pr
- Paolo Palumbo
- Paras Gupta
- Patrick Comiotto
- Patrick Knight
- Paula Greve
- Pedro Bueno
- Peter Meyer
- Peter Szor
- Pradeep Govindaraju
- Prajwala Rao
- Prashanth PR
- Rachit Mathur
- Rafal Wojtczuk
- Rahul Kashyap
- Rahul Mohandas
- Raj Samani
- Ravi Balupari
- Rizwan Husain
- Robert Ross
- Robert Siciliano
- Rodney Andres
- Romain Levy
- Rusty Carter
- Ryan Permeh
- Sam Masiello
- Schalk Cronjé
- Seth Purdy
- Shane Keats
- Shannon Cole
- Sharath Veerabhadraswamy
- Shinsuke Honjo
- Simon Cooper
- Simon Hunt
- Stephen Karkula
- Stina Wikstrom
- Stuart McClure
- Sudarshan Swamy
- Swapnil Pathak
- Tad Heppner
- Ted Rooney
- Tim Fulkerson
- Todd Gebhart
- Toralv Dirro
- Tracy Mooney
- Tracy Ross
- Ugur Sahsi
- Umesh Wanve
- Varadharajan Krishnasamy
- Vinay Mahadik
- Vinoo Thomas
- Vitaly Zaytsev
- Vivek Chudgar
- Vu Nguyen
- Wei Wang
- Xiao Chen
- Xing Su
- Yang Zhang
- Yichong Lin
- Zhedong Chen
- Zhu Cheng
Archive
- February 2012 (18)
- January 2012 (47)
- 2011 (482)
- 2010 (431)
- 2009 (395)
- 2008 (294)
- 2007 (416)
- 2006 (169)
Tags
#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity
W32/Bacalid – a new polymorphic virus spreading in the wild
|
|
For about a week McAfee Avert Labs has received, from various sources, samples of a new polymorphic parasitic file infector that infects EXE and DLL files. This newcomer has stealth capabilities and attempts to download some variants of the PWS-Lineage trojan from compromised websites.
As it does not execute its payload when the current ANSI code page identifier for the system is set to 936 (ANSI/OEM – Simplified Chinese – PRC, Singapore), this malware probably comes from Southern or Southeastern Asia.
This virus is named W32/Bacalid. The size of infected files increases approximately by ~35 KB. When a sample is run, it searches for an event named WINXPGOD. If this event is not found on the system, it creates and executes a DLL file named “VCab.dll”. It is then injected into a random running process to ensure it stays resident. The corresponding file is saved in a temp folder.
During my investigations, I noted four different VCAB.DLL files with four different sizes :
- 32,256 bytes and 32,792 bytes when they are packed
- 44,032 bytes and 44,544 bytes if not packed
These files are detected as W32/Bacalib!vcab
The downloaded files have a .wos extension; they are encrypted and get decrypted by the virus.
This threat is interesting because in this period where we generally encounter non self-replicating programs, the appearance of a new complex virus can often cause a stir. As it is an appender and because it erases the DOS Stub of any infected host file, detection is not a real problem. But for cleaning to succeed, the virus body must be decrypted.
Three levels of decryption must be processed and some enhanced anti-emulator codes are inserted to prevent an easy restitution of the original virus code. Polymorphic sequences of commands with variable constants and randomly chosen assembler instruction for this malware are particularly sophisticated. For now we detect 2 variants, they are very similar and just differ with their encryption at the first layer.
Today, computer users must be vigilant. One link hosting the PWS-Lineage is still alive and we continue to receive samples from the wild. Avert Labs has had our teams working at full speed to create a specific removal tool for this threat (stinger utility). For updated removal instructions, a copy of this tool and further information on this threat, please go to W32/Bacalid.
|
|
Comments (3)
i have just been infected with this virus and it literally hijacked each and every exe and dll file in my hard drive. 
Il faut utiliser un antivirus récent et efficace. J’utilise actuellement: Symantec Antivirus Corporate edition 10 et régulièrement mis à jour. Il s’est avéré bien efficace à ce jour sur W32BACALIB.
J’ai cependant l’impression que de nouvelles version de ce virus apparaissent. Fais gaffe, sinon tu ne pourras plus travailler sur ta machine.
Bonne chance TSALA!
mon pc es attacqué par les virus appellé bacalib tous mes fichiers et document sont atteind comment s’endebaracé
merci de votre bonne comperhension
Submit your own comments / message for this post