W32/Bacalid

Type
Virus
SubType
File Infector
Discovery Date
09/06/2006
Length
varies
Minimum DAT
4847 (09/07/2006)
Updated DAT
5060 (06/25/2007)
Minimum Engine
5.1.00
Description Added
09/06/2006
Description Modified
09/14/2006 3:29 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

-- Update September 14, 2006 --
A new version of Stinger has been released to detect and remove all known variants of W32/Bacalid to date:

Download stinger-bacalid.zip (contains stinger.com MD5: 0955c96cc5d1c57cfd42520ce298fbcc)
--

-- Update September 11, 2006 --
McAfee Avert Labs has released a version of Stinger to detect and remove W32/Bacalid.a and W32/Bacalid.b. These two variants are detected by the released DAT files as W32/Bacalid, but repair requires Stinger.
--

W32/Bacalid is a polymorphic parasitic file infector that infects EXE and DLL files on local drives and mapped shares of an infected system when those files are accessed through Windows Explorer. It has stealth capabilities and attempts to download a variant of the PWS-Lineage trojan from compromised websites.

Upon execution, it drops the following file in the temp folder:

  • %UserProfile%\Local Settings\Temp\VCab.dll

Checks the system's current ANSI code page identifier and, if it is 936 (ANSI/OEM - Simplified Chinese, PRC and Singapore), does not execute its payload.

Injects its DLL component "VCab.dll" into other running processes using the following Windows API:

  • SetWindowsHookEx

A global hook installed this way causes Windows to load the hook DLL into every process on the same desktop that processes window messages, so the virus code runs inside Explorer and other GUI applications without a separate injection step for each process.

Creates the following event object so that only one instance of the virus runs on an infected machine:

  • WINXPGOD

Attempts to hide the presence of its DLL component "VCab.dll" on the infected system to avoid detection.

Symptoms

Downloader Component:

Attempts to connect to the following URLs to download a variant of the PWS-Lineage trojan:

  • http://clubio.com/[Removed]/Game1.wos
  • http://gallup.co.kr/[Removed]/Game1.wos
  • http://200.61.224.41/[Removed]/game1.wos
  • http://www.darcania.com/[Removed]/Game1.wos

Method of Infection

W32/Bacalid infects EXE and DLL files on local drives and mapped shares of an infected system when those files are accessed through Windows Explorer.

  • It erases the DOS stub of the infected host file.
  • Infected files grow by approximately 35 KB.

Note: Due to a bug in the viral code, infected files may fail to execute after infection.
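The erased DOS stub described above is a marker a responder can hunt for on disk. The script below is an added triage example (not McAfee's or Stinger's code): it walks a tree of EXE/DLL files and flags those whose stub region has been wiped. It assumes, since the description does not say, that "erased" means the bytes between the DOS header (offset 0x40) and the PE header (e_lfanew) are all zero; a stub that is non-zero but lacks the usual linker message is reported only as "unusual", because other linkers emit other messages.

```python
"""Flag PE files whose DOS stub has been erased.

Added triage example for this description; not McAfee or Stinger code.
Assumptions (not stated on the page): an "erased" stub is modelled as the
region between the DOS header (offset 0x40) and the PE header (e_lfanew)
being all zero bytes.  A stub that is non-zero but lacks the usual linker
message is reported as "unusual" only, because other linkers emit other
messages.
"""
import os
import struct
import sys

DOS_HEADER_SIZE = 0x40
MAX_E_LFANEW = 0x100000          # sanity cap so a hostile header cannot force a huge read
STUB_MESSAGE = b"This program cannot be run in DOS mode"


def dos_stub_state(data: bytes) -> str:
    """Classify the DOS stub of a PE image prefix held in memory.

    Returns "not-pe", "no-stub" (e_lfanew == 0x40, legitimate for some
    tools), "intact", "erased" (all zero bytes) or "unusual".
    """
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew + 4 > len(data):
        return "not-pe"
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "not-pe"
    stub = data[DOS_HEADER_SIZE:e_lfanew]
    if not stub:
        return "no-stub"
    if not stub.strip(b"\x00"):
        return "erased"              # nothing but zeros where the stub should be
    if STUB_MESSAGE in stub:
        return "intact"
    return "unusual"


def read_pe_head(fh) -> bytes:
    """Read just enough of an open file to cover the DOS stub and PE signature."""
    head = fh.read(DOS_HEADER_SIZE)
    if len(head) < DOS_HEADER_SIZE or head[:2] != b"MZ":
        return head
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew > MAX_E_LFANEW:
        return head                  # dos_stub_state() will report it as not-pe
    return head + fh.read(e_lfanew + 4 - DOS_HEADER_SIZE)


def scan_tree(root: str, exts=(".exe", ".dll")):
    """Yield (path, size, state) for EXE/DLL files whose stub is erased or unusual.

    The description reports infected files growing by roughly 35 KB, so the
    size is returned too for comparison against a known-good copy.
    """
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    state = dos_stub_state(read_pe_head(fh))
            except OSError:
                continue
            if state in ("erased", "unusual"):
                yield path, os.path.getsize(path), state


def build_sample(stub: bytes) -> bytes:
    """Constructed MZ/PE prefix with the given stub (test data, not a real binary)."""
    hdr = bytearray(b"MZ" + b"\x00" * (DOS_HEADER_SIZE - 2))
    struct.pack_into("<I", hdr, 0x3C, DOS_HEADER_SIZE + len(stub))
    return bytes(hdr) + stub + b"PE\x00\x00"


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, size, state in scan_tree(root):
        print(f"{state:8s} {size:>10d} {path}")
```

Run it as `python stubscan.py C:\` (or against a mounted image of the disk) and compare any "erased" hits against a clean copy of the same file; the hook DLL and the virus body are polymorphic, but the wiped stub region and the roughly 35 KB growth are stable markers. "unusual" hits need a second look rather than automatic cleaning.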

Removal

Removal requires the Bacalid Stinger tool. This Stinger build cleans all known variants of Bacalid to date.

NOTE: Bacalid is known to misinfect, and subsequently corrupt, executable files from time to time. Such corrupted files will not be restored by Stinger and must be restored from backup.

McAfee VirusScan Enterprise 8.0i (VSE 8.0i) can be used to block the main component of the virus from infecting other files and systems. This is done by creating an Access Protection rule that prevents the file %temp%\vcab.dll from being created. The rule only blocks new infections; files that are already infected still need Stinger.

  1. Click Start -> Programs -> Network Associates -> VirusScan Console
  2. Double-click Access Protection
  3. Click the middle "File, Share, and Folder Protection" tab
  4. Add a rule that blocks creation of the file %temp%\vcab.dll (the original description shows the values in a screen shot)

Variants

    N/A

Aliases

  • PE_VBAC.A-O (Trend Micro)
  • W32.Bacalid (Symantec)
  • Win32.Bacalid.A (BitDefender)
