Aliases: PE_VBAC.A-O, W32/Bacalid, Worm.Win32.Detnat.e, TR/Crypt.NSAnti.Gen, Mal/Packer
Variants: W32/Bacalid-A, W32/Bacalid-B

Classification: Malware
Category: Computer Virus

Status: Active and Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 01 Sep 2006
Damage: Medium

Characteristics: W32.Bacalid is a polymorphic PE file infector. It downloads and executes malicious files from remote hosts, and it has rootkit capabilities that let it hide its own processes and the files it drops on the infected machine.

More details about W32.Bacalid

This polymorphic PE file infector is dropped as %Temp%\vCab.dll. On start-up it checks the system ANSI code page; if it is set to 936 (Simplified Chinese), the malware stops all malicious activity. Otherwise it injects vCab.dll into other processes, including explorer.exe. It then creates an event object named WINXPGOD to ensure that only one instance runs on the system. W32.Bacalid also hides its files and tries to infect .exe and .dll files when they are opened or browsed through Windows Explorer, which can cause Windows Explorer to crash. Infected files have been observed to grow by 35 KB and are detected on the compromised system as W32.Bacalid!inf.

W32.Bacalid will likewise try to download and run other threats, such as TSPY_LINEAGE.ATH, TSPY_DELF.CIL and TROJ_AGENT.DWY, from one or more of these websites: [http://]www.clubzio.com/File/Gam[REMOVED], [http://]www.gallup.co.kr/news/Gam[REMOVED], [http://][REMOVED], [http://]www.darcania.com/down/Gam[REMOVED], [http://]www.shuaiad.com/down/6[REMOVED] and [http://]www.shuaiad.com/down/5[REMOVED]. Consequently, the malicious operations of the newly downloaded malware are also carried out on the infected system. W32.Bacalid has also been reported to try to download and run a copy of its own code from the websites [http://]www.shuaidd.com/script/src/ad0[REMOVED], [http://]www.jackeryy.com/script/adco[REMOVED] and [http://]www.fkall.com.
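The download hosts listed above are the indicators a network defender can act on, since the file paths were truncated on this page. The following is an added example, not part of the original entry: a small Python scanner that reads proxy access-log lines, extracts the requested host, and reports clients that contacted any of the hosts named in this write-up. The log format (timestamp, client IP, status, method, URL) and the log lines themselves are constructed for the example; the host list is taken from the page and should be treated as 2006-era indicators, so a hit (particularly on a host such as www.gallup.co.kr that also serves legitimate content) is a lead to investigate rather than a verdict.

```python
"""Flag proxy-log requests to the download hosts named in the W32.Bacalid write-up."""
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Hosts from the write-up. Paths were truncated with [REMOVED] on the page,
# so matching is done on the host only.
BACALID_HOSTS = {
    "www.clubzio.com",
    "www.gallup.co.kr",
    "www.darcania.com",
    "www.shuaiad.com",
    "www.shuaidd.com",
    "www.jackeryy.com",
    "www.fkall.com",
}

# Constructed sample log (Squid-like layout: epoch time, client IP, result, method, URL).
# None of these lines comes from a real capture.
SAMPLE_LOG = """\
1157100001.123 10.0.0.12 TCP_MISS/200 GET http://www.example.com/index.html
1157100002.456 10.0.0.12 TCP_MISS/200 GET http://www.shuaiad.com/down/6/file.exe
1157100003.789 10.0.0.33 TCP_MISS/404 GET http://www.clubzio.com/File/Gam/x.exe
1157100004.012 10.0.0.45 TCP_MISS/200 GET http://intranet.local/report.pdf
1157100005.345 10.0.0.12 TCP_MISS/200 GET http://www.shuaidd.com/script/src/ad0/a.dat
"""


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def find_bacalid_downloads(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose requested host is a known Bacalid source."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line; skip rather than guess
        timestamp, client, _result, _method, url = fields[:5]
        host = host_of(url)
        if host in BACALID_HOSTS:
            hits.append({"time": timestamp, "client": client, "host": host, "url": url})
    return hits


def affected_clients(hits: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Group hits by client IP; a client touching several listed hosts is a stronger signal."""
    by_client: Dict[str, Set[str]] = {}
    for hit in hits:
        by_client.setdefault(hit["client"], set()).add(hit["host"])
    return by_client


if __name__ == "__main__":
    found = find_bacalid_downloads(SAMPLE_LOG)
    for client, hosts in sorted(affected_clients(found).items()):
        print(f"{client}: {len(hosts)} listed host(s) contacted -> {', '.join(sorted(hosts))}")
```

Run against a real export, feed the file contents to `find_bacalid_downloads` and triage the clients it returns; a host such as www.gallup.co.kr may also appear in benign traffic, so check the path (the page shows a `/news/Gam` prefix) and the downloaded file type before escalating.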