W32.Bacros


Aliases: W32/Bacros
Variants: Win32.Bacros.a, Bacros.A, TROJ_BACROS.A, W32/Bacros.A

Classification: Malware
Category: Trojan Horse

Status: Active and Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 14 Oct 2004
Damage: High

Characteristics: W32.Bacros is a Trojan that reportedly drops the W97M.Bacros macro virus onto a target machine. It stays dormant on the compromised machine and delivers its most destructive payload on 25 December.

More details about W32.Bacros

The Trojan W32.Bacros initially reaches a system when an infected file on a host machine is executed. Upon successful execution, the Trojan creates the files msdosdrv.exe, mssys.exe and sys.exe (with the hidden attribute set) in the root of the C:\ Windows drive as copies of itself. The Trojan then displays a message in Notepad that lists the name of the virus several times. Next, W32.Bacros tries to locate a CD burner on the machine. If a CD burner is present, the Trojan alters the burner's settings so that an autorun file and a copy of the Trojan's code are written to every CD burned with it. It can also infect any floppy disk inserted into the infected machine.

Other analyses also show that the Trojan tries to drop and open the file Wordinfo.doc in the profile folder of the PC's current user. This file is the W97M.Bacros macro virus. W32.Bacros also adds some keys to the registry; these keys are used to check the system date. The Trojan then overwrites every .GIF file on the machine with a small image reading "Kuole Jehova" (Finnish), "Kill Jehova" in English. The overwritten files are reportedly unrecoverable. The Trojan stays dormant on the machine until 6 December (Finland's Independence Day), when it changes the desktop background to show a small Finnish flag image. W32.Bacros then delivers its worst payload on 25 December: it overwrites all files on all of the system's drives.
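The host-side indicators in the two paragraphs above (the three dropper copies in the drive root with the hidden attribute, the Wordinfo.doc carrier in the user profile, and the mass overwrite of .GIF files with one image) can be checked with a short inventory scanner. The following is an added example written for this page, not code from the original entry or from any vendor's tooling. The file names and locations come from the description; the sample inventory, the profile path `C:\Documents and Settings\alice`, the file contents being hashed, and the cluster threshold of three identical GIFs are constructed assumptions.

```python
"""Host indicator check for the W32.Bacros write-up above.

Added example, not part of the original entry. Dropper names, the drive-root
location and the GIF mass-overwrite behaviour come from the description; the
inventory in sample_inventory() and the profile path are constructed.
"""
import hashlib
import ntpath
import os
import stat
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List

# Copies the Trojan drops into the root of the Windows drive (hidden attribute set)
DROPPER_NAMES = {"msdosdrv.exe", "mssys.exe", "sys.exe"}
# The W97M.Bacros carrier dropped into the current user's profile folder
MACRO_DROPPER_NAME = "wordinfo.doc"
# Overwriting "every .GIF" with one image leaves many byte-identical GIFs;
# a digest shared by this many GIFs or more is flagged (constructed threshold)
GIF_CLUSTER_MIN = 3


@dataclass(frozen=True)
class FileRecord:
    path: str     # Windows-style path
    hidden: bool  # FILE_ATTRIBUTE_HIDDEN set
    sha256: str   # hex digest of the file content


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def record_from_disk(path: str) -> FileRecord:
    """Build a FileRecord for a real file (the hidden attribute exists only on Windows)."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return FileRecord(path, hidden, h.hexdigest())


def scan_records(records: Iterable[FileRecord], drive_root: str, profile_dir: str) -> List[Finding]:
    """Match a file inventory against the indicators from the write-up."""
    findings: List[Finding] = []
    gif_groups = defaultdict(list)
    root = ntpath.normcase(drive_root)
    profile = ntpath.normcase(profile_dir)
    for rec in records:
        directory, name = ntpath.split(rec.path)
        directory, name = ntpath.normcase(directory), name.lower()
        if name in DROPPER_NAMES and directory == root:
            attr = "hidden attribute set" if rec.hidden else "hidden attribute NOT set"
            findings.append(Finding(rec.path, f"Bacros dropper name in drive root ({attr})"))
        elif name == MACRO_DROPPER_NAME and directory == profile:
            findings.append(Finding(rec.path, "possible W97M.Bacros carrier in user profile"))
        elif name.endswith(".gif"):
            gif_groups[rec.sha256].append(rec.path)
    # A cluster of byte-identical GIFs across unrelated folders is the footprint
    # of the overwrite, independent of the image's actual bytes.
    for digest, paths in gif_groups.items():
        if len(paths) >= GIF_CLUSTER_MIN:
            for p in paths:
                findings.append(Finding(p, f"GIF byte-identical to {len(paths) - 1} other GIFs (sha256 {digest[:12]}...)"))
    return findings


def scan_disk(roots: Iterable[str], drive_root: str, profile_dir: str) -> List[Finding]:
    """Walk real directories, build records and scan them (unreadable files are skipped)."""
    recs: List[FileRecord] = []
    for top in roots:
        for dirpath, _dirs, names in os.walk(top):
            for n in names:
                try:
                    recs.append(record_from_disk(os.path.join(dirpath, n)))
                except OSError:
                    continue
    return scan_records(recs, drive_root, profile_dir)


def sample_inventory() -> List[FileRecord]:
    """Constructed inventory of an infected host plus a few benign files."""
    def digest(b: bytes) -> str:
        return hashlib.sha256(b).hexdigest()
    trojan = digest(b"<constructed trojan body>")
    overwrite_gif = digest(b"GIF89a<constructed replacement image>")
    return [
        FileRecord("C:\\msdosdrv.exe", True, trojan),
        FileRecord("C:\\mssys.exe", True, trojan),
        FileRecord("C:\\sys.exe", True, trojan),
        FileRecord("C:\\Windows\\notepad.exe", False, digest(b"benign")),
        FileRecord("C:\\Documents and Settings\\alice\\Wordinfo.doc", False, digest(b"doc")),
        FileRecord("C:\\Photos\\cat.gif", False, overwrite_gif),
        FileRecord("C:\\Photos\\dog.gif", False, overwrite_gif),
        FileRecord("C:\\Windows\\Web\\logo.gif", False, overwrite_gif),
        FileRecord("C:\\Photos\\untouched.gif", False, digest(b"GIF89a<original image>")),
    ]


if __name__ == "__main__":
    for f in scan_records(sample_inventory(), "C:\\", "C:\\Documents and Settings\\alice"):
        print(f"{f.path}: {f.reason}")
```

The dropper and carrier checks are plain name-and-location matches, so a benign file with the same name elsewhere on the drive is not flagged; the GIF check does not depend on knowing the replacement image's bytes, because the description only says that every .GIF is replaced with the same small image, and that alone produces the identical-digest cluster the scanner looks for. On a live host, `scan_disk` builds the records from disk; the hidden-attribute field is only meaningful when run on Windows.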