PE_VBAC.A-O, W32/Bacalid, Worm.Win32.Detnat.e, TR/Crypt.NSAnti.Gen, Mal/Packer
Category: Computer Virus
Active and Spreading
Asia, North and South America, and some parts of Europe and Australia
01 Sep 2006
The W32.Bacalid malware is a polymorphic PE file infector virus. This virus downloads and executes remote files that are malicious. This malware has rootkit capabilities which allow it to hide its associated processes and files it has dropped to the infected machine.
W32.Bacalid Removal Tool
If you have Malware on your computer it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer virus removal tool to automatically clean W32.Bacalid from your computer.
More details about W32.Bacalid
This polymorphic PE file infector virus is dropped in the %Temp%\ vCab.dll folder. This virus will check the existing ANSI code-page and if it is in the Simplified Chinese 936 setting, the malware will stop all its malicious actions. If the ANSI code-page is not set to the said setting, it will inject the file vCab.dll into other processes which include the process explorer.exe. It will then create an event object titled WINXPGOD which makes certain that only one instance of it runs in the system. The W32.Bacalid virus can also hide its files and try to contaminate .exe and .dll files when opened or browsed thru Windows Explorer. This can cause Windows Explorer crashes. The sizes of the infected files have been known to increase by 35Kb. These infected files can be detected in the compromised system as W32.Bacalid!inf.
The W32.Bacalid virus will likewise try to download and run other security threats such as the TSPY_LINEAGE.ATH, TSPY_DELF.CIL and TROJ_AGENT.DWY from one or more of these websites: [http://]www.clubzio.com/File/Gam[REMOVED], [http://]www.gallup.co.kr/news/Gam[REMOVED], [http://]22.214.171.124/news/gam[REMOVED], [http://]www.darcania.com/down/Gam[REMOVED], [http://]www.shuaiad.com/down/6[REMOVED] and
[http://]www.shuaiad.com/down/5[REMOVED]. Consequently, the malicious operations of the newly downloaded malware will also be carried out in the infected system. The malware W32.Bacalid has also been reported to try to download and run a copy of its code from the websites [http://]www.shuaidd.com/script/src/ad0[REMOVED], [http://]www.jackeryy.com/script/adco[REMOVED] and [http://]www.fkall.com.