Downloader-BAL

This page shows details and results of our analysis of the malware Downloader-BAL

Overview

It is a trojan downloader designed to pull files from a remote web site and execute them on the user's system.


Minimum DAT

4957 (2007-02-06)

Updated DAT

6167 (2010-11-14)

Minimum Engine

5.1.00

File Length

N/A

Description Added

2007-02-06

Description Modified

2007-03-30

Malware Proliferation

Characteristics

File:    Install.exe
Hash:   3096f0431a64d5192ec632ecb8bbe109

Upon execution, the trojan connects to the domains listed below to download executable files.

  • [removed].8wei.net
  • [removed]vip.net
  • [removed]me.cn

Install.exe copies itself to the %WINDOWS% directory and sets the Userinit value under the Winlogon registry key as shown below. Winlogon runs every comma-separated entry of this value at each logon, which gives the trojan persistence; on a clean system the data reads C:\WINDOWS\system32\userinit.exe, (note the trailing comma).

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit"
            data: c:\WINDOWS\Install.exe

The following files may be created on the user's system.

  • %WINDOWS%\system32\lsanp.dll
  • %WINDOWS%\system32\drivers\i82440bx.sys
  • %Program Files%\Common Files\2.dll

The files above are detected as Adware-Ncast, BackDoor-CKB and Adware-Boran respectively.

Symptoms

Presence of the files and the Userinit registry data listed above indicates infection.
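A triage check built from the indicators listed on this page, added here as an example; it is not part of AVERT's description. It assumes the stock Windows XP-era Userinit default C:\WINDOWS\system32\userinit.exe, (trailing comma included), maps the page's %WINDOWS% and %Program Files% placeholders to the SystemRoot and ProgramFiles environment variables, and treats the published MD5 as identifying this exact sample only. The registry read is Windows-only; the parsing and matching logic runs anywhere.

```python
"""Triage check for the Downloader-BAL indicators listed above.

Added example, not part of the original AVERT description. It assumes the
indicators exactly as published on this page (the Userinit data, the three
dropped file paths and the Install.exe MD5) and the stock Windows XP-era
Userinit default "C:\\WINDOWS\\system32\\userinit.exe,". The placeholder
names %WINDOWS% and %Program Files% are the page's notation, not real
environment variables, so they are mapped to SystemRoot and ProgramFiles.
Only read_userinit() at the bottom is Windows-specific.
"""
import hashlib
import os
import sys

# Indicators copied from the Characteristics section.
INSTALL_EXE_MD5 = "3096f0431a64d5192ec632ecb8bbe109"
USERINIT_IOC = r"c:\WINDOWS\Install.exe"
DROPPED_FILES = [
    r"%WINDOWS%\system32\lsanp.dll",             # detected as Adware-Ncast
    r"%WINDOWS%\system32\drivers\i82440bx.sys",  # detected as BackDoor-CKB
    r"%Program Files%\Common Files\2.dll",       # detected as Adware-Boran
]
PLACEHOLDERS = {"%WINDOWS%": "SystemRoot", "%Program Files%": "ProgramFiles"}

# Winlogon launches every comma-separated entry of this value at each logon,
# which is why appending a path here gives a downloader persistence.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"  # assumed clean default


def userinit_entries(value):
    """Split Userinit REG_SZ data into its commands, dropping the empty
    entry left by the trailing comma of the default value."""
    return [e.strip() for e in value.split(",") if e.strip()]


def suspicious_userinit_entries(value, expected=DEFAULT_USERINIT):
    """Return every Userinit entry that is not the expected system userinit.exe.

    Full paths are compared case-insensitively (REG_SZ and NTFS are), so a
    relocated copy named "userinit.exe" is flagged as well as an appended one.
    """
    allowed = {e.lower() for e in userinit_entries(expected)}
    return [e for e in userinit_entries(value) if e.lower() not in allowed]


def matches_page_ioc(value):
    """True when the exact Userinit data from this description is present."""
    return USERINIT_IOC.lower() in (e.lower() for e in userinit_entries(value))


def expand_page_path(path, env):
    """Resolve the page's %WINDOWS% / %Program Files% notation using env."""
    for token, var in PLACEHOLDERS.items():
        if path.lower().startswith(token.lower()):
            return env[var] + path[len(token):]
    return path


def md5_of_file(path, chunk=1 << 16):
    """Hex MD5 of a file, streamed so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(userinit_value, env, exists=os.path.exists):
    """Combine the page's indicators into one report.

    `exists` is injectable so the logic can be exercised without touching disk.
    """
    install_exe = expand_page_path(r"%WINDOWS%\Install.exe", env)
    return {
        "userinit_extra": suspicious_userinit_entries(userinit_value),
        "userinit_ioc": matches_page_ioc(userinit_value),
        "dropped_present": [p for p in DROPPED_FILES
                            if exists(expand_page_path(p, env))],
        "install_exe_present": exists(install_exe),
    }


def read_userinit():
    """Read the live Userinit value from HKLM; Windows only (uses winreg)."""
    import winreg  # stdlib on Windows, absent elsewhere
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _type = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run on the Windows host under investigation")
    report = triage(read_userinit(), os.environ)
    for name, finding in report.items():
        print(f"{name}: {finding}")
    # The MD5 identifies this exact sample only; a repacked copy will not match.
    if report["install_exe_present"]:
        path = expand_page_path(r"%WINDOWS%\Install.exe", os.environ)
        print("Install.exe MD5 matches page sample:",
              md5_of_file(path) == INSTALL_EXE_MD5)
```

Check the Userinit value first: any entry other than the system userinit.exe is worth investigating even if it is not the exact path published here, whereas the hash match only tells you that this particular sample is present.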

Method of Infection

N/A. Downloaders are not viruses and as such contain no method to replicate. However, they may themselves be downloaded by other viruses and/or Trojans and installed on the user's system.

Removal

A combination of the latest DATs and Engine will detect and remove this threat. AVERT recommends that users do not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

 

Variants