Trojan:Win32/Balisdat.gen!C

Encyclopedia entry
Updated: Nov 24, 2011  |  Published: Aug 23, 2011

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.115.766.0
Released: Oct 28, 2011
Detection initially created:
Definition: 1.111.490.0
Released: Aug 23, 2011

Summary

Trojan:Win32/Balisdat.gen!C is a trojan that acts as a malicious component for Win32/Banker and Win32/Bancos variants. It can download other files or delete security-related files found in the affected computer.

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    • BoxFile.bcc
    • DolbyAudio.exe
    • DolbyAudio3D.exe
    • DolbyAudioHD.exe
    • Kernel32bits.dll
    • bootstat.exe
    • csrss.exe

    In any of the following folders:
    • %Public%\Favorites\
    • %windir%\Media\
    • <system folder>
    • D:\WINDOWS\Media\
  • The presence of the following files:
    • C:\gb_cnetproc.exe
    • C:\gbnb_zxcv.exe
    • C:\gbnb_zzcb.exe
    • C:\gbtr_sentra.exe
    • C:\gbtr_siltry.exe
    • C:\gbty_salty.exe
    • C:\gbutr_sec.exe
    • C:\powerpointview.exe
    • C:\proctraw.exe
    • C:\ramynysys.exe
    • C:\rawfriksys.exe
    • C:\rengasys.exe
    • C:\sysnetview32.exe
    • C:\syssayoview32.exe
    • C:\win_bulkatro.exe
    • C:\win_gbterzcuzi.exe
    • C:\win_gtermu.exe
    • C:\win_nulqaxro.exe
    • C:\win_nyltibits.exe
    • C:\winsizenet32.exe
  • The presence of the following registry entries:

    In subkeys:
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Any of the following values:

    • Dolby® Audio Digital
    • GBNB_ZXCV
    • GBNB_ZZCB
    • GBTR_SENTRA
    • GBTR_SILTRY
    • GBTY_SALTY
    • GBUTR_SEC
    • GB_CNETPROC
    • PowerPointView
    • ProctRaw
    • RamynySyS
    • RawFrikSys
    • RengaSyS
    • SysNetView32
    • SysSayoView32
    • WIN_BULKATRO
    • WIN_GTERMU
    • WIN_NULQAXRO
    • WIN_NYLTIBITS
    • WinSizeNet32
    • Win_GbterZcuzi
    • bootstat

  • The display of the following error messages:

Technical Information (Analysis)

Trojan:Win32/Balisdat.gen!C is a trojan that acts as a malicious component for Win32/Banker and Win32/Bancos variants. It can download other files or delete security-related files found in the affected computer.

Installation

When executed, Trojan:Win32/Balisdat.gen!C may drop any of the following files:

  • BoxFile.bcc
  • DolbyAudio.exe
  • DolbyAudio3D.exe
  • DolbyAudioHD.exe
  • Kernel32bits.dll
  • bootstat.exe
  • csrss.exe

Note that a legitimate file also named "csrss.exe" exists by default in the Windows system folder.

These files may be dropped in any of the following folders:

  • %Public%\Favorites\
  • %windir%\Media\
  • D:\WINDOWS\Media\
  • <system folder>

except for "csrss.exe", which can only be dropped in %windir%\Media\ or D:\WINDOWS\Media\.

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the Windows system folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.

Other samples of this malware are dropped in the root folder with a random file name. In the wild, some of these observed file names have been the following:

  • C:\gb_cnetproc.exe
  • C:\gbnb_zxcv.exe
  • C:\gbnb_zzcb.exe
  • C:\gbtr_sentra.exe
  • C:\gbtr_siltry.exe
  • C:\gbty_salty.exe
  • C:\gbutr_sec.exe
  • C:\powerpointview.exe
  • C:\proctraw.exe
  • C:\ramynysys.exe
  • C:\rawfriksys.exe
  • C:\rengasys.exe
  • C:\sysnetview32.exe
  • C:\syssayoview32.exe
  • C:\win_bulkatro.exe
  • C:\win_gbterzcuzi.exe
  • C:\win_gtermu.exe
  • C:\win_nulqaxro.exe
  • C:\win_nyltibits.exe
  • C:\winsizenet32.exe

Some variants of Trojan:Win32/Balisdat.gen!C are also bundled within a self-extracting ZIP or RAR archive containing a PowerPoint Show (.pps) file with the name "vazb0620px.pps" or "PowerPointViewer.pps".

Trojan:Win32/Balisdat.gen!C variants may display any of the following message boxes upon execution:

They may then create the following registry entries so that the malware runs every time Windows starts:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
With data: "<malware path and file name>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
With data: "<malware path and file name>"

where <value> is any of the following:

  • Dolby® Audio Digital
  • GBNB_ZXCV
  • GBNB_ZZCB
  • GBTR_SENTRA
  • GBTR_SILTRY
  • GBTY_SALTY
  • GBUTR_SEC
  • GB_CNETPROC
  • PowerPointView
  • ProctRaw
  • RamynySyS
  • RawFrikSys
  • RengaSyS
  • SysNetView32
  • SysSayoView32
  • WIN_BULKATRO
  • WIN_GTERMU
  • WIN_NULQAXRO
  • WIN_NYLTIBITS
  • WinSizeNet32
  • Win_GbterZcuzi
  • bootstat

In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
Sets value: "BootExecute"
With data: "autocheck autochk *<malware file name>"

Payload

Deletes or moves security-related folders

Trojan:Win32/Balisdat.gen!C attempts to delete or move any of the following subfolders into a different location. As a result, security-related applications may stop working.

  • AntiVir PersonalEdition Classic\
  • AntiVir\
  • Arquivos comuns\Panda Security\
  • Arquivos comuns\Symantec Shared\
  • Avira\
  • COMODO\
  • ClamWin\
  • Grisoft\
  • Kaspersky Lab\
  • McAfee\
  • Microsoft Security Essentials\
  • Norton AntiVirus\
  • NortonInstaller\
  • Panda Security\
  • Panda Software\
  • Rising\
  • Scpad\

It searches for these subfolders in any of the following folders:

  • C:\Arquivos de Programas (x86)\
  • C:\Arquivos de programas\
  • C:\Program Files (x86)\
  • C:\Program Files\
  • D:\Arquivos de Programas (x86)\
  • D:\Arquivos de programas\
  • D:\Program Files (x86)\
  • D:\Program Files\

Disables Task Manager

Some variants of Trojan:Win32/Balisdat.gen!C may disable the Windows Task Manager by modifying the following registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "dword:00000001"

Modifies system security settings

Some variants of Trojan:Win32/Balisdat.gen!C disable the Least Privileged User Account (LUA) setting, also known as the "administrator in Admin Approval Mode" user type, by making the following registry modification:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "dword:00000000"

Lowers security settings

Trojan:Win32/Balisdat.gen!C may create and execute a .REG file named "RUaC.reg" containing the following:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000001
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000000
"EnableSecureUIAPaths"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"FilterAdministratorToken"=dword:00000000
"EnableUIADesktopToggle"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=dword:00000001
"CF_BITMAP"=dword:00000002
"CF_OEMTEXT"=dword:00000007
"CF_DIB"=dword:00000008
"CF_PALETTE"=dword:00000009
"CF_UNICODETEXT"=dword:0000000d
"CF_DIBV5"=dword:00000011

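The Task Manager and UAC policy changes described above leave a clear trace in a registry export. The following is an added example, not code from the encyclopedia entry: it parses .reg text in the format shown (a constructed sample, trimmed to the values that matter, is embedded inline) and reports every policy value that departs from a hardened baseline. The baseline itself (EnableLUA set to 1, DisableTaskMgr absent or 0) is an assumption about a healthy system, not something the entry states.

```python
import re

# Constructed sample: the RUaC.reg values that matter for this check, plus the
# DisableTaskMgr entry from the "Disables Task Manager" section above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"legalnoticecaption"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"""

# Registry paths are case-insensitive, so subkeys are compared lower-cased.
POLICY_SYSTEM = r"software\microsoft\windows\currentversion\policies\system"

# Assumed hardened baseline (not from the entry); an absent value is treated as its default.
EXPECTED = {
    ("HKEY_LOCAL_MACHINE", "EnableLUA"): 1,      # 0 turns UAC off entirely
    ("HKEY_CURRENT_USER", "DisableTaskMgr"): 0,  # 1 blocks Task Manager
}

_VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text):
    """Return {(hive, subkey.lower()): {name: value}}; dword values become ints."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, subkey = line[1:-1].partition("\\")
            current = keys.setdefault((hive, subkey.lower()), {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                name, dword, string = m.groups()
                current[name] = int(dword, 16) if dword is not None else string
    return keys


def find_weakened_settings(text):
    """Return (hive, value name, observed, expected) for each value off baseline."""
    keys = parse_reg(text)
    findings = []
    for (hive, name), expected in EXPECTED.items():
        observed = keys.get((hive, POLICY_SYSTEM), {}).get(name, expected)
        if observed != expected:
            findings.append((hive, name, observed, expected))
    return findings
```

Run `find_weakened_settings` over an export taken with `reg export` of the two Policies\System keys; an empty result means both settings match the baseline.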
Shuts down the computer automatically

Trojan:Win32/Balisdat.gen!C attempts to shut down the affected computer by executing the command "shutdown -r -f -t 00" (a forced restart with no delay).

Downloads arbitrary files

Trojan:Win32/Balisdat.gen!C may download other possibly malicious files from certain servers. In the wild, it has been known to connect to several servers whose names are partially redacted in this entry.

Additional information

Trojan:Win32/Balisdat.gen!C may create any of the following mutex names:

  • GBIEHLASMUMAITOCACHA2011
  • GBSTPROC2011
  • GBTPROMOC2011
  • GBTZEMONASLIES2011
  • GBULELASNURMONAS2011
  • GB_PROCESS_ZYX_2011
  • GB_PROCZE_GBAL_2011
  • GB_PROCZE_GHB_2011
  • SYSNET2011PRIV8
  • SYSSUN2011PROC
  • WINNOVA2010PRIV8
  • WINSEC2011PRIV8

Analysis by Ric Robielos

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.