Security News - The Latest Computer Security News
Virus : Downloader-BAC
Administrator
Posts: 18,715
Join Date: Jan 2006
Rep Power: 10
Risk Assessment
Home Users: N/A
Corporate Users: N/A
Date Discovered: 12/26/2006
Date Added: 12/26/2006
Origin: N/A
Length: 10,000 bytes (may vary)
Type: Trojan
SubType: Downloader
DAT Required: 4927

Virus Characteristics
Downloader-BAC installs as a Browser Helper Object (BHO) in Internet Explorer. After installation it will silently download and execute files the next time Internet Explorer is launched.

As it is trivial for the malware author to modify the Downloader to refer to a different website or web address, McAfee writes detection routines for Downloaders which, as a general rule, do not include these strings in the detection routines. This allows McAfee to write more generic detections for these threats and to proactively protect customers against future minor variants. Therefore it is not possible to guarantee which website and/or port is being communicated with. Also, as the website being communicated with is normally controlled by the malware author, any files being downloaded can be remotely modified and the behaviour of these new binaries altered - possibly with every user infection.

Indications of Infection
Downloader-BAC creates the following registry elements:

Many Downloaders install other malware including viruses as well as other Trojans. Additionally, many of them are used to remotely install Adware packages onto the affected host machine for the purposes of gaining referral revenue from the Adware software vendor. Please note: if Adware is installed via a Downloader it may install it "cleanly", with the relevant uninstaller included for the user to terminate this Adware, although frequently this is not the case.

Method of Infection
Downloader-BAC is a Browser Helper Object (BHO), and so exists as a DLL file. It must be registered on the host system in order to function. This will likely be accomplished by a dropper/installer or other piece of malware (as manual registration of the DLL is cumbersome and unlikely to be done accidentally).

Removal Instructions
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations
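The write-up states that the BHO exists as a DLL and must be registered on the host before Internet Explorer will load it, which makes the registry the natural place for a defender to look. The PowerShell script below is an added example, not part of the McAfee write-up or of this post: it enumerates the CLSIDs registered under the standard Browser Helper Objects keys (including the WOW6432Node view on 64-bit Windows), resolves each CLSID to the DLL named by its InprocServer32 value, and reports whether that file exists and whether it carries a valid Authenticode signature. The key paths are the standard Windows BHO/COM registration locations; the specific registry elements that Downloader-BAC creates are not reproduced on this page and are not assumed here.

```powershell
# Added example (not from the McAfee write-up): triage the Browser Helper Objects
# registered for Internet Explorer on the local machine.
# Standard BHO registration keys (64-bit hosts also keep a 32-bit view under WOW6432Node).
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Standard COM class roots where a CLSID's InprocServer32 (the DLL path) is recorded.
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Get-RegisteredBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid  = $sub.PSChildName
            $server = $null
            # Resolve the CLSID to the DLL that implements it.
            foreach ($root in $clsidRoots) {
                $p = Join-Path -Path $root -ChildPath "$clsid\InprocServer32"
                if (Test-Path -Path $p) {
                    $server = (Get-ItemProperty -Path $p).'(default)'
                    break
                }
            }
            $dll    = if ($server) { [Environment]::ExpandEnvironmentVariables($server) } else { $null }
            $exists = if ($dll) { Test-Path -Path $dll } else { $false }
            # Signature status is a triage hint: an unsigned DLL in a user-writable
            # location registered as a BHO deserves a closer look.
            $signed = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
            [PSCustomObject]@{
                SourceKey = $key
                CLSID     = $clsid
                DllPath   = $dll
                Exists    = $exists
                Signature = $signed
            }
        }
    }
}

# Print the inventory; pipe to Export-Csv to keep a baseline for later comparison.
Get-RegisteredBho | Format-Table -AutoSize
```

A CLSID listed under the BHO key whose DLL no longer exists, or whose DLL is unsigned and lives outside Program Files or System32, is the pattern worth investigating; saving the output on a known-clean machine and diffing it after a suspected infection is a simple way to spot a newly registered object.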