Virus: Downloader-BAI.dam
Administrator
Risk Assessment - Home Users: Low - Corporate Users: Low
Date Discovered: 1/26/2007
Date Added: 1/26/2007
Origin: N/A
Length: Varies
Type: Trojan
SubType: Downloader
DAT Required: 4950

Virus Characteristics

Files detected as this trojan are corrupt versions of the Downloader-BAI!M711 trojan. Corruptions usually occur in one of two ways, or a combination of both.

The most common is when the file is truncated. This truncation could be due to the file being downloaded or transferred through a network connection which abruptly terminated, resulting in the latter portions of the file being chopped off.

Another corruption that McAfee Avert Labs has witnessed is where the "MZ" header (required for valid DOS/Win32 executable image files) of the file has been changed to "MY". We believe this is intended by authors of malware related to Downloader-BAI to avoid detection by Anti-Virus scanning engines, which tend to parse Win32 PE image files as per the specification. Such malware only requires modification to this byte to make it fully functional, at which point On-Access, or real-time, scanners will detect the malicious code.

Indications of Infection

Files being detected as this trojan.

Method of Infection

Please refer to descriptions of the Downloader-BAI!M711 trojan.

Removal Instructions

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations
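A triage check for the two corruptions described in the post above (a truncated file, and an "MZ" header changed to "MY"), added here as an example; it is not part of the original post or of McAfee's write-up. The function names, the finding labels and the minimal sample image built inline are constructed for illustration, and the sample is not a loadable executable.

```python
import struct

PE_SIG = b"PE\0\0"

def inspect(data: bytes) -> list:
    """Return findings for a candidate PE image; an empty list means none."""
    if len(data) < 0x40:                      # shorter than a DOS header
        return ["too-short"]
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        return ["no-pe-signature"]
    findings = []
    # A valid PE signature behind a non-"MZ" magic is the altered-header case.
    if data[:2] != b"MZ":
        findings.append("altered-dos-magic")
    coff = e_lfanew + 4
    if len(data) < coff + 20:                 # COFF header cut off
        return findings + ["truncated"]
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size              # start of the section table
    if len(data) < table + 40 * n_sections:   # section table cut off
        return findings + ["truncated"]
    end = 0
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20.
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    if end > len(data):                       # headers promise more than is on disk
        findings.append("truncated")
    return findings

def build_sample() -> bytes:
    """Constructed minimal image: DOS header, PE signature, COFF header, one section."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # 1 section, no optional header
    sect = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + PE_SIG + coff + sect
    return headers.ljust(0x200, b"\0") + bytes(0x200)            # raw data at 0x200..0x400

if __name__ == "__main__":
    good = build_sample()
    for name, blob in [("intact", good), ("MY header", b"MY" + good[2:]),
                       ("cut short", good[:0x300])]:
        print(name, inspect(blob))
```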