June 3, 2016

In June, Doctor Web security researchers examined a new dangerous virus targeting Russian bank clients. The virus is designed to steal money from bank accounts and monitor user activity. It has borrowed a lot of features from its predecessors Zeus (Trojan.PWS.Panda) and Carberp. Yet, unlike them, it can be spread without any user intervention infecting executable files. Besides, curing of the infected computer is rather complicated and may take several hours.

Due to the ability to be spread without any user intervention and infect executable files, the malicious application, or Trojan.Bolik.1 as we named it, is categorized as a polymorphic file virus.

The most dangerous features of this banking Trojan are the abilities of self-spreading and program infecting. The function of self-spreading is activated by cybercriminals. Then Trojan.Bolik.1 checks open-for-write folders for the presence of executable files in the Windows system or on connected USB devices and then infects them. Trojan.Bolik.1 can compromise either 32-bit or 64-bit applications.

Dr.Web Anti-virus detects programs infected by this virus as Win32.Bolik.1. Every such program contains Trojan.Bolik.1 in encrypted form and other necessary information. If the user runs the infected program, the virus decrypts Trojan.Bolik.1 and launches it right in the computer’s memory without saving it to the disk. At that, the virus has a special embedded mechanism that immediately changes its code and structure responsible for the decryption procedure, which helps the virus remain unnoticed as long as possible. Moreover, Win32.Bolik.1 tries to hinder the operation of anti-virus programs that can execute malicious applications in a special emulator by implementing specific techniques that consist of different loops and repeating instructions.

As Carberp’s successor, Trojan.Bolik.1 has borrowed the presence of a virtual file system that is stored in a special file, which the Trojan saves to one of system directories or to the user folder. This file system allows the malware to covertly store information necessary for its operation on the infected machine. From Zeus, Trojan.Bolik.1 inherited a mechanism of web injections, which cybercriminals use to steal logins and passwords to access online banking applications or to steal other private information. Trojan.Bolik.1 is mainly intended to attack bank clients of Russia. This fact is proved by certain lines in the configuration file received from the C&C server.

The main purpose of Trojan.Bolik.1 is to steal confidential information. The Trojan can execute this function by several means. For example, it controls data transmitted by Microsoft Internet Explorer, Chrome, Opera, and Mozilla Firefox to steal information entered into input forms. Besides, the malware program can take screenshots and perform the keylogger functions. Trojan.Bolik.1 is also able to create its own proxy server and web server for file sharing with virus makers. The Trojan can find necessary files by a mask specified in a command. Like other today’s banking Trojans, it can also establish so called reverse connections in order to provide communication between attackers and the infected computer that is located in the firewall-protected network or that does not have an external IP address, i.e. it operates in the NAT (Network Address Translation) network. All sent and received information is encrypted with a complicated algorithm and is then compressed.

Functions and architecture of Trojan.Bolik.1 are very sophisticated, which makes it really dangerous for Windows users. Dr.Web Anti-virus detects and removes all its components; yet, the curing procedure can take much time because the structure of Trojan.Bolik.1 has its own peculiar features. Therefore, we advise our users to be patient while Dr.Web is scanning your computer.

More about this Trojan