Library
My library

+ Add to library

Profile

Trojan.Bolik.1

Added to the Dr.Web virus database: 2016-05-19

Virus description added:

SHA1:

crypt21226cb1361f46d6262cddb756b24b47d86dfb96
botf11da165d898f35809c69fba00d21b1d1c916f00
mimikaz3ce415ce0efe8436750a328d8fc698d6a9ead08c
JUPITER.32b36abe9a5336ac9baa468e3bae30950ceec5eb05
JUPITER.64695f9f570ca56e3211bf37527ab9f34b2bd3c388

A multicomponent polymorphic file virus that can infect file objects on 32-bit and 64-bit versions of Microsoft Windows. It is designed to perform web injections, intercept traffic, take screenshots, to execute keylogging functions, and to steal login credentials for online banking applications. It can also establish reverse RDP connections (back connect) and launch a local SOCKS5 proxy server and HTTP server in order to perform CMD commands. The virus is known to inherit several characteristic features from Trojan.Carberp and Trojan.PWS.Panda (Zeus).

As Carberp’s successor, Trojan.Bolik.1 has borrowed the presence of a virtual file system, which the Trojan saves to one of system directories or to the user folder. Like Zeus, the Trojan has the JUPITER web injection mechanism; yet, it was considerably modified. In particular, Trojan.Bolik.1 uses JSON for data sharing and numeric codes are replaced with line parameters in the configuration block.

Trojan.Bolik.1 intercepts traffic in such browsers as Microsoft Internet Explorer, Chrome, Opera, and Mozilla Firefox by intercepting function calls. The Trojan steals private information by using the analog of mimikatz designed to steal passwords in the Windows open sessions. The malware program also uses the monguse library to create an HTTP server.

The Trojan communicates with the C&C server over HTTP protocol by sending POST requests encrypted with AES CBC 128. An encryption key is generated using the curve25519 elliptic curve. Integrity check is performed by means of hmac-sha1 and sha1. All transmitted information is encrypted with a special algorithm and is then compressed using the zlib library.

Judging from the corresponding lines in the configuration file received from the server, only Russian bank clients suffer from web injections performed by the Trojan:

}, {
            "Mask" : "*Бухгалтерия*",
            "Count" : 1
        }, {
            "Mask" : "*iBank2*",
            "Count" : 1
        }, {
            "Mask" : "*ts.letok2.ru*",
            "Count" : 1
        }, {
            "Mask" : "*Кассир*",
            "Count" : 1
        }, {
            "Mask" : "*KASSA*",
            "Count" : 1
        }, {
            "Mask" : "*Internet-Банкинг*",
            "Count" : 1
        }, {
            "Mask" : "*Банкинг*",
            "Count" : 1
        }, {
            "Mask" : "*jp2launcher.exe*",
            "Count" : 1
        }
    ],

The Trojan also uses the following masks:

"Mask" : "*bitcoin*",
            "Count" : 1
        }, {
            "Mask" : "*BSS*",
            "Count" : 1
        }, {
            "Mask" : "*Банк*",
            "Count" : 1
        }, {
            "Mask" : "*ЗАО*",
            "Count" : 1
        }, {
            "Mask" : "*Клиент*",
            "Count" : 1
        }, {
            "Mask" : "*eToken*",
            "Count" : 1
        }, {
            "Mask" : "*Remote Desktop*",

The self-spreading ability of the Trojan is activated once the following command is received from the server:

{"WormConfig":{"USBEnabled":true,"NetworkEnabled":true}}

Then Trojan.Bolik.1 checks open-for-write folders for the presence of executable files in the Windows system or on connected USB devices and then infects them. Trojan.Bolik.1 can compromise either 32-bit or 64-bit applications. Dr.Web Anti-virus detects programs infected by this virus as Win32.Bolik.1.

The virus has an incorporated polymorphic decryptor that is inserted into the input point of the infected file. The decryptor decrypts data located in the resource section that also contains the Trojan itself in encrypted form. It calculates the key in several iterations and decrypts the shell code by this calculated key. Besides, Win32.Bolik.1 tries to hinder the operation of anti-virus programs that can execute malicious applications in a special emulator by implementing specific techniques that consist of different loops and repeating instructions.

News about the Trojan

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android