Win32/Bakaver [Threat Name]

Detection created: 2003-10-30
Short description

Win32/Bakaver is a polymorphic file infector.

Executable file infection

The virus searches local drives for files with the following file extensions:

  • .exe

It avoids those with any of the following strings in their names:

  • 0
  • 2
  • 4
  • 9
  • AVP
  • SCAN
  • FINDVI
  • F-

Several other criteria are applied when choosing a file to infect.


Executables are infected by appending the code of the virus to the last section.


The virus patches every call to the ExitProcess function (kernel32.dll) in the host executable so that the call is redirected to the virus code.


As a result, the malicious code runs each time the host invokes ExitProcess (kernel32.dll).

Other information

The virus creates the following files:

  • %windir%\baka.wav (7045 B)

The following Registry entry is set:

  • [HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\.Default\AppGPFault\.Current]
    • "(Default)" = "%windir%\baka.wav"

The virus attempts to delete the following files:

  • ANTI-VIR.DAT
  • CHKLIST.MS
  • AVP.CRC
  • IVB.NTZ
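
The file and Registry entry listed above can be checked on a host with a read-only script such as the following. This is an added example, not part of the original description; the function name Test-BakaverArtifacts and the result property names are hypothetical.

```powershell
# Added example: read-only check for the two artifacts named in this description.
# Function and property names are illustrative, not vendor tooling.
function Test-BakaverArtifacts {
    $wavPath = Join-Path $env:windir 'baka.wav'
    $regKey  = 'Registry::HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\.Default\AppGPFault\.Current'

    $result = [ordered]@{
        WavPresent       = $false
        WavSizeMatches   = $false   # the description lists 7045 B
        SoundValue       = $null    # raw "(Default)" value of the AppGPFault key
        SoundPointsToWav = $false
    }

    # Dropped file: %windir%\baka.wav
    if (Test-Path -LiteralPath $wavPath -PathType Leaf) {
        $result.WavPresent     = $true
        $result.WavSizeMatches = ((Get-Item -LiteralPath $wavPath -Force).Length -eq 7045)
    }

    # Registry entry: the "(Default)" value of the AppGPFault sound event
    if (Test-Path -LiteralPath $regKey) {
        $key = Get-Item -LiteralPath $regKey
        # GetValue('') reads "(Default)"; keep %windir% unexpanded for reporting
        $raw = $key.GetValue('', $null, 'DoNotExpandEnvironmentNames')
        if ($raw) {
            $result.SoundValue = $raw
            # Compare after expansion so both "%windir%\baka.wav" and a full path match
            $expanded = [Environment]::ExpandEnvironmentVariables($raw)
            $result.SoundPointsToWav = ($expanded -ieq $wavPath)
        }
    }

    [pscustomobject]$result
}

$r = Test-BakaverArtifacts
$r | Format-List
if ($r.WavPresent -or $r.SoundPointsToWav) {
    Write-Warning 'Artifacts matching the Win32/Bakaver description were found; scan .exe files on local drives.'
}
```

A match on the file name alone is weak evidence; the size and the Registry value together are more specific, and infected .exe files still have to be identified by an anti-malware scan.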
