Win32/Bamital [Threat Name]

Win32/Bamital.AM [Threat Variant Name]

Category trojan
Size 37888 B
Detection created Mar 28, 2010
Detection database version 4980
Aliases Trojan-Dropper.Win32.Drooptroop.aay (Kaspersky)
  BackDoor-DKI.gen.bz (McAfee)
  Trojan.MulDrop1.11252 (Dr.Web)
Short description

Win32/Bamital.AM is a trojan that redirects the results of online search engines to web sites that contain adware. It uses techniques common to rootkits.

Installation

When executed, the trojan creates the following files:

  • %appdata%\Windows Server\etcsdb.dll (3072 B)
  • %templates%\memory.tmp (37888 B)

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
    • "AppSecDll" = "%appdata%\Windows Server\etcsdb.dll"

In this way the trojan ensures that the following library is injected into all running processes:

  • %appdata%\Windows Server\etcsdb.dll
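
As an added example (not part of the ESET entry), the following Python audits AppCertDlls values of the kind described above and flags any DLL registered from a user-writable or non-system location, so it generalises beyond this sample's etcsdb.dll; the function names, the sample environment and the benign second entry are constructed for illustration.

```python
import re

# Locations that the logged-on user can write to; a DLL registered for
# injection into every process from one of these is suspicious on its own.
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "%userprofile%", "%templates%")


def expand_env(path, env):
    """Expand %VAR% tokens case-insensitively from the supplied mapping."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def audit_appcertdlls(values, env):
    """Return [(value_name, raw_path, reason)] for suspicious AppCertDlls entries.

    values: {value_name: dll_path} as read from
            HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls
    env:    environment variables (lower-case names) used to expand the paths.
    """
    system_root = env.get("systemroot", r"C:\Windows").lower()
    findings = []
    for name, raw in values.items():
        expanded = expand_env(raw, env).lower()
        reason = None
        for var in USER_WRITABLE:
            root = env.get(var.strip("%"), "").lower()
            if root and expanded.startswith(root):
                reason = f"DLL path is under user-writable {var}"
                break
        if reason is None and not expanded.startswith(system_root):
            reason = "DLL path is outside %SystemRoot%"
        if reason is not None:
            findings.append((name, raw, reason))
    return findings


# Constructed sample: the value Bamital.AM sets, plus a hypothetical benign entry.
SAMPLE_ENV = {
    "systemroot": r"C:\Windows",
    "appdata": r"C:\Users\alice\AppData\Roaming",
}
SAMPLE_VALUES = {
    "AppSecDll": r"%appdata%\Windows Server\etcsdb.dll",
    "ExampleDll": r"%SystemRoot%\System32\example.dll",
}

if __name__ == "__main__":
    for name, path, reason in audit_appcertdlls(SAMPLE_VALUES, SAMPLE_ENV):
        print(f"{name}: {path} -> {reason}")
```

On a live host, feed `audit_appcertdlls` the values read from the key and the real environment; an empty result is the expected state, since the key is normally empty.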

The following Registry entry is deleted:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    • "DisableSR" = %value%

Other information

The trojan can redirect the results of online search engines to web sites that contain adware.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of URLs. The HTTP protocol is used.

The trojan hooks the following Windows APIs:

  • recv (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • send (ws2_32.dll)
  • closesocket (ws2_32.dll)
  • NtClose (ntdll.dll)
  • WaitForSingleObject (kernel32.dll)
  • CreateProcessInternalW (kernel32.dll)

The trojan may create the following files:

  • config.data
  • worker.info
  • temp.ini
  • thread.xml
  • user32.dll
  • conf.dat
  • work.dat
  • twin.dat
  • uses32.dat
  • flags.ini

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\hxyzetcsdb]
    • "hxyzetcsdb" = %hex_value%
    • "Run" = "%variable1%"
    • "ID" = "%variable2%"
    • "TimeGetWork" = "%variable3%"

A string with variable content is used in place of %variable1-3%.
