Win32/Bamital [Threat Name]

Win32/Bamital.B [Threat Variant Name]

Category trojan
Size 44544 B
Aliases Trojan-Dropper.Win32.Agent.bjwj (Kaspersky)
  Trojan:Win32/Bamital.A (Microsoft)
  Trojan.Horse (Symantec)
Short description

Win32/Bamital.B is a trojan that redirects the results of online search engines to web sites that contain adware. It uses techniques common to rootkits.

When executed, the trojan creates the following files:

  • %system%\wincert.dll (38912 B)
  • %system%\curslib.dll (32768 B)

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
    • "AppSecDll" = "%system%\wincert.dll"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
    • "FirstRun" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "LoadAppInit_DLLs" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "AppInit_DLLs" = "%system%\curslib.dll"

This way the trojan ensures that the library with the following name is injected into all running processes:

  • %system%\curslib.dll
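
As an added defender-side example (not part of the original description), the function below parses the text produced by `reg export` and flags the two DLL-injection persistence mechanisms listed above: any value under the AppCertDlls key, and AppInit_DLLs when LoadAppInit_DLLs is set to 1. The sample export is constructed, and its expanded paths assume that %system% resolves to C:\Windows\system32.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format written by `reg export` (decoded to str; real
# exports are UTF-16 with a BOM). It mirrors the entries in the description above
# and is NOT data captured from a real infection.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"="C:\\Windows\\system32\\wincert.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="C:\\Windows\\system32\\curslib.dll"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# Matches "Name"="string" and "Name"=dword:XXXXXXXX; other value types are ignored.
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

APPCERT_KEY = r"hkey_local_machine\system\currentcontrolset\control\session manager\appcertdlls"
WINDOWS_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax needed here. Key paths and value names are
    lowercased because the registry is case-insensitive."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1).lower()
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, dword, string = val.groups()
            # .reg escapes backslashes inside string values as "\\".
            keys[current][name.lower()] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return keys


def find_dll_injection_persistence(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (mechanism, value name, dll path) for every DLL that would be injected."""
    findings: List[Tuple[str, str, str]] = []
    for name, path in keys.get(APPCERT_KEY, {}).items():
        findings.append(("AppCertDlls", name, str(path)))
    win = keys.get(WINDOWS_KEY, {})
    if win.get("loadappinit_dlls") == 1 and win.get("appinit_dlls"):
        # AppInit_DLLs holds a space- or comma-separated list of DLL paths.
        for dll in re.split(r"[ ,]+", str(win["appinit_dlls"]).strip()):
            if dll:
                findings.append(("AppInit_DLLs", "appinit_dlls", dll))
    return findings


if __name__ == "__main__":
    for finding in find_dll_injection_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a clean system the AppCertDlls key is normally absent and AppInit_DLLs is empty, so any finding warrants a look at the named DLL.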

The following Registry entry is deleted:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    • "DisableSR" = %value%

Other information

The trojan can redirect the results of online search engines to web sites that contain adware.

The trojan acquires data and commands from a remote computer or the Internet. The trojan contains a list of (1) URLs. The HTTP protocol is used.

The trojan hooks the following Windows APIs:

  • recv (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • send (ws2_32.dll)
  • closesocket (ws2_32.dll)
  • WSAAsyncSelect (ws2_32.dll)
  • ZwCreateKey (ntdll.dll)
  • ZwOpenKey (ntdll.dll)
  • ZwQueryValueKey (ntdll.dll)
  • ZwDeleteValueKey (ntdll.dll)
  • ZwSetValueKey (ntdll.dll)
  • ZwDeleteKey (ntdll.dll)
  • ZwQueryDirectoryFile (ntdll.dll)

The trojan may create the following files:

  • %system%\
  • %system%\
  • %system%\thread.xml
  • %system%\uses32.dat
  • %system%\flags.ini
  • %windir%\wincert.dll
  • %windir%\curslib.dll
  • %templates%\info.tmp
  • %templates%\wincert.dll
  • %templates%\curslib.dll

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\UpdateGMT]
    • "RunTime" = "%variable1%"
    • "Run" = "%variable2%"
    • "TimeGetWork" = "%variable3%"

A string with variable content is used in place of %variable1-3%.