Win32/Bamital [Threat Name]

Win32/Bamital.X [Threat Variant Name]

Category: trojan
Size: 43520 B
Aliases:
  • Trojan-Dropper.Win32.Agent.bmki (Kaspersky)
  • TrojanDropper:Win32/Bamital.A (Microsoft)
  • Trojan.Siggen.49592 (Dr.Web)
Short description

Win32/Bamital.X is a trojan that redirects the results of online search engines to web sites that contain adware. It uses techniques typical of rootkits (system-wide DLL injection and API hooking).

Installation

When executed, the trojan copies itself into the following location:

  • %system%\info.tmp (43520 B)

The following files are dropped into the %system% folder:

  • mshlps.dll (3072 B)
  • kbdsock.dll (3072 B)

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "AppInit_DLLs" = "%system%\kbdsock.dll"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
    • "AppSecDll" = "%system%\mshlps.dll"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    • "LoadAppInit_DLLs" = 1

This way the trojan ensures that both libraries are loaded into practically every user-mode process: a DLL named in AppInit_DLLs is mapped into each process that loads user32.dll (on Windows Vista and later only while LoadAppInit_DLLs is 1, which is why the trojan sets that value), and a DLL named under AppCertDlls is mapped into each process that calls one of the CreateProcess functions. The injected libraries are:

  • %system%\kbdsock.dll
  • %system%\mshlps.dll

The following Registry entry is deleted:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    • "DisableSR" = %value%

Other information

The trojan can redirect the results of online search engines to web sites that contain adware.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of URLs. The HTTP protocol is used.

The trojan hooks the following Windows APIs inside the processes its libraries are loaded into. The hooks on the Winsock send and receive functions give it access to each process's network traffic, which is how HTTP responses such as search engine result pages can be altered before the browser displays them:

  • recv (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • send (ws2_32.dll)
  • closesocket (ws2_32.dll)
  • NtClose (ntdll.dll)
  • WaitForSingleObject (kernel32.dll)
  • CreateProcessInternalW (kernel32.dll)

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ME3DOSN00]
    • "N0G" = %hex_value1%
    • "Z4N0G" = %hex_value2%
    • "ME3DOSN00" = %hex_value3%
  • [HKEY_CURRENT_USER\Software\CNDPLZ4N0G]
    • "CNDPLZ4N0G" = %hex_value4%

A string with variable content is used instead of %hex_value1-4%.
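The persistence locations from the Installation section and the per-infection registry keys listed directly above can be checked together on a live host. The following PowerShell is an added example written for this page, not ESET's code or anything recovered from the sample. It assumes an elevated prompt on the host under inspection, treats only the file and key names quoted in this description as indicators, and checks both the native and Wow6432Node registry views plus System32 and SysWOW64, because a 32-bit dropper on 64-bit Windows writes the 32-bit copies.

```powershell
# Added example, not part of the ESET description: audit a live Windows host
# for the persistence mechanism and artefacts listed above. Run elevated.
# Only names quoted in the description are treated as indicators; every other
# entry found in the persistence keys is printed for manual review.

$sysDirs = @([Environment]::GetFolderPath('System'))        # %system%
$sysWow  = Join-Path $env:windir 'SysWOW64'                  # 32-bit copy on x64
if (Test-Path $sysWow) { $sysDirs += $sysWow }

# AppInit_DLLs is honoured per registry view; a 32-bit dropper on x64 lands in
# the Wow6432Node copy, so both views are inspected.
$winKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
) | Where-Object { Test-Path $_ }
$certKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
$dllNames = @('kbdsock.dll', 'mshlps.dll')                   # dropped libraries
$hits     = [System.Collections.Generic.List[string]]::new()

foreach ($k in $winKeys) {
    $p = Get-ItemProperty -Path $k
    # Every DLL named here is loaded into each process that loads user32.dll;
    # on Vista and later only while LoadAppInit_DLLs is 1.
    "{0}`n  AppInit_DLLs     = '{1}'`n  LoadAppInit_DLLs = {2}" -f $k, $p.AppInit_DLLs, $p.LoadAppInit_DLLs
    foreach ($n in $dllNames) {
        if ("$($p.AppInit_DLLs)" -match [regex]::Escape($n)) { $hits.Add("$k\AppInit_DLLs references $n") }
    }
}

# AppCertDlls: each DLL listed is loaded into every process that calls the
# CreateProcess family. The key is absent on a default installation, so any
# value under it is worth a look even if the name does not match.
if (Test-Path $certKey) {
    $p = Get-ItemProperty -Path $certKey
    "$certKey"
    foreach ($v in ($p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        "  $($v.Name) = $($v.Value)"
        foreach ($n in $dllNames) {
            if ("$($v.Value)" -match [regex]::Escape($n)) { $hits.Add("$certKey\$($v.Name) references $n") }
        }
    }
} else {
    "$certKey not present (expected on a clean system)"
}

# Dropped files (hashed so the result can be shared) and the registry keys the
# trojan may create per infection.
foreach ($d in $sysDirs) {
    foreach ($f in (@('info.tmp') + $dllNames)) {
        $path = Join-Path $d $f
        if (Test-Path -LiteralPath $path) {
            $len = (Get-Item -LiteralPath $path).Length
            $sha = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $hits.Add("file $path ($len B, sha256 $sha)")
        }
    }
}
foreach ($k in 'HKLM:\SOFTWARE\Classes\ME3DOSN00', 'HKCU:\Software\CNDPLZ4N0G') {
    if (Test-Path $k) { $hits.Add("registry key $k present") }
}

if ($hits.Count -gt 0) { "`nIndicators found:"; $hits | ForEach-Object { "  $_" } }
else { "`nNo Win32/Bamital.X indicators found." }
```

A clean host prints an empty AppInit_DLLs value, LoadAppInit_DLLs of 0 (or no value at all on XP), and reports the AppCertDlls key as absent. A populated AppCertDlls key or a non-empty AppInit_DLLs string that does not match the names above is not proof of this trojan, but both are rare enough on workstations that the DLLs they name should be verified before the result is dismissed. The HKEY_CURRENT_USER key is only checked for the user running the script; other profiles need their hives loaded or the check repeated in their context.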
