Win32/Bamital [Threat Name]

Win32/Bamital.X [Threat Variant Name]

Category trojan
Size 43520 B
Aliases Trojan-Dropper.Win32.Agent.bmki (Kaspersky)
  TrojanDropper:Win32/Bamital.A (Microsoft)
  Trojan.Siggen.49592 (Dr.Web)
Short description

Win32/Bamital.X is a trojan that redirects the results of online search engines to web sites that contain adware. It uses techniques common to rootkits.

When executed, the trojan copies itself into the following location:

  • %system%\info.tmp (43520 B)

The following files are dropped into the %system% folder:

  • mshlps.dll (3072 B)
  • kbdsock.dll (3072 B)

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "AppInit_DLLs" = "%system%\kbdsock.dll"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
    • "AppSecDll" = "%system%\mshlps.dll"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    • "LoadAppInit_DLLs" = 1

This way the trojan ensures that the following libraries are injected into all running processes:

  • %system%\kbdsock.dll
  • %system%\mshlps.dll
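A defender-side check for the persistence mechanism described above (AppInit_DLLs with LoadAppInit_DLLs, the AppCertDlls key, and the dropped files). This is an added example, not ESET's code; it assumes the key paths and file names exactly as this description lists them and is meant to be run in an elevated PowerShell session.

```powershell
# Added example: look for the Win32/Bamital.X persistence entries listed above.
# Key paths, value names and file names are taken from the description; nothing
# here is ESET's own tooling.
$suspectDlls = @('kbdsock.dll', 'mshlps.dll')
$findings = @()

# 1. AppInit_DLLs: the listed DLL is loaded into every process that links
#    user32.dll once LoadAppInit_DLLs is non-zero.
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$win = Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue
if ($win) {
    if ($win.LoadAppInit_DLLs -eq 1) {
        $findings += "LoadAppInit_DLLs is enabled under $winKey"
    }
    foreach ($dll in $suspectDlls) {
        if ("$($win.AppInit_DLLs)" -match [regex]::Escape($dll)) {
            $findings += "AppInit_DLLs references $dll"
        }
    }
}

# 2. AppCertDlls: every value under this key names a DLL loaded into
#    newly created processes, so inspect all values, not only "AppSecDll".
$certKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
$cert = Get-ItemProperty -Path $certKey -ErrorAction SilentlyContinue
if ($cert) {
    foreach ($prop in $cert.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata
        foreach ($dll in $suspectDlls) {
            if ("$($prop.Value)" -match [regex]::Escape($dll)) {
                $findings += "AppCertDlls\$($prop.Name) references $dll"
            }
        }
    }
}

# 3. Dropped files in %system% (the description gives their sizes as 3072 B
#    for the DLLs and 43520 B for info.tmp; report whatever is on disk).
$sys = [Environment]::SystemDirectory
foreach ($name in ($suspectDlls + 'info.tmp')) {
    $path = Join-Path $sys $name
    if (Test-Path $path) {
        $findings += "File present: $path ($((Get-Item $path).Length) B)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Win32/Bamital.X persistence indicators found.' }
```

Any hit on the AppInit_DLLs or AppCertDlls checks warrants an offline examination of the host, since the injected libraries hook networking APIs in every process they reach.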

The following Registry entry is deleted:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    • "DisableSR" = %value%

Other information

The trojan can redirect results of online search engines to web sites that contain adware.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of URLs. The HTTP protocol is used.

The trojan hooks the following Windows APIs:

  • recv (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • send (ws2_32.dll)
  • closesocket (ws2_32.dll)
  • NtClose (ntdll.dll)
  • WaitForSingleObject (kernel32.dll)
  • CreateProcessInternalW (kernel32.dll)

The trojan may set the following Registry entries:

    • "N0G" = %hex_value1%
    • "Z4N0G" = %hex_value2%
    • "ME3DOSN00" = %hex_value3%
    • "CNDPLZ4N0G" = %hex_value4%

A string with variable content is used in place of %hex_value1-4%.
