Win32/Battdil [Threat Name] go to Threat

Win32/Battdil.B [Threat Variant Name]

Category trojan
Size 246784 B
Detection created Jun 11, 2014
Detection database version 10107
Aliases Infostealer.Dyranges (Symantec)
  Win32:Dyre-D (Avast)
Short description

Win32/Battdil.B is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed the trojan copies itself in the following locations:

  • %appdata%\­googleupdaterr.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "GoogleUpdate" = "%appdata%\­googleupdaterr.exe"

The trojan may create the following files:

  • %appdata%\­userdata.dat

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • firefox.exe
  • chrome.exe
  • iexplore.exe

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects sensitive information when the user browses certain web sites.


The trojan collects various information when the user is accessing the following sites:

  • cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/
  • cashproonline.bankofamerica.com/materials
  • cashproonline.bankofamerica.com/assets/
  • businessaccess.citibank.citigroup.com/cbusol/signon.do
  • businessaccess.citibank.citigroup.com/materials
  • businessaccess.citibank.citigroup.com/assets/
  • businessaccess.citibank.citigroup.com/CitiBusinessOnlineFiles/
  • www.bankline.natwest.com/
  • www.bankline.rbs.com/
  • www.bankline.ulsterbank.ie/

The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • cookies

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of (1) URLs. The HTTP protocol is used in the communication.

Other information

The trojan contains both 32-bit and 64-bit program components.


It may perform the following actions:

  • monitor network traffic
  • set up a proxy server

The trojan alters the behavior of the following processes:

  • iexplore.exe
  • firefox.exe
  • chrome.exe

The trojan hooks the following Windows APIs:

  • LoadLibraryExW (kernel32.dll)
  • PR_Read (nss3.dll)
  • PR_Write (nss3.dll)
  • PR_Close (nss3.dll)
  • ICSecureSocket::Send_Fsm (wininet.dll)
  • ICSecureSocket::Receive_Fsm (wininet.dll)
  • ssl_Read (chrome.dll)
  • ssl_Write (chrome.dll)
  • ssl_Close (chrome.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.