Win32/Battdil [Threat Name] go to Threat

Win32/Battdil.F [Threat Variant Name]

Category trojan
Size 450560 B
Aliases Trojan.Win32.Staser.apqw (Kaspersky)
  PWS:Win32/Dyzap.F (Microsoft)
  TR/Battdil.450560 (Avira)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself in some of the the following locations:

  • %windir%\­%variable%.exe
  • %appdata%\­%variable%.exe

A string with variable content is used instead of %variable% .

The trojan registers itself as a system service using the following name:

  • googleupdate

This way the trojan ensures that the file is executed on every system start.

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "(Default)" = "%appdata%\­%variable%.exe"

This causes the trojan to be executed on every system start.

The trojan may create the following files:

  • %appdata%\­s5er4.dat

The trojan creates and runs a new thread with its own program code within the following processes:

  • chrome.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe
  • svchost.exe

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • cookies
  • operating system version
  • Mozilla Firefox version
  • Internet Explorer version
  • Google Chrome version
  • computer name
  • user name
  • digital certificates
  • list of running services
  • installed program components under  [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Uninstall] Registry subkeys
  • computer IP address
  • network adapter information

The trojan collects sensitive information when the user browses certain web sites.

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (34) URLs. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • set up a proxy server
  • shut down/restart the computer

The trojan contains both 32-bit and 64-bit program components.

The trojan alters the behavior of the following processes:

  • iexplore.exe
  • firefox.exe
  • chrome.exe

The trojan hooks the following Windows APIs:

  • CreateProcessInternalW (kernel32.dll)
  • ICSecureSocket::Receive_Fsm (wininet.dll)
  • ICSecureSocket::Send_Fsm (wininet.dll)
  • LoadLibraryExW (kernel32.dll)
  • PR_Close (nss3.dll)
  • PR_Read (nss3.dll)
  • PR_Write (nss3.dll)
  • ssl_Close (chrome.dll)
  • ssl_Read (chrome.dll)
  • ssl_Write (chrome.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.