Win32/Battdil [Threat Name]

Win32/Battdil.I [Threat Variant Name]

Category: trojan
Size: 438784 B
Aliases: Trojan.Win32.Staser.bbkl (Kaspersky)
         PWS:Win32/Dyzap.M (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %windir%\%variable%.exe

A string with variable content is used instead of %variable%.

The trojan registers itself as a system service using the following name:

  • googleupdate

This causes the trojan to be executed on every system start.

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "GoogleUpdate" = "%windir%\%variable%.exe"

This causes the trojan to be executed on every system start.

The following file is dropped:

  • %appdata%\Local\nw9vbe82n1.dll

The trojan can create and run a new thread with its own program code within the following processes:

  • svchost.exe
  • explorer.exe
  • iexplore.exe
  • chrome.exe
  • firefox.exe

After the installation is complete, the trojan deletes the original executable file.
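
The installation traces listed above (the Run value, the service name and the dropped DLL) can be matched against exported autorun, service and file listings from a host. The following is an added example, not part of the original description; the record layout, the host paths in ENV and the file name qzkfhd.exe are constructed for illustration.

```python
import ntpath
import re

# Indicators copied from the description above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "GoogleUpdate"
SERVICE_NAME = "googleupdate"
DROPPED_DLL = r"%appdata%\Local\nw9vbe82n1.dll"
# An .exe sitting directly in %windir% (the %variable% part is any file name).
WINDIR_EXE = re.compile(r"^%windir%\\[^\\]+\.exe$")


def fold(path, env):
    """Lower-case a path and fold known directories back into %var% form."""
    p = ntpath.normpath(path.strip().strip('"')).lower()
    for var, value in env.items():
        root = ntpath.normpath(value).lower()
        if p == root or p.startswith(root + "\\"):
            return "%" + var.lower() + "%" + p[len(root):]
    return p


def match_battdil(records, env):
    """Return (indicator, record) pairs for records matching the description."""
    hits = []
    for rec in records:
        if rec["type"] == "run":
            if (rec["key"].lower() == RUN_KEY.lower()
                    and rec["name"].lower() == RUN_VALUE.lower()
                    and WINDIR_EXE.match(fold(rec["data"], env))):
                hits.append(("run-key", rec))
        elif rec["type"] == "service" and rec["name"].lower() == SERVICE_NAME:
            hits.append(("service", rec))
        elif rec["type"] == "file" and fold(rec["path"], env) == DROPPED_DLL.lower():
            hits.append(("dropped-dll", rec))
    return hits


# Constructed triage records (not real telemetry); host paths are assumptions.
ENV = {"windir": r"C:\Windows", "appdata": r"C:\Users\alice\AppData\Roaming"}
SAMPLE = [
    {"type": "run", "key": RUN_KEY, "name": "GoogleUpdate", "data": r'"C:\WINDOWS\qzkfhd.exe"'},
    {"type": "run", "key": RUN_KEY, "name": "GoogleUpdate", "data": r"C:\Users\alice\AppData\Local\Google\Update\GoogleUpdate.exe"},
    {"type": "service", "name": "GoogleUpdate", "image": r"C:\Windows\qzkfhd.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Local\nw9vbe82n1.dll"},
    {"type": "file", "path": r"C:\Windows\System32\kernel32.dll"},
]

HITS = [name for name, _ in match_battdil(SAMPLE, ENV)]  # indicator names that matched
```

The service check matches on name alone, so a hit there is a lead to confirm against the service's image path rather than a verdict.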

Information stealing

The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • operating system version
  • computer name
  • user name
  • network adapter information
  • installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys
  • list of running services
  • external IP address of the network device

The trojan collects sensitive information when the user browses certain web sites.

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 60 URL addresses. The HTTP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • set up a proxy server
  • shut down/restart the computer

The trojan contains both 32-bit and 64-bit program components.

The trojan may affect the behavior of the following applications:

  • Trusteer Rapport
  • Mozilla Firefox
  • Microsoft Internet Explorer
  • Google Chrome

The trojan hooks the following Windows APIs:

  • LoadLibraryExW (kernel32.dll)
  • CreateProcessInternalW (kernel32.dll)
  • PR_Read (nspr4.dll, nss3.dll)
  • PR_Write (nspr4.dll, nss3.dll)
  • PR_Close (nspr4.dll, nss3.dll)
  • ICSecureSocket::Receive_Fsm (wininet.dll)
  • ICSecureSocket::Send_Fsm (wininet.dll)
  • ssl_Close (chrome.dll)
  • ssl_Read (chrome.dll)
  • ssl_Write (chrome.dll)
