Win32/Bipamid [Threat Name]

Win32/Bipamid.C [Threat Variant Name]

Category: trojan
Size: 52384 B
Aliases: Trojan-Dropper.Win32.Agent.kltf (Kaspersky)
  TrojanDownloader:Win32/Tandfuy.B (Microsoft)
  Backdoor.Trojan (Symantec)
  TR/Dldr.Tandfuy.B.3 (Avira)
Short description

Win32/Bipamid.C is a trojan which tries to download other malware from the Internet. The trojan is usually a part of other malware. The file is run-time compressed using UPX.

Installation

When executed, the trojan drops the following file into the %system% folder:

  • midimapbits.dll (31904 B, Win32/Bipamid.C)

The trojan registers the dropped file as a system service, hijacking the existing BITS service so that the DLL is loaded by svchost.exe.

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
    • "ServiceDll" = "%system%\midimapbits.dll"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
    • "WOW64" = 1

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SvcHost]
    • "netsvc" = "%originalvalue%, BITS"

The trojan then starts the BITS service.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 7 URLs. The UDP protocol is used for the communication.


The trojan can download and execute a file from the Internet.

The trojan stores various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\QRAT\domain]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\QRAT\memo]
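As an added defender-side check (not part of the ESET description), the following PowerShell snippet inspects the BITS service hijack locations listed under Installation and the QRAT marker keys listed above on the host under investigation. It assumes the genuine BITS service DLL is %SystemRoot%\System32\qmgr.dll and that the dropped file name and marker keys are exactly as recorded on this page.

```powershell
# Added check, not ESET's code. Looks for the Win32/Bipamid.C persistence
# artefacts described above; assumes the legitimate BITS ServiceDll is qmgr.dll.
$findings = @()

# 1. ServiceDll of the BITS service must still point at the Windows-supplied qmgr.dll.
$bitsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS\Parameters'
$serviceDll = (Get-ItemProperty -Path $bitsParams -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
$expected   = Join-Path $env:SystemRoot 'System32\qmgr.dll'
if ($serviceDll) {
    # REG_EXPAND_SZ is normally expanded already; expanding again is harmless.
    $resolved = [Environment]::ExpandEnvironmentVariables($serviceDll)
    if ($resolved -ne $expected) {   # -ne is case-insensitive in PowerShell
        $findings += "BITS ServiceDll points to an unexpected path: $serviceDll"
    }
} else {
    $findings += 'BITS ServiceDll value missing or unreadable'
}

# 2. The sample sets WOW64=1 on the BITS service key so svchost loads a 32-bit DLL;
#    the genuine 64-bit BITS service does not carry this value.
$bitsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS'
$wow64 = (Get-ItemProperty -Path $bitsKey -Name WOW64 -ErrorAction SilentlyContinue).WOW64
if ($wow64 -eq 1) { $findings += 'BITS service key has WOW64=1 (32-bit service DLL)' }

# 3. Dropped component named on this page.
$dropped = Join-Path $env:SystemRoot 'System32\midimapbits.dll'
if (Test-Path -LiteralPath $dropped) { $findings += "Dropped file present: $dropped" }

# 4. Registry keys the trojan uses to store its data.
foreach ($k in 'HKLM:\SOFTWARE\QRAT\domain', 'HKLM:\SOFTWARE\QRAT\memo') {
    if (Test-Path -LiteralPath $k) { $findings += "Marker registry key present: $k" }
}

if ($findings.Count -eq 0) {
    'No Win32/Bipamid.C persistence indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

A hit on the ServiceDll or WOW64 check is the strongest signal, since both modify a Windows service key that legitimate software does not touch; the marker keys confirm the same family but may be absent if the host was only partially infected.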
