
Virus:Win32/Bamital.Q


First posted on 02 February 2012.
Source: Microsoft

Aliases:

Virus:Win32/Bamital.Q is also known as Win32/Patched (AVG), TR/Patched.Gen (Avira), Trojan.Patched (Ikarus), PE_BAMITAL.SME (Trend Micro).

Explanation:

Virus:Win32/Bamital.Q is the detection for Windows system files infected by another member of the Win32/Bamital family. It infects certain Windows system files.





Installation

Virus:Win32/Bamital.Q drops its copies as the following files:

  • %UserProfile%\Local Settings\Application Data\MicrosoftNT\winserver.exe


It redirects the user's Startup folder to its own drop directory by modifying the following registry entry, so that everything in that directory (including winserver.exe) is launched at every logon:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Sets value: "Startup"
With Data: "%UserProfile%\Local Settings\Application Data\MicrosoftNT"

Virus:Win32/Bamital.Q creates the following mutexes to ensure that only a single copy of itself is running:

  • 11expl22
  • 11svch22


It also creates the following registry values, in which it stores state such as timestamps and data received from remote servers:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry
Sets values:
Data
Domen
TimeGetWork
Uses32

Spreads via...

Infected files

Virus:Win32/Bamital.Q infects the following Windows files:

  • %SystemRoot%\dllcache\explorer.exe
  • %SystemRoot%\dllcache\svchost.exe
  • %SystemRoot%\dllcache\winlogon.exe
  • %SystemRoot%\explorer.exe
  • %SystemRoot%\system32\svchost.exe
  • %SystemRoot%\system32\winlogon.exe
  • %SystemRoot%\user32.dll


Because the copies in %SystemRoot%\dllcache are infected as well, Windows File Protection cannot repair the infected files from its cache. Before infecting them, the malware saves a copy of each original under a different name:

  • %SystemRoot%\expl.dat - copy of %SystemRoot%\dllcache\explorer.exe
  • %SystemRoot%\system32\svch.dat - copy of %SystemRoot%\dllcache\svchost.exe
  • %SystemRoot%\system32\winl.dat - copy of %SystemRoot%\dllcache\winlogon.exe
  • %UserProfile%\Documents\kbd32.dll - copy of %SystemRoot%\user32.dll


Payload

Injects code

Virus:Win32/Bamital.Q has the ability to inject code into other system processes.

Disables system settings

Virus:Win32/Bamital.Q disables System Restore by modifying the following registry entries:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Deletes value: "DisableSR"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\sr\Parameters
Sets value: "DisableSR"
With data: "1"
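The persistence, state, backup-copy and System Restore artifacts listed above are concrete host indicators, so here is an offline triage routine for them. This is an added example, not Microsoft's or the malware's code: it scores a snapshot of registry values and file paths against the indicators quoted on this page, and shows how the same snapshot would be collected on a live Windows host. The default Startup-folder values it treats as benign are an assumption, and the sample snapshots are constructed.

```python
"""Offline triage of the host artifacts listed on this page (added example, not
Microsoft's or the malware's code). assess() scores a snapshot of registry
values and file paths against the indicators quoted above; collect_snapshot()
shows how to gather that snapshot on a live Windows host. The sample snapshots
at the bottom are constructed for illustration."""
import os
import sys

# Indicators quoted from the page. Paths keep their %variables% unexpanded so
# the snapshot is host-independent; the live collector expands them.
STARTUP_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
STARTUP_REDIRECT = r"%UserProfile%\Local Settings\Application Data\MicrosoftNT"
# Assumed default values of the Startup entry (XP-era and Vista+ profiles).
STARTUP_DEFAULTS = {
    r"%userprofile%\start menu\programs\startup",
    r"%userprofile%\appdata\roaming\microsoft\windows\start menu\programs\startup",
}
LOWREGISTRY_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry"
LOWREGISTRY_VALUES = ("Data", "Domen", "TimeGetWork", "Uses32")
SR_PARAMS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\sr\Parameters"
DROPPED = r"%UserProfile%\Local Settings\Application Data\MicrosoftNT\winserver.exe"
# Pre-infection copy -> the file the malware infected afterwards.
BACKUPS = {
    r"%SystemRoot%\expl.dat": r"%SystemRoot%\dllcache\explorer.exe",
    r"%SystemRoot%\system32\svch.dat": r"%SystemRoot%\dllcache\svchost.exe",
    r"%SystemRoot%\system32\winl.dat": r"%SystemRoot%\dllcache\winlogon.exe",
    r"%UserProfile%\Documents\kbd32.dll": r"%SystemRoot%\user32.dll",
}


def assess(snapshot):
    """Return [(severity, message), ...] for a snapshot shaped as
    {"registry": {key: {value_name: data}}, "files": {existing paths}}."""
    reg = snapshot.get("registry", {})
    files = {p.lower() for p in snapshot.get("files", ())}
    findings = []

    startup = reg.get(STARTUP_KEY, {}).get("Startup")
    if startup is not None and startup.lower() not in STARTUP_DEFAULTS:
        sev = "high" if startup.lower() == STARTUP_REDIRECT.lower() else "medium"
        findings.append((sev, f"Startup folder redirected to {startup}"))

    present = [v for v in LOWREGISTRY_VALUES if v in reg.get(LOWREGISTRY_KEY, {})]
    if present:
        findings.append(("high", "LowRegistry state values: " + ", ".join(present)))

    if reg.get(SR_PARAMS_KEY, {}).get("DisableSR") == 1:
        findings.append(("medium", "System Restore disabled (sr\\Parameters\\DisableSR=1)"))

    if DROPPED.lower() in files:
        findings.append(("high", f"dropped file present: {DROPPED}"))
    for backup, infected in BACKUPS.items():
        if backup.lower() in files:
            findings.append(("high", f"{backup} present; treat {infected} as infected"))
    return findings


def collect_snapshot():
    """Read the same keys and paths from a live Windows host."""
    if sys.platform != "win32":
        raise RuntimeError("live collection requires Windows")
    import winreg  # only importable on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    registry = {}
    for key_path in (STARTUP_KEY, LOWREGISTRY_KEY, SR_PARAMS_KEY):
        hive, _, sub = key_path.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:  # no more values
                        break
                    values[name], i = data, i + 1
        except FileNotFoundError:
            continue
        registry[key_path] = values
    candidates = [DROPPED, *BACKUPS]
    files = {p for p in candidates if os.path.exists(os.path.expandvars(p))}
    return {"registry": registry, "files": files}


# Constructed snapshots: one matching the page's indicators, one clean.
SAMPLE_INFECTED = {
    "registry": {
        STARTUP_KEY: {"Startup": STARTUP_REDIRECT},
        LOWREGISTRY_KEY: {"Domen": "<constructed>", "TimeGetWork": "<constructed>"},
        SR_PARAMS_KEY: {"DisableSR": 1},
    },
    "files": {DROPPED, r"%SystemRoot%\expl.dat"},
}
SAMPLE_CLEAN = {
    "registry": {STARTUP_KEY: {"Startup": r"%USERPROFILE%\Start Menu\Programs\Startup"}},
    "files": set(),
}

if __name__ == "__main__":
    target = collect_snapshot() if sys.platform == "win32" else SAMPLE_INFECTED
    for severity, message in assess(target) or [("info", "no indicators found")]:
        print(f"[{severity}] {message}")
```

Any non-default Startup redirection is flagged even when it does not match this family's path, since the same User Shell Folders trick is reusable; the .dat backups are worth preserving before cleanup because, with the dllcache copies also infected, they may be the only pre-infection versions left on the host.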

Connects to remote server

Virus:Win32/Bamital.Q sends an HTTP request to "google.com" every five seconds until it receives a successful response, then takes the current date from that response (its Date header) instead of relying on the local clock.

It uses that date as the seed for generating several domains. For instance, the domains generated for 26 January 2012 are:

  • meriro<removed>quhileh.co.cc
  • meriro<removed>quhileh.in
  • meriro<removed>quhileh.info
  • meriro<removed>quhileh.uni.me


Virus:Win32/Bamital.Q then sends an HTTP request to one of the generated domains to request further instructions.
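The date-seeded domain generation described above, as an added example that is not the malware's code. The Date-header extraction is exactly the step the page describes; the page does not give Bamital's generator, so generate_domains() is a hypothetical stand-in whose labels bear no relation to the real ones, with only the TLD suffixes taken from the list above. The HTTP reply is constructed, and the defender-side helpers show how a known generator is turned into blocklist or DNS-log matching material.

```python
"""Date-seeded domain generation as described above (added example, not the
malware's code). date_from_response() does what the page describes: pull the
calendar date out of the HTTP reply from google.com. The page does not give
Bamital's generator, so generate_domains() is a hypothetical stand-in whose
labels bear no relation to the real ones; only the TLD suffixes are from the
page. SAMPLE_RESPONSE is a constructed reply."""
import datetime
import hashlib
from email.utils import parsedate_to_datetime

TLDS = ("co.cc", "in", "info", "uni.me")  # suffixes quoted from the page

# Constructed reply; only the Date header matters to the client.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 26 Jan 2012 13:37:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def date_from_response(raw):
    """Return the date carried by the response's Date header (RFC 1123 form,
    header name matched case-insensitively), or None if there is none."""
    head = raw.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")   # split at the first colon only
        if sep and name.strip().lower() == b"date":
            return parsedate_to_datetime(value.strip().decode("ascii")).date()
    return None


def generate_domains(day, seed=b"hypothetical-seed", label_len=14):
    """Hypothetical generator: hash the ISO date with a fixed seed and map the
    digest bytes onto letters. Same day -> same domains on every host."""
    digest = hashlib.sha256(seed + day.isoformat().encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:label_len])
    return [f"{label}.{tld}" for tld in TLDS]


def domains_for_next_days(start, days):
    """Defender side: precompute every candidate for a window of days, ready
    for sinkholing, blocklisting or matching against DNS logs."""
    out = []
    for offset in range(days):
        out.extend(generate_domains(start + datetime.timedelta(days=offset)))
    return out


def is_candidate(domain, start, days):
    """True if domain is one this generator would produce within the window."""
    return domain.lower() in set(domains_for_next_days(start, days))


if __name__ == "__main__":
    today = date_from_response(SAMPLE_RESPONSE)
    print("date from server:", today)
    for d in generate_domains(today):
        print("  candidate:", d)
```

Taking the date from a server reply rather than the host clock keeps every infected client in step with the operator even where the local clock is wrong; the same determinism works for defenders, who can precompute the window of candidates once the generator is recovered and register, sinkhole or block them ahead of time.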



Analysis by Horea Coroiu

Last update 02 February 2012
