Virus:Win32/Bamital.Q
First posted on 02 February 2012.
Source: Microsoft
Aliases:
Virus:Win32/Bamital.Q is also known as Win32/Patched (AVG), TR/Patched.Gen (Avira), Trojan.Patched (Ikarus), PE_BAMITAL.SME (Trend Micro).
Explanation:
Virus:Win32/Bamital.Q is the detection for Windows system files infected by another member of the Win32/Bamital family. It infects certain Windows system files.
Installation
Virus:Win32/Bamital.Q drops a copy of itself as the following file:
- %UserProfile%\Local Settings\Application Data\MicrosoftNT\winserver.exe
It redirects the Windows Startup folder to its own directory by modifying the following registry entry, ensuring that the malware runs at every Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Sets value: "Startup"
With Data: "%UserProfile%\Local Settings\Application Data\MicrosoftNT"
Virus:Win32/Bamital.Q creates the following mutexes to ensure that only a single copy of itself is running:
- 11expl22
- 11svch22
It also creates the following registry keys, into which it writes information such as timestamps and data received from remote servers:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry
Sets values:
- Data
- Domen
- TimeGetWork
- Uses32
Spreads via...
Infected files
Virus:Win32/Bamital.Q infects the following Windows files:
- %SystemRoot%\dllcache\explorer.exe
- %SystemRoot%\dllcache\svchost.exe
- %SystemRoot%\dllcache\winlogon.exe
- %SystemRoot%\explorer.exe
- %SystemRoot%\system32\svchost.exe
- %SystemRoot%\system32\winlogon.exe
- %SystemRoot%\user32.dll
It creates copies of these files prior to infection, then renames them:
- %SystemRoot%\expl.dat - copy of %SystemRoot%\dllcache\explorer.exe
- %SystemRoot%\system32\svch.dat - copy of %SystemRoot%\dllcache\svchost.exe
- %SystemRoot%\system32\winl.dat - copy of %SystemRoot%\dllcache\winlogon.exe
- %UserProfile%\Documents\kbd32.dll - copy of %SystemRoot%\user32.dll
Payload
Injects code
Virus:Win32/Bamital.Q has the ability to inject code into other system processes.
Disables system settings
Virus:Win32/Bamital.Q disables System Restore by modifying the following registry entries:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Deletes value: "DisableSR"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\sr\Parameters
Sets value: "DisableSR"
With data: "1"
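The registry changes listed under Installation and Disables system settings are the host artefacts a defender can alert on. The following is an added example, not code from Microsoft's description: it runs a small indicator check over constructed registry-set events (a made-up key="value" line format, not any real product's log) and flags the redirected Startup shell folder, the Bamital.Q value names under Explorer\LowRegistry, and DisableSR set to 1 under the sr service parameters.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not a real log format); they mirror the registry
# changes described for Bamital.Q above, plus two benign lines from a second host.
SAMPLE_EVENTS = [
    r'host="ws01" key="HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" name="Startup" data="C:\Documents and Settings\user\Local Settings\Application Data\MicrosoftNT"',
    r'host="ws01" key="HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry" name="Domen" data="example.invalid"',
    r'host="ws01" key="HKLM\SYSTEM\CurrentControlSet\Services\sr\Parameters" name="DisableSR" data="1"',
    r'host="ws02" key="HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" name="Startup" data="%USERPROFILE%\Start Menu\Programs\Startup"',
    r'host="ws02" key="HKLM\SYSTEM\CurrentControlSet\Services\sr\Parameters" name="DisableSR" data="0"',
]

# Value names Bamital.Q writes under Explorer\LowRegistry (from the description).
LOWREGISTRY_NAMES = {"data", "domen", "timegetwork", "uses32"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key="value" ... line into a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the Bamital.Q indicator tags that one registry-set event matches."""
    key, name, data = ev.get("key", "").lower(), ev.get("name", ""), ev.get("data", "")
    tags = []
    # 1. Startup shell folder no longer points at a Start Menu\Programs\Startup path.
    if key.endswith(r"\explorer\user shell folders") and name == "Startup" \
            and not data.lower().endswith(r"\start menu\programs\startup"):
        tags.append("startup-folder-redirect")
    # 2. The bookkeeping values Bamital.Q stores under Explorer\LowRegistry.
    if key.endswith(r"\explorer\lowregistry") and name.lower() in LOWREGISTRY_NAMES:
        tags.append("lowregistry-bamital-value")
    # 3. System Restore disabled through the sr service parameters.
    if key.endswith(r"\services\sr\parameters") and name == "DisableSR" and data == "1":
        tags.append("system-restore-disabled")
    return tags


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, tag, value name) for every indicator hit across the lines."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for tag in classify(ev):
            hits.append((ev.get("host", "?"), tag, ev.get("name", "")))
    return hits


if __name__ == "__main__":
    for host, tag, name in scan(SAMPLE_EVENTS):
        print(f"{host}: {tag} ({name})")
```

The Startup check is a heuristic: any redirection of that shell folder away from a Start Menu\Programs\Startup path is worth a look, whatever the destination.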
Connects to remote server
Virus:Win32/Bamital.Q sends HTTP requests to "google.com" every five seconds, until it receives a successful response. It then extracts the current date from the HTTP response.
It uses the current date to generate several domains. For instance, the domains generated for the 26th of January 2012 are:
- meriro<removed>quhileh.co.cc
- meriro<removed>quhileh.in
- meriro<removed>quhileh.info
- meriro<removed>quhileh.uni.me
Virus:Win32/Bamital.Q sends another HTTP request to one of these domains to ask for further instructions.
Analysis by Horea Coroiu
Last update 02 February 2012