
Win32/Bamital


First posted on 07 February 2013.
Source: Microsoft

Aliases:

There are no other names known for Win32/Bamital.

Explanation:



Win32/Bamital is a family of malware that intercepts web browser traffic and prevents access to certain security-related websites by modifying the Hosts file. Bamital variants may also modify certain legitimate Windows files in order to execute their payload.



Installation

Win32/Bamital may be dropped and loaded into "spoolsv.exe" by TrojanDropper:Win32/Bamital.D.

Win32/Bamital tries to connect to a remote server to report infection of the affected computer.



Payload

Redirects user searches

Win32/Bamital connects to a remote host to obtain configuration data. The data contains destination hosts, which are used when redirecting browser searches performed by the user with Google, Yahoo!, or Bing.

Intercepts web traffic

Win32/Bamital tries to inject its code into running web browser processes, for example, "iexplore.exe", "firefox.exe" and "opera.exe" in order to intercept web browser traffic and redirect search engine results.

Modifies Hosts file

Win32/Bamital modifies the Windows Hosts file. The local Hosts file overrides DNS resolution of a host name, mapping it to a particular IP address. Malicious software may modify the Hosts file to redirect specified hosts to different IP addresses, and malware often does so to stop users from reaching websites associated with security-related applications, such as antivirus products. Win32/Bamital may redirect a long list of hosts in order to prevent affected users from accessing them; the list consists mainly of antivirus vendor domains (for example Kaspersky, Symantec, McAfee, AVG, ESET and Avast), Microsoft update and support sites, online virus-scanning services such as VirusTotal, and a small number of banking sites.

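As an added example (not part of the original entry), a small Hosts-file audit that flags the override mechanism described above: a watched security or update domain mapped to a loopback or unspecified address is reported as sinkholed, and one mapped anywhere else as redirected. The watched domains are a handful of the hosts the entry names, and the sample file content is constructed.

```python
import ipaddress

# Constructed sample, not a capture: a few hosts the entry names, plus benign
# entries, written the way a Windows Hosts file is laid out.
WATCHED_DOMAINS = {"avast.com", "kaspersky.com", "update.microsoft.com",
                   "virustotal.com", "liveupdate.symantec.com"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed entries resembling the tampering described above
203.0.113.10    avast.com www.avast.com
203.0.113.10    update.microsoft.com
127.0.0.1       virustotal.com
0.0.0.0         liveupdate.symantec.com
10.0.0.5        intranet.example   # legitimate local override
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping; comments are ignored."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, skip it
        for host in fields[1:]:
            yield str(ip), host.lower(), line_no


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (line_no, host, ip, kind) for every watched domain or subdomain the
    file overrides: "sinkholed" (loopback/unspecified target) or "redirected"."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if not any(host == d or host.endswith("." + d) for d in watched):
            continue
        addr = ipaddress.ip_address(ip)
        kind = "sinkholed" if addr.is_loopback or addr.is_unspecified else "redirected"
        findings.append((line_no, host, ip, kind))
    return findings


def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the audit against the live Hosts file (default: the Windows location)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())
```

Any non-loopback override of a vendor or update domain in a managed fleet deserves a look; the local override on the last sample line is deliberately outside the watch list and is not reported.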

Modifies Windows files

Some variants of Win32/Bamital attempt to modify the following legitimate Windows files:

  • winlogon.exe
  • explorer.exe


The modified files are detected as variants of Virus:Win32/Bamital.

Note: The original copies of "explorer.exe" and "winlogon.exe" are saved to "%windir%\temp" by the virus as "explorer.dat" and "winlogon.dat" respectively.

The modified system files attempt to load a single DLL file. Possible file names for the loaded file include:

  • <system folder>\kb.dll
  • <system folder>\ms.dll
  • <system folder>\nt.dll
  • <system folder>\zx.dll
  • <system folder>\k.dll
  • <system folder>\b.dll
  • <system folder>\w.dll


This DLL file is used to load a data file, for example "c:\windows\system32\hlp", which contains the bulk of the Win32/Bamital payload. The data file is detected as Trojan:Win32/Bamital.



Analysis by Scott Molenkamp

Last update 07 February 2013

