
Virus:Win32/Bamital.P


First posted on 25 February 2012.
Source: Microsoft

Aliases:

There are no other names known for Virus:Win32/Bamital.P.

Explanation:

Virus:Win32/Bamital.P is a detection for Windows files infected by other members of the Win32/Bamital family, for example, TrojanDropper:Win32/Bamital.AH.


Installation

The Bamital infector component may be found on the computer in the following file location:

%UserProfile%\Local Settings\Application Data\MicrosoftNT\winserver.exe

The infector also redirects the user's Startup shell folder by modifying the following registry entry, so that Windows treats "%UserProfile%\Local Settings\Application Data\MicrosoftNT" as the Startup folder and launches the infector component there each time the user logs on:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Sets value: "Startup"
With Data: "%UserProfile%\Local Settings\Application Data\MicrosoftNT"

It also creates the following registry values, in which it stores state such as time-stamps and data received from its remote servers:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry
Sets values:
Data
Domen
TimeGetWork
Uses32

Spreads via…

File infection

The Bamital infector targets the following Windows files for infection. The list includes the Windows File Protection cache copies under dllcache, so WFP cannot restore a clean version of the infected system32 files from its cache:

  • %SystemRoot%\explorer.exe
  • %SystemRoot%\system32\svchost.exe
  • %SystemRoot%\system32\winlogon.exe
  • %SystemRoot%\dllcache\explorer.exe
  • %SystemRoot%\dllcache\svchost.exe
  • %SystemRoot%\dllcache\winlogon.exe


It also creates the file below, which is an infected copy of %SystemRoot%\system32\user32.dll:

%UserProfile%\Documents\kbd32.dll

The following files, which are encrypted versions of the above clean Windows files, are also created:

  • %SystemRoot%\system32\svch.dat
  • %SystemRoot%\expl.dat
  • %SystemRoot%\system32\winl.dat


Payload

Disables system settings

Bamital disables System Restore by modifying the following registry entries:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Deletes value: "DisableSR"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\sr\Parameters
Sets value: "DisableSR"
With data: "1"
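
The registry changes above (the Startup shell-folder redirection, the LowRegistry state values and the DisableSR setting) can be checked offline from a `reg export` of the affected keys. The following is an added example written for this page, not Microsoft's code or part of the original analysis. It parses the text form of a .reg file and reports the indicators; the two snapshots embedded in it are constructed samples (string values are shown as plain REG_SZ for readability, and the parser handles only quoted strings and dword values). The Startup check is deliberately broader than the Bamital.P path: every stock Windows default for that value lives under "Start Menu", so any other target is reported as well.

```python
"""Offline triage of a registry export for the Bamital.P registry indicators.

Added example for this page (not Microsoft's code). Parses the text form of a
`reg export` file so it can run on a snapshot from a suspect host rather than
on the live registry. Only quoted string and dword values are understood.
"""
import re
from typing import Dict, List

# Constructed sample: the affected keys as they could appear on an infected
# host. The Domen/TimeGetWork/Uses32 contents are made-up placeholders.
REG_SNAPSHOT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"="%USERPROFILE%\\Desktop"
"Startup"="%UserProfile%\\Local Settings\\Application Data\\MicrosoftNT"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry]
"Domen"="xocezohiletupid.co.cc"
"TimeGetWork"=dword:4f38f1a0
"Uses32"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
"DisableSR"=dword:00000001
"""

# Constructed sample: the same keys on a clean Windows XP host.
CLEAN_SNAPSHOT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Startup"="%USERPROFILE%\\Start Menu\\Programs\\Startup"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
"""

# Key paths from the analysis, lower-cased because the registry is case-insensitive.
SHELL_FOLDERS = (r"hkey_current_user\software\microsoft\windows\currentversion"
                 r"\explorer\user shell folders")
LOWREGISTRY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
               r"\explorer\lowregistry")
SR_PARAMS = r"hkey_local_machine\system\currentcontrolset\services\sr\parameters"
# Value names the analysis lists under LowRegistry.
BAMITAL_STATE_VALUES = {"data", "domen", "timegetwork", "uses32"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path: {value_name: value}}; names are lower-cased."""
    reg: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            reg.setdefault(current, {})
            continue
        val = _VAL_RE.match(line)
        if val and current is not None:
            name, string, dword = val.groups()
            # .reg files double every backslash inside string values.
            reg[current][name.lower()] = (int(dword, 16) if dword is not None
                                          else string.replace("\\\\", "\\"))
    return reg


def find_indicators(reg: Dict[str, Dict[str, object]]) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings: List[str] = []

    # 1. Startup shell-folder redirection. Stock defaults (XP and Vista+)
    #    both live under "Start Menu"; anything else runs foreign code at logon.
    startup = reg.get(SHELL_FOLDERS, {}).get("startup")
    if isinstance(startup, str) and "start menu" not in startup.lower():
        tag = "Bamital.P path" if "microsoftnt" in startup.lower() else "unexpected path"
        findings.append(f"Startup shell folder redirected ({tag}): {startup}")

    # 2. C2 state values the infector keeps under LowRegistry.
    present = BAMITAL_STATE_VALUES & set(reg.get(LOWREGISTRY, {}))
    if present:
        findings.append("LowRegistry state values present: " + ", ".join(sorted(present)))

    # 3. System Restore switched off through the sr service parameters.
    if reg.get(SR_PARAMS, {}).get("disablesr") == 1:
        findings.append("System Restore disabled: sr\\Parameters\\DisableSR = 1")

    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg(REG_SNAPSHOT)):
        print(finding)
```

On a live host the same three checks map to `reg query` of the listed keys; the export-based form is what you would run over a collection of hives pulled during an incident. A real `reg export` is UTF-16 and stores REG_EXPAND_SZ values as `hex(2):` byte lists, so decode and convert those before feeding the file to this parser.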

Connects to a remote server

Virus:Win32/Bamital.P sends an HTTP request to "google.com" every five seconds until it receives a successful response, then extracts the current date from that response. Taking the date from the server rather than from the local clock means the domain generation below is seeded by a time source the infected host does not control.

It combines that date with each of the following domain suffixes to generate a set of candidate command-and-control domains:

  • .co.cc
  • .in
  • .org
  • .uni.me


For instance, the domains generated for the 13th of February 2012 are:

  • xocezohiletupid.co.cc
  • bemitulavyrukaf.in
  • qopakynixijiwoc.org
  • rypymubuxyvurar.uni.me


Virus:Win32/Bamital.P sends another HTTP request to one of these domains to ask for further instructions.
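
The beaconing stage described above can be detected on the network side without knowing the generation algorithm, which the analysis does not publish. The following is an added example for this page, not Microsoft's code. It shows the two pieces an analyst would want: extracting the date the virus would use as its seed from a google.com reply (the `Date:` header is an assumption; the analysis only says the date is taken from the response), and flagging query names that have the shape of the four published samples (fifteen lowercase letters alternating consonant and vowel, with "y" counted as a vowel, under one of the four suffixes). The HTTP response and DNS log lines are constructed samples.

```python
"""Network-side checks for the Bamital.P beaconing described in the analysis.

Added example (not Microsoft's code). The DGA itself is not documented on the
page, so candidate domains are recognised by the shape of the four published
samples rather than regenerated. All sample data below is constructed.
"""
from datetime import date
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Suffixes listed in the analysis.
BAMITAL_SUFFIXES = ("co.cc", "in", "org", "uni.me")
# "y" behaves as a vowel in all four published samples (e.g. bemitulavYrukaf).
VOWELS = set("aeiouy")

# Constructed: a typical redirect reply from google.com, carrying a Date header.
SAMPLE_HTTP_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://www.google.com/\r\n"
    b"Date: Mon, 13 Feb 2012 09:59:58 GMT\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed: "<timestamp> <client> <qtype> <qname>" resolver log lines, with
# the four sample domains from the analysis mixed into ordinary traffic.
SAMPLE_DNS_LOG = """\
2012-02-13T10:00:00Z 10.0.0.15 A www.google.com
2012-02-13T10:00:05Z 10.0.0.15 A xocezohiletupid.co.cc
2012-02-13T10:00:06Z 10.0.0.15 A bemitulavyrukaf.in
2012-02-13T10:00:07Z 10.0.0.15 A qopakynixijiwoc.org
2012-02-13T10:00:08Z 10.0.0.15 A rypymubuxyvurar.uni.me
2012-02-13T10:00:09Z 10.0.0.22 A update.example.org
2012-02-13T10:00:10Z 10.0.0.22 A wikipedia.org
"""


def extract_http_date(raw_response: bytes) -> Optional[date]:
    """Return the calendar date from the HTTP Date: header, or None if absent.

    Assumption: the virus reads the Date header; the analysis only states that
    the current date is taken from the response.
    """
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"date":
            return parsedate_to_datetime(value.strip().decode("ascii")).date()
    return None


def looks_bamital_generated(label: str) -> bool:
    """Shape heuristic from the four published labels: 15 letters, C/V alternating."""
    if len(label) != 15 or not label.isalpha() or not label.islower():
        return False
    is_vowel = [c in VOWELS for c in label]
    return all(is_vowel[i] != is_vowel[i + 1] for i in range(len(label) - 1))


def is_bamital_candidate(domain: str) -> bool:
    """True if domain is <bamital-shaped label>.<one of the four suffixes>."""
    name = domain.lower().rstrip(".")
    for suffix in BAMITAL_SUFFIXES:
        if name.endswith("." + suffix):
            return looks_bamital_generated(name[: -len(suffix) - 1])
    return False


def scan_dns_log(log_text: str) -> List[str]:
    """Return "<timestamp> <client> <qname>" for each candidate query."""
    hits: List[str] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        if is_bamital_candidate(parts[-1]):
            hits.append(f"{parts[0]} {parts[1]} {parts[-1]}")
    return hits


if __name__ == "__main__":
    print("seed date:", extract_http_date(SAMPLE_HTTP_RESPONSE))
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

The shape test is a triage aid derived from four samples, not a specification of the generator: it will miss a variant that changes label length or suffix list, and a legitimate fifteen-letter alternating name under .in or .org would trigger it. Treat a hit as a reason to pull the host's registry and the files listed under Installation, not as a verdict on its own; pairing it with the google.com polling every five seconds from the same client is the stronger signal.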



Analysis by Amir Fouda

Last update 25 February 2012