
Trojan:Win32/Bamital.N


First posted on 12 July 2011.
Source: SecurityHome

Aliases:

Trojan:Win32/Bamital.N is also known as Trojan.Hottrend (Dr.Web), Win32/Bamital.FM trojan (ESET).

Explanation:

Trojan:Win32/Bamital.N is the detection for malware that intercepts web browser traffic and redirects search engine results. It also redirects access to certain websites to the local host.


Installation

Trojan:Win32/Bamital.N may be dropped and loaded into "spoolsv.exe" by TrojanDropper:Win32/Bamital.D.

Trojan:Win32/Bamital.N tries to connect to a remote server to report the infection of the affected computer.



Payload

Redirects user searches
Trojan:Win32/Bamital.N connects to a remote server to obtain a URL address. When a user performs searches on the Internet, the browser is redirected to this obtained URL address instead.

In the wild, it has been known to redirect searches to the website "searchportal.information.com". However, as of this writing, this site is unavailable.

Intercepts web traffic
Trojan:Win32/Bamital.N tries to inject its code into running web browser processes, for example, "iexplore.exe", "firefox.exe" and "opera.exe". It also intercepts the "CreateProcessInternalW" API to make sure it injects the same code into newly created processes.

Trojan:Win32/Bamital.N tries to intercept web browser traffic and redirect search engine results. It also redirects attempts to access the following websites to the local system by modifying the Hosts file:

  • 82.165.237.14
  • 82.165.250.33
  • akamai.avg.com
  • anti-virus.by
  • antivir.es
  • avast.com
  • avg.com
  • avp.com
  • avp.ru
  • avp.ru/download/
  • avpg.crsi.symantec.com
  • backup.avg.cz
  • bancoguayaquil.com
  • bcpzonasegura.viabcp.com
  • bitdefender.com
  • clamav.net
  • comodo.com
  • customer.symantec.com
  • dispatch.mcafee.com
  • download.mcafee.com
  • download.microsoft.com
  • downloads.microsoft.com
  • downloads1.kaspersky-labs.com
  • downloads1.kaspersky-labs.com/products/
  • downloads1.kaspersky-labs.com/updates/
  • downloads2.kaspersky-labs.com
  • downloads2.kaspersky-labs.com/products/
  • downloads2.kaspersky-labs.com/updates/
  • downloads3.kaspersky-labs.com
  • downloads3.kaspersky-labs.com/products/
  • downloads3.kaspersky-labs.com/updates/
  • downloads4.kaspersky-labs.com
  • downloads4.kaspersky-labs.com/products/
  • downloads4.kaspersky-labs.com/updates/
  • downloads5.kaspersky-labs.com
  • downloads5.kaspersky-labs.com/products/
  • downloads5.kaspersky-labs.com/updates/
  • drweb.com
  • emsisoft.com
  • eset.com
  • eset.com/
  • eset.com/download/index.php
  • eset.com/joomla/
  • eset.com/products/index.php
  • eset.es
  • f-prot.com
  • f-secure.com
  • fortinet.com
  • gdata.es
  • go.microsoft.com
  • hacksoft.com.pe
  • ikarus.at
  • kaspersky-labs.com
  • kaspersky.com
  • kaspersky.ru
  • liveupdate.symantec.com
  • liveupdate.symantecliveupdate.com
  • macafee.com
  • mast.mcafee.com
  • mcafee.com
  • microsoft.com
  • msdn.microsoft.com
  • my-etrust.com
  • networkassociates.com
  • nod32.com
  • norman.com
  • norton.com
  • nprotect.com
  • pandasecurity.com
  • pandasoftware.com
  • pctools.com
  • pif.symantec.com
  • pifmain.symantec.com
  • rads.mcafee.com
  • rising-global.com
  • scanner.novirusthanks.org
  • secure.nai.com
  • securityresponse.symantec.com
  • service1.symantec.com
  • sophos.com
  • sunbeltsoftware.com
  • support.microsoft.com
  • symantec.com
  • symantec.com/updates
  • threatexpert.com
  • trendmicro.com
  • u2.eset.com
  • u20.eset.com
  • u3.eset.com
  • u3.eset.com/
  • u4.eset.com
  • u4.eset.com/
  • u7.eset.com
  • update.avg.com
  • update.microsoft.com
  • update.symantec.com
  • updates.symantec.com
  • updates1.kaspersky-labs.com
  • updates2.kaspersky-labs.com
  • updates3.kaspersky-labs.com
  • us.mcafee.com
  • viabcp.com
  • virscan.org
  • virusbuster.hu
  • viruslist.com
  • viruslist.ru
  • virusscan.jotti.org
  • virustotal.com
  • windowsupdate.microsoft.com
  • www.ahnlab.com
  • www.aladdin.com
  • www.antivir.es
  • www.antiy.net
  • www.authentium.com
  • www.avast.com
  • www.avg.com
  • www.avp.com
  • www.avp.ru
  • www.avp.ru/download/
  • www.bitdefender.com
  • www.clamav.net
  • www.comodo.com
  • www.download.mcafee.com
  • www.drweb.com
  • www.emsisoft.com
  • www.eset.com
  • www.eset.com/
  • www.eset.com/download/index.php
  • www.eset.com/joomla/
  • www.eset.com/products/index.php
  • www.f-prot.com
  • www.f-secure.com
  • www.fortinet.com
  • www.gdata.es
  • www.grisoft.com
  • www.ikarus.at
  • www.kaspersky-labs.com
  • www.kaspersky.com
  • www.kaspersky.ru
  • www.macafee.com
  • www.mcafee.com
  • www.microsoft.com
  • www.my-etrust.com
  • www.networkassociates.com
  • www.nod32.com
  • www.norman.com
  • www.norton.com
  • www.nprotect.com
  • www.pandasecurity.com
  • www.pandasoftware.com
  • www.pctools.com
  • www.rising-global.com
  • www.scanner.novirusthanks.org
  • www.sophos.com
  • www.sunbeltsoftware.com
  • www.symantec.com
  • www.symantec.com/updates
  • www.trendmicro.com
  • www.virscan.org
  • www.viruslist.com
  • www.viruslist.ru
  • www.virusscan.jotti.org
  • www.virustotal.com
  • www.windowsupdate.microsoft.com
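A defender-side check for the Hosts-file tampering described above, as an added Python example that is not code from this page or from the analysis it summarises: it parses Hosts-file text and flags any line that maps one of the listed security-vendor or update domains (or a subdomain of one) to a local sink address (127.0.0.1, ::1 or 0.0.0.0), which is exactly the effect the payload section describes. The sample Hosts content is constructed for the example; the target set is a subset of the domains listed on this page; the Windows Hosts path is the standard location, and the function names (`parse_hosts`, `find_suspicious_entries`, `scan_hosts_file`) are my own.

```python
import ipaddress
from pathlib import Path

# Subset of the domains this page lists as redirected to the local host
# by Trojan:Win32/Bamital.N; the page's full list is much longer.
BAMITAL_N_HOSTS_TARGETS = frozenset({
    "avast.com", "avg.com", "eset.com", "kaspersky.com", "mcafee.com",
    "microsoft.com", "symantec.com", "virustotal.com",
    "liveupdate.symantec.com", "update.microsoft.com",
    "windowsupdate.microsoft.com",
})

# Standard location of the Hosts file on Windows.
WINDOWS_HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")


def parse_hosts(text):
    """Return a list of (ip, hostname, line_no) tuples from Hosts-file text.

    Comments ('#' to end of line) and blank lines are skipped. One line may map
    a single IP to several hostnames, so each name becomes its own tuple.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((ip, name.lower().rstrip("."), line_no))
    return entries


def is_local_sink(ip):
    """True if the address sends traffic nowhere: loopback or unspecified."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address field; not what this check is for
    return addr.is_loopback or addr.is_unspecified


def matches_target(hostname, targets):
    """Exact or subdomain match: 'www.avast.com' matches target 'avast.com'."""
    labels = hostname.split(".")
    return any(".".join(labels[i:]) in targets for i in range(len(labels)))


def find_suspicious_entries(text, targets=BAMITAL_N_HOSTS_TARGETS):
    """Return (line_no, ip, hostname) for every mapping that sinks a target locally."""
    return [
        (line_no, ip, name)
        for ip, name, line_no in parse_hosts(text)
        if is_local_sink(ip) and matches_target(name, targets)
    ]


def scan_hosts_file(path=WINDOWS_HOSTS_PATH):
    """Read a real Hosts file and return its suspicious entries (empty if absent)."""
    if not path.exists():
        return []
    return find_suspicious_entries(path.read_text(encoding="utf-8", errors="replace"))


# Constructed sample Hosts content mimicking an infected machine: the first
# three lines are the normal Windows defaults, the next three are the kind of
# entries described on this page, and the last two are benign local overrides.
SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-2009 Microsoft Corp.",
    "127.0.0.1       localhost",
    "::1             localhost",
    "127.0.0.1 www.avast.com avast.com",
    "127.0.0.1 update.microsoft.com windowsupdate.microsoft.com",
    "0.0.0.0 liveupdate.symantec.com",
    "192.168.1.10 intranet.example.test   # legitimate internal override",
    "127.0.0.1 mydevbox.local",
])

if __name__ == "__main__":
    for line_no, ip, name in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
    for line_no, ip, name in scan_hosts_file():
        print(f"[live Hosts file] line {line_no}: {name} -> {ip}")
```

On the constructed sample the check reports five entries (lines 4 to 6) and ignores the default localhost lines and the internal override. Matching on the domain suffix rather than the literal string is deliberate: the page's list mixes bare domains, `www.` hosts and path-like strings, and a suffix match catches the same vendor regardless of which form the Hosts file carries.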




Analysis by Tim Liu

Last update 12 July 2011
