Home / malware Trojan:Win32/Bamital.N
First posted on 12 July 2011.
Source: SecurityHomeAliases :
Trojan:Win32/Bamital.N is also known as Trojan.Hottrend (Dr.Web), Win32/Bamital.FM trojan (ESET).
Explanation :
Trojan:Win32/Bamital.N is the detection for malware that intercepts web browser traffic and redirects search engine results. It also redirects access to certain websites to the local host.
Top
Trojan:Win32/Bamital.N is the detection for malware that intercepts web browser traffic and redirects search engine results. It also redirects access to certain websites to the local host.
Installation
Trojan:Win32/Bamital.N may be dropped and loaded into "spoolsv.exe" by TrojanDropper:Win32/Bamital.D.
Trojan:Win32/Bamital.N tries to connect to a remote server to report infection of the affected computer.
Payload
Redirects user searches
Trojan:Win32/Bamital.N connects to a remote server to obtain a URL address. When a user performs searches on the Internet, the browser is redirected to this obtained URL address instead.
In the wild, it has been known to redirect searches to the website "searchportal.information.com". However, as of this writing, this site is currently unavailable.
Intercepts web traffic
Trojan:Win32/Bamital.N tries to inject its code into running web browser processes, for example, "iexplore.exe", "firefox.exe" and "opera.exe". It also intercepts the "CreateProcessInternalW" API to make sure it injects the same code into newly created processes.
Trojan:Win32/Bamital.N tries to intercept web browser traffic and redirect search engine results. It also redirects attempts to access the following websites to the local system by modifying the Hosts file:
- 82.165.237.14
- 82.165.250.33
- akamai.avg.com
- anti-virus.by
- antivir.es
- avast.com
- avg.com
- avp.com
- avp.ru
- avp.ru/download/
- avpg.crsi.symantec.com
- backup.avg.cz
- bancoguayaquil.com
- bcpzonasegura.viabcp.com
- bitdefender.com
- clamav.net
- comodo.com
- customer.symantec.com
- dispatch.mcafee.com
- download.mcafee.com
- download.microsoft.com
- downloads.microsoft.com
- downloads1.kaspersky-labs.com
- downloads1.kaspersky-labs.com/products/
- downloads1.kaspersky-labs.com/updates/
- downloads2.kaspersky-labs.com
- downloads2.kaspersky-labs.com/products/
- downloads2.kaspersky-labs.com/updates/
- downloads3.kaspersky-labs.com
- downloads3.kaspersky-labs.com/products/
- downloads3.kaspersky-labs.com/updates/
- downloads4.kaspersky-labs.com
- downloads4.kaspersky-labs.com/products/
- downloads4.kaspersky-labs.com/updates/
- downloads5.kaspersky-labs.com
- downloads5.kaspersky-labs.com/products/
- downloads5.kaspersky-labs.com/updates/
- drweb.com
- emsisoft.com
- eset.com
- eset.com/
- eset.com/download/index.php
- eset.com/joomla/
- eset.com/products/index.php
- eset.es
- f-prot.com
- f-secure.com
- fortinet.com
- gdata.es
- go.microsoft.com
- hacksoft.com.pe
- ikarus.at
- kaspersky-labs.com
- kaspersky.com
- kaspersky.ru
- liveupdate.symantec.com
- liveupdate.symantecliveupdate.com
- macafee.com
- mast.mcafee.com
- mcafee.com
- microsoft.com
- msdn.microsoft.com
- my-etrust.com
- networkassociates.com
- nod32.com
- norman.com
- norton.com
- nprotect.com
- pandasecurity.com
- pandasoftware.com
- pctools.com
- pif.symantec.com
- pifmain.symantec.com
- rads.mcafee.com
- rising-global.com
- scanner.novirusthanks.org
- secure.nai.com
- securityresponse.symantec.com
- service1.symantec.com
- sophos.com
- sunbeltsoftware.com
- support.microsoft.com
- symantec.com
- symantec.com/updates
- threatexpert.com
- trendmicro.com
- u2.eset.com
- u20.eset.com
- u3.eset.com
- u3.eset.com/
- u4.eset.com
- u4.eset.com/
- u7.eset.com
- update.avg.com
- update.microsoft.com
- update.symantec.com
- updates.symantec.com
- updates1.kaspersky-labs.com
- updates2.kaspersky-labs.com
- updates3.kaspersky-labs.com
- us.mcafee.com
- viabcp.com
- virscan.org
- virusbuster.hu
- viruslist.com
- viruslist.ru
- virusscan.jotti.org
- virustotal.com
- windowsupdate.microsoft.com
- www.ahnlab.com
- www.aladdin.com
- www.antivir.es
- www.antiy.net
- www.authentium.com
- www.avast.com
- www.avg.com
- www.avp.com
- www.avp.ru
- www.avp.ru/download/
- www.bitdefender.com
- www.clamav.net
- www.comodo.com
- www.download.mcafee.com
- www.drweb.com
- www.emsisoft.com
- www.eset.com
- www.eset.com/
- www.eset.com/download/index.php
- www.eset.com/joomla/
- www.eset.com/products/index.php
- www.f-prot.com
- www.f-secure.com
- www.fortinet.com
- www.gdata.es
- www.grisoft.com
- www.ikarus.at
- www.kaspersky-labs.com
- www.kaspersky.com
- www.kaspersky.ru
- www.macafee.com
- www.mcafee.com
- www.microsoft.com
- www.my-etrust.com
- www.networkassociates.com
- www.nod32.com
- www.norman.com
- www.norton.com
- www.nprotect.com
- www.pandasecurity.com
- www.pandasoftware.com
- www.pctools.com
- www.rising-global.com
- www.scanner.novirusthanks.org
- www.sophos.com
- www.sunbeltsoftware.com
- www.symantec.com
- www.symantec.com/updates
- www.trendmicro.com
- www.virscan.org
- www.viruslist.com
- www.viruslist.ru
- www.virusscan.jotti.org
- www.virustotal.com
- www.windowsupdate.microsoft.com
Analysis by Tim Liu
Last update 12 July 2011
