
TrojanDropper:Win32/Bamital.G


First posted on 13 July 2010.
Source: SecurityHome

Aliases :

TrojanDropper:Win32/Bamital.G is also known as Trojan-Dropper.Win32.Drooptroop.cpx (Kaspersky), W32/Suspicious_Gen2.BCXIW (Norman), Trojan.DR.Drooptroop.ASI (VirusBuster), Trojan horse BackDoor.Generic12.BSPS (AVG), TR/Drop.Drooptroop.cpy (Avira), Gen:Variant.Kates.2 (BitDefender), Win32/Bamital.DA (ESET), BackDoor-DKI.gen.cm (McAfee), Mal/Bamital-A (Sophos), Trojan.Win32.Bamital.G (Sunbelt Software).

Explanation :

TrojanDropper:Win32/Bamital.G is a detection for trojans that monitor and modify Web search queries and display advertisements, as well as modifying system DLLs such as "user32.dll".

Installation

Upon execution, TrojanDropper:Win32/Bamital.G creates the following folder and files as part of its installation process:

  • %APPDATA%\Windows Server
  • <system folder>\hlp.dat – this file contains the trojan's payload code

The trojan also creates a randomly named registry key, such as the one below, and uses it to store its payload code as well as other data it uses for its own purposes.

Adds value: "yhhhxnitkp"
To subkey: HKCU\Software\yhhhxnitkp

Payload

Modifies system files

TrojanDropper:Win32/Bamital.G modifies the following system DLLs:

  • <system folder>\dllcache\user32.dll
  • <system folder>\dllcache\ws2_32.dll
  • <system folder>\dllcache\ws2help.dll

The trojan also modifies the same DLLs in the system folder itself:

  • <system folder>\user32.dll
  • <system folder>\ws2_32.dll
  • <system folder>\ws2help.dll

The trojan does this so that the above DLLs load the dropped file <system folder>\hlp.dat whenever they are loaded by one of the following:

  • iexplore.exe
  • firefox.exe
  • opera.exe

DLLs modified by TrojanDropper:Win32/Bamital.G are detected as Virus:Win32/Bamital.A.

Modifies browsing behavior

The code contained in the file <system folder>\hlp.dat is used to monitor and modify web search queries and display its own online advertisements.

Disables System Restore

TrojanDropper:Win32/Bamital.G disables System Restore by making the following registry modifications:

Modifies value: "FirstRun"
With data: "1"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\sr\Parameters

Removes value: "DisableSR"
From subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore

Connects to a remote server

TrojanDropper:Win32/Bamital.G may also send information to, and download additional data from, the domain "smartcontrol.info".
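As a defender-side illustration added here (not part of the original write-up), the following Python checks a host snapshot for the installation and System Restore indicators listed above. The system folder path, the snapshot dict layout and every hash value are assumptions or constructed sample data; the baseline hashes stand in for ones taken from clean install media, which matters because this trojan patches both the live DLL and its dllcache copy, so comparing the two copies to each other would not reveal the change.

```python
import hashlib

SYSTEM = r"C:\Windows\System32"   # assumed expansion of <system folder>
PAYLOAD = SYSTEM + r"\hlp.dat"
TARGET_DLLS = ("user32.dll", "ws2_32.dll", "ws2help.dll")
SR_PARAMS = r"HKLM\SYSTEM\CurrentControlSet\Services\sr\Parameters"
SR_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"


def triage(host, baseline):
    """host = {"files": {path: sha256}, "registry": {subkey: {value: data}}}
    baseline = {dll name: known-good sha256 from clean install media}
    Returns a list of findings (empty list means none of the indicators hit)."""
    findings = []
    files, reg = host["files"], host["registry"]
    if PAYLOAD.lower() in {p.lower() for p in files}:
        findings.append(f"payload file present: {PAYLOAD}")
    for dll in TARGET_DLLS:
        # Bamital.G patches both the live copy and the dllcache copy, so
        # "live == dllcache" proves nothing; compare each against the baseline.
        for label, path in ((dll, f"{SYSTEM}\\{dll}"),
                            (f"dllcache\\{dll}", f"{SYSTEM}\\dllcache\\{dll}")):
            digest = files.get(path)
            if digest is not None and digest != baseline.get(dll):
                findings.append(f"{label} differs from known-good hash")
    if reg.get(SR_PARAMS, {}).get("FirstRun") == "1":
        findings.append(f"FirstRun=1 under {SR_PARAMS}")
    if "DisableSR" not in reg.get(SR_KEY, {}):
        findings.append(f"DisableSR value missing under {SR_KEY}")
    return findings


def _h(s):  # deterministic placeholder hashes for the constructed samples
    return hashlib.sha256(s.encode()).hexdigest()

KNOWN_GOOD = {d: _h("clean:" + d) for d in TARGET_DLLS}      # constructed
PATCHED = {d: _h("patched:" + d) for d in TARGET_DLLS}       # constructed

# Constructed hosts: infected (both DLL copies patched identically, System
# Restore reset) and clean (baseline hashes, DisableSR still present).
INFECTED_HOST = {
    "files": {PAYLOAD: _h("payload"),
              **{f"{SYSTEM}\\{d}": PATCHED[d] for d in TARGET_DLLS},
              **{f"{SYSTEM}\\dllcache\\{d}": PATCHED[d] for d in TARGET_DLLS}},
    "registry": {SR_PARAMS: {"FirstRun": "1"}, SR_KEY: {}},
}
CLEAN_HOST = {
    "files": {**{f"{SYSTEM}\\{d}": KNOWN_GOOD[d] for d in TARGET_DLLS},
              **{f"{SYSTEM}\\dllcache\\{d}": KNOWN_GOOD[d] for d in TARGET_DLLS}},
    "registry": {SR_PARAMS: {"FirstRun": "0"}, SR_KEY: {"DisableSR": "0"}},
}
```

Running `triage(INFECTED_HOST, KNOWN_GOOD)` reports the payload file, all six patched DLL copies and both System Restore changes, while the clean host yields no findings.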

    Analysis by Amir Fouda

    Last update 13 July 2010
