Threat Encyclopedia


Win32/Bamital.AN

Aliases: Trojan-Dropper.Win32.Drooptroop.abu (Kaspersky), BackDoor-DKI.gen.bz (McAfee), Trojan.Siggen1.15303 (Dr.Web)
Type of infiltration: Trojan
Size: 37888 B
Affected platforms: Microsoft Windows
Signature database version: 4992 (20100401)

Short description

Win32/Bamital.AN is a trojan that redirects the results of online search engines to web sites that contain adware. It uses techniques common to rootkits.

Installation

When executed, the trojan creates the following files:
  • %appdata%\Windows Server\etc\sdb.dll (3072 B)
  • %templates%\memory.tmp (37888 B)
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
    "AppSecDll" = "%appdata%\Windows Server\etc\sdb.dll"
This way the trojan ensures that the libraries with the following names will be injected into all running processes:
  • %appdata%\Windows Server\etc\sdb.dll
The following Registry entry is deleted:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = %value%
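The AppCertDlls mechanism described above is a generic persistence and injection point, so a responder usually wants to audit it rather than look for one sample. The script below is an added example written for this entry; it is not ESET's code and not part of the original description. It enumerates every value under the AppCertDlls key and flags entries that point outside %SystemRoot% or to a file that no longer exists, then looks for the dropped files this entry lists (assumed to expand to `%appdata%\Windows Server\etc\sdb.dll` and `%templates%\memory.tmp`) in every user profile. It assumes a Windows Vista or later profile layout and an elevated session so that other users' profiles are readable; the 37888-byte size check is taken from the file size stated in this entry.

```powershell
# Added audit script (not part of the ESET entry). Read-only: it reports, it does not remediate.
$findings = @()

# 1. AppCertDlls: each value is a DLL that Windows loads into processes created through
#    CreateProcess. Legitimate entries are rare, so anything outside %SystemRoot% or
#    pointing to a missing file is worth a closer look.
$appCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
if (Test-Path -LiteralPath $appCertKey) {
    $item = Get-ItemProperty -LiteralPath $appCertKey
    foreach ($prop in $item.PSObject.Properties) {
        # Get-ItemProperty adds provider metadata properties; they are not registry values.
        if ($prop.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        $dll = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
        $inSystemRoot = $dll -like "$env:SystemRoot\*"
        $findings += [pscustomobject]@{
            Check   = 'AppCertDlls'
            Name    = $prop.Name
            Value   = $dll
            Suspect = (-not $inSystemRoot) -or (-not (Test-Path -LiteralPath $dll))
        }
    }
} else {
    $findings += [pscustomobject]@{ Check='AppCertDlls'; Name='(key absent)'; Value=''; Suspect=$false }
}

# 2. Dropped files from this entry, checked in every profile under the Users directory.
#    Relative paths are assumptions about where %appdata% and %templates% resolve.
$relativeCandidates = @(
    'AppData\Roaming\Windows Server\etc\sdb.dll',
    'AppData\Roaming\Microsoft\Windows\Templates\memory.tmp'
)
$profileRoots = Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue
foreach ($root in $profileRoots) {
    foreach ($rel in $relativeCandidates) {
        $candidate = Join-Path $root.FullName $rel
        if (Test-Path -LiteralPath $candidate) {
            $size = (Get-Item -LiteralPath $candidate).Length
            $findings += [pscustomobject]@{
                Check   = 'DroppedFile'
                Name    = $root.Name
                Value   = "$candidate ($size B)"
                # memory.tmp is listed as 37888 B; sdb.dll is flagged on presence alone.
                Suspect = ($rel -like '*sdb.dll') -or ($size -eq 37888)
            }
        }
    }
}

# 3. Report. Non-zero exit code lets this run from a scheduled task or EDR script job.
$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
if ($findings | Where-Object Suspect) { exit 1 } else { exit 0 }
```

Because AppCertDlls entries load into processes across the machine, a hit under a user profile path is a strong signal on its own; the file checks mainly confirm which profile the infection belongs to. A clean host normally has no AppCertDlls key at all, which the script reports explicitly so that its absence is not mistaken for a failed read.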

Other information

The trojan can redirect results of online search engines to web sites that contain adware.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of URLs. The HTTP protocol is used.

The trojan hooks the following Windows APIs:
  • recv (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • send (ws2_32.dll)
  • closesocket (ws2_32.dll)
  • NtClose (ntdll.dll)
  • WaitForSingleObject (kernel32.dll)
  • CreateProcessInternalW (kernel32.dll)
The trojan may create the following files:
  • config.data
  • worker.info
  • temp.ini
  • thread.xml
  • user32.dll
  • conf.dat
  • work.dat
  • twin.dat
  • uses32.dat
  • flags.ini
The trojan may set the following Registry entries:
  • [HKEY_CURRENT_USER\Software\hxyzetcsdb]
    "hxyzetcsdb" = %hex_value%
    "Run" = "%variable1%"
    "ID" = "%variable2%"
    "TimeGetWork" = "%variable3%"
A string with variable content is used instead of %variable1-3%.