Threat Encyclopedia


Short description
Win32/Bamital.B is a trojan that redirects results of online search engines to web sites that contain adware. It uses techniques common for rootkits.
Installation
When executed, the trojan creates the following files:
  • %system%\wincert.dll (38912 B)
  • %system%\curslib.dll (32768 B)
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
    "AppSecDll" = "%system%\wincert.dll"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
    "FirstRun" = 1
Windows loads every DLL listed under the AppCertDlls key into each process that calls a CreateProcess-family function, so with this entry the trojan ensures that the libraries with the following names are injected into all running processes:
  • %system%\curslib.dll
The following Registry entry is deleted:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = %value%
Other information
The trojan can redirect results of online search engines to web sites that contain adware.

The trojan is sent data and commands from a remote computer or the Internet. The trojan contains a list of (1) URLs. The HTTP protocol is used.

The trojan hooks the following Windows APIs:
  • recv (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • send (ws2_32.dll)
  • closesocket (ws2_32.dll)
The trojan may create the following files:
  • %system%\config.data
  • %system%\worker.info
  • %system%\thread.xml
  • %system%\uses32.dat
  • %system%\flags.ini
The trojan may set the following Registry entries:
  • [HKEY_CURRENT_USER\Software\UpdateGMT]
    "RunTime" = "%variable1%"
    "Run" = "%variable2%"
    "TimeGetWork" = "%variable3%"
A string with variable content is used instead of %variable1-3%.
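The following checker is an added example and is not part of the original encyclopedia entry; it turns the Installation and Other information indicators above (the AppCertDlls persistence entry, the dropped files under %system%, and the UpdateGMT values) into an offline triage script. It parses a plain .reg export plus a directory listing instead of reading the live registry, so it runs anywhere; the sample export and listing embedded below are constructed, and the allowlist of legitimate AppCertDlls entries is an assumption that a defender would fill in from a known-good baseline.

```python
"""
Offline indicator check for the Win32/Bamital.B entry above (added
example, not the original page's or any vendor's code). Inputs are a
.reg export (e.g. from `reg export`) and a file listing of %system%;
both samples here are constructed.
"""
import re
from typing import Dict, List, Tuple

# Registry keys named in the encyclopedia entry (backslashes restored).
APPCERT_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
               r"\Session Manager\AppCertDlls")
UPDATEGMT_KEY = r"HKEY_CURRENT_USER\Software\UpdateGMT"
UPDATEGMT_VALUES = ("RunTime", "Run", "TimeGetWork")

# File names the entry says the trojan creates in %system%.
FILE_INDICATORS = {
    "wincert.dll", "curslib.dll", "config.data", "worker.info",
    "thread.xml", "uses32.dat", "flags.ini",
}

# Constructed sample .reg export (string values escape '\' as '\\').
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"="C:\\Windows\\system32\\wincert.dll"

[HKEY_CURRENT_USER\Software\UpdateGMT]
"RunTime"="1282141"
"Run"="1"
"TimeGetWork"="60"
'''

# Constructed sample directory listing of %system%.
SAMPLE_LISTING = [
    r"C:\Windows\system32\kernel32.dll",
    r"C:\Windows\system32\curslib.dll",
    r"C:\Windows\system32\flags.ini",
]


def _decode_value(raw: str):
    """Decode a .reg value: quoted strings are unescaped, dword: is hex."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Map each [key] in a .reg export to its {name: value} pairs."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def check_appcertdlls(reg: Dict[str, Dict[str, object]],
                      allowlist=frozenset()) -> List[Tuple[str, str]]:
    """Flag every AppCertDlls value whose DLL is not on the baseline allowlist.

    On most hosts this key has no values at all, so any entry deserves a look.
    """
    findings = []
    for name, value in reg.get(APPCERT_KEY, {}).items():
        dll = str(value).rsplit("\\", 1)[-1].lower()
        if dll not in allowlist:
            findings.append((name, str(value)))
    return findings


def check_system_dir(listing: List[str]) -> List[str]:
    """Return listing entries whose file name matches a dropped-file indicator."""
    return sorted(p for p in listing
                  if p.rsplit("\\", 1)[-1].lower() in FILE_INDICATORS)


def check_updategmt(reg: Dict[str, Dict[str, object]]) -> List[str]:
    """Return which of the UpdateGMT value names from the entry are present."""
    present = reg.get(UPDATEGMT_KEY, {})
    return sorted(n for n in UPDATEGMT_VALUES if n in present)


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    print("AppCertDlls:", check_appcertdlls(parsed))
    print("Dropped files:", check_system_dir(SAMPLE_LISTING))
    print("UpdateGMT values:", check_updategmt(parsed))
```

The AppCertDlls check is the one worth keeping after this particular sample is gone: the key is a legitimate Windows extension point, so a finding there is "unexpected entry", not "Bamital"; the file-name and UpdateGMT checks are specific to this entry and are there to confirm rather than to hunt.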