Threat Encyclopedia

Win32/Bamital.X

Aliases: Trojan-Dropper.Win32.Agent.bmki (Kaspersky), TrojanDropper:Win32/Bamital.A (Microsoft), Trojan.Siggen.49592 (Dr.Web)
Type of infiltration: Trojan
Size: 43520 B
Affected platforms: Microsoft Windows
Signature database version: 4891 (20100223)

Short description

Win32/Bamital.X is a trojan that redirects the results of online search engines to web sites that contain adware. It uses techniques common to rootkits.

Installation

When executed, the trojan copies itself into the following location:
  • %system%\info.tmp (43520 B)
The following files are dropped into the %system% folder:
  • mshlps.dll (3072 B)
  • kbdsock.dll (3072 B)
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs" = "%system%\kbdsock.dll"
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
    "AppSecDll" = "%system%\mshlps.dll"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs" = 1
This way the trojan ensures that the libraries with the following names will be injected into all running processes:
  • %system%\kbdsock.dll
  • %system%\mshlps.dll
The following Registry entry is deleted:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = %value%
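The two Registry locations above (AppInit_DLLs with LoadAppInit_DLLs, and AppCertDlls) are the persistence points a responder would check first. The script below is an added example, not ESET's code: it parses a registry export in `reg export` text form and reports every value in those keys. SAMPLE_REG is a constructed export that mirrors the entries listed above; the DLL names come from this page, while the full `C:\Windows\system32` paths and the audit thresholds (AppInit_DLLs normally empty, AppCertDlls normally without values) are assumptions.

```python
"""Audit a Windows registry export (.reg text) for the DLL-injection
persistence points this page describes: AppInit_DLLs / LoadAppInit_DLLs and
AppCertDlls. Added example, not ESET's code; SAMPLE_REG is a constructed
export that mirrors the entries listed above."""
import re
from typing import Dict, List, Tuple

# Real Windows key paths (as named on this page); matching is case-insensitive.
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
APPCERT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls"

# Constructed sample: what `reg export` would emit on an infected host. The
# DLL names and values come from this page; the absolute paths are assumed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\system32\\kbdsock.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"="C:\\Windows\\system32\\mshlps.dll"
'''

# key (lowercased) -> value name (lowercased) -> (original name, data)
RegTree = Dict[str, Dict[str, Tuple[str, object]]]


def parse_reg_export(text: str) -> RegTree:
    """Parse the .reg subset used here: [key] headers, "name"="string" and
    "name"=dword:XXXXXXXX. Other data types are kept as their raw text."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            value: object = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            # .reg files escape backslashes and quotes inside string data
            value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            value = data
        tree[current][name.lower()] = (name, value)
    return tree


def audit_dll_injection(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for every injection-related setting.
    AppInit_DLLs is normally empty and AppCertDlls normally has no values."""
    tree = parse_reg_export(reg_text)
    findings: List[Tuple[str, str, str]] = []

    win = tree.get(APPINIT_KEY.lower(), {})
    name, dlls = win.get("appinit_dlls", ("AppInit_DLLs", ""))
    # AppInit_DLLs is a space-, comma- or semicolon-separated list of DLLs
    dll_list = [d for d in re.split(r"[ ,;]+", str(dlls).strip()) if d]
    for dll in dll_list:
        findings.append((APPINIT_KEY, name, dll))
    # LoadAppInit_DLLs = 1 only matters when there is something to load
    load_name, load = win.get("loadappinit_dlls", ("LoadAppInit_DLLs", 0))
    if dll_list and load == 1:
        findings.append((APPINIT_KEY, load_name, str(load)))

    for vname, data in tree.get(APPCERT_KEY.lower(), {}).values():
        findings.append((APPCERT_KEY, vname, str(data)))
    return findings


if __name__ == "__main__":
    for key, vname, data in audit_dll_injection(SAMPLE_REG):
        print(f"{key}\n    {vname} = {data}")
```

On a live host the same audit can be run against the output of `reg export` for the two keys; any DLL reported here that is not an expected, signed component warrants a look at the file itself (the page gives sizes of 3072 B for both dropped libraries).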

Other information

The trojan can redirect results of online search engines to web sites that contain adware.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of URLs. The HTTP protocol is used.

The trojan hooks the following Windows APIs:
  • recv (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • send (ws2_32.dll)
  • closesocket (ws2_32.dll)
  • NtClose (ntdll.dll)
  • WaitForSingleObject (kernel32.dll)
  • CreateProcessInternalW (kernel32.dll)
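Hooks on exported functions such as those listed above are usually installed by overwriting the first bytes of the function with a jump into the injected library, so a standard way to detect them is to compare each export's prologue as mapped in memory with the same bytes in the on-disk image. The code below is an added example with constructed byte buffers, not ESET's code: `build_sample()` fabricates a small module with four exports and an in-memory copy in which three of them have been patched; `find_inline_hooks()` reports the differences and recovers the jump targets for the common 32-bit patch forms. The export names are taken from the list above; the RVAs, prologue bytes and targets are invented.

```python
"""Detect inline (prologue-patching) hooks on exported functions, the kind
this page attributes to the trojan on ws2_32.dll, ntdll.dll and kernel32.dll,
by comparing each export's first bytes in a mapped module with the bytes in
the on-disk image. Added example with constructed buffers, not ESET's code."""
from typing import Dict, List, Optional, Tuple

PROLOGUE_LEN = 8  # bytes compared per export; covers a 5- or 6-byte jump


def classify_patch(rva: int, mem: bytes) -> Tuple[str, Optional[int]]:
    """Name the patch and, for the common 32-bit jump forms, recover its target.
    Targets are module-relative for E9 and absolute for FF 25 / push-ret."""
    if mem[:1] == b"\xe9" and len(mem) >= 5:                  # jmp rel32
        rel = int.from_bytes(mem[1:5], "little", signed=True)
        return "jmp rel32 (E9)", rva + 5 + rel
    if mem[:2] == b"\xff\x25" and len(mem) >= 6:              # jmp [abs32], x86 form
        return "jmp [abs32] (FF 25)", int.from_bytes(mem[2:6], "little")
    if mem[:1] == b"\x68" and len(mem) >= 6 and mem[5:6] == b"\xc3":  # push imm32; ret
        return "push/ret (68 .. C3)", int.from_bytes(mem[1:5], "little")
    return "modified prologue (unclassified)", None


def find_inline_hooks(exports: Dict[str, int], disk_image: bytes,
                      mem_image: bytes) -> List[Tuple[str, str, Optional[int]]]:
    """exports maps export name -> RVA. Returns (name, patch kind, target) for
    every export whose in-memory prologue differs from the on-disk one."""
    hooks: List[Tuple[str, str, Optional[int]]] = []
    for name, rva in sorted(exports.items()):
        disk = disk_image[rva:rva + PROLOGUE_LEN]
        mem = mem_image[rva:rva + PROLOGUE_LEN]
        if disk != mem:
            kind, target = classify_patch(rva, mem)
            hooks.append((name, kind, target))
    return hooks


def build_sample() -> Tuple[Dict[str, int], bytes, bytes]:
    """Constructed module: four exports with the usual hot-patchable prologue
    (mov edi,edi; push ebp; mov ebp,esp), and an in-memory copy in which
    three prologues have been overwritten the way an API hook would."""
    clean = b"\x8b\xff\x55\x8b\xec\x90\x90\x90"
    exports = {"recv": 0x100, "send": 0x120, "WSARecv": 0x140, "closesocket": 0x160}
    disk = bytearray(0x200)
    for rva in exports.values():
        disk[rva:rva + len(clean)] = clean
    mem = bytearray(disk)
    mem[0x100:0x105] = b"\xe9" + (0x1000).to_bytes(4, "little", signed=True)
    mem[0x120:0x125] = b"\xe9" + (0x1800).to_bytes(4, "little", signed=True)
    mem[0x160:0x166] = b"\xff\x25" + (0x7FFD0000).to_bytes(4, "little")
    return exports, bytes(disk), bytes(mem)


if __name__ == "__main__":
    exp, disk, mem = build_sample()
    for name, kind, target in find_inline_hooks(exp, disk, mem):
        shown = f"{target:#x}" if target is not None else "?"
        print(f"{name:12s} {kind:32s} -> {shown}")
```

Against a real process the disk image must first have base relocations applied (and the import address table excluded) before the byte comparison, otherwise every relocated reference is reported as a patch; a hook is convincing when the recovered target lies outside the module's own image, typically inside a library that does not belong to the process.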
The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ME3DOSN00]
    "N0G" = %hex_value1%
    "Z4N0G" = %hex_value2%
    "ME3DOSN00" = %hex_value3%
  • [HKEY_CURRENT_USER\Software\CNDPLZ4N0G]
    "CNDPLZ4N0G" = %hex_value4%
A string with variable content is used instead of %hex_value1-4%.