Trojan:Win32/Bamital.E is a component of the Win32/Bamital family. It is dropped by variants of TrojanDropper:Win32/Bamital and executes code that the dropper previously saved in specific registry keys. That code monitors and modifies Web search queries and displays advertisements. It affects users of the Internet Explorer, Opera, and Firefox browsers.
Installation
Trojan:Win32/Bamital.E arrives on the system as a DLL file and may be installed by variants of TrojanDropper:Win32/Bamital under the following path:
%appdata%\windows server\<6 random letters>.dll
The dropper registers the DLL for loading by creating the following registry entry:
Adds value: "AppSecDll"
With data: "%appdata%\windows server\<6 random letters>.dll"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
Payload
Executes code installed by other malware
The installer, detected as a variant of TrojanDropper:Win32/Bamital, writes the payload code into the registry as follows:
Adds value: "<random 10 letters>"
With data: "<binary code>"
To subkey: HKCU\Software\<random 10 letters>
For example:
Adds value: "itwxgftqnn"
With data: "<binary code>"
To subkey: HKCU\Software\itwxgftqnn
Adds value: "jmtbxetpmk"
With data: "<binary code>"
To subkey: HKCU\Software\jmtbxetpmk
Trojan:Win32/Bamital.E reads the code stored in these registry values into a memory buffer and then executes it from that buffer.
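Both artifacts described so far, the AppCertDlls entry under Installation and the random-named HKCU\Software keys holding binary data under Payload, can be checked for in a registry export. DLLs listed under AppCertDlls are loaded by kernel32 into any process that calls the CreateProcess family of APIs, which is why a user-profile DLL registered there is worth flagging. The scanner below is an added example, not code from the page or from Microsoft; it parses a small .reg-style export constructed to match the page's description (the user name, the six-letter DLL name and the hex bytes are made up) and reports (a) AppCertDlls values that point at a DLL outside System32 and (b) HKCU\Software subkeys named with ten lowercase letters that hold a binary value of the same name. The rule names and the SAMPLE_REG_EXPORT text are the example's own.

```python
import re

# Constructed sample .reg export (not taken from an infected machine). It mimics the
# entries the page describes for Trojan:Win32/Bamital.E plus two benign entries.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"="C:\\Users\\alice\\AppData\\Roaming\\windows server\\qwzrtk.dll"
"KnownGood"="C:\\Windows\\System32\\example.dll"

[HKEY_CURRENT_USER\Software\itwxgftqnn]
"itwxgftqnn"=hex:4d,5a,90,00,03,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft]
"Setting"="1"
"""

APPCERT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls"
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
RANDOM_NAME_RE = re.compile(r'^[a-z]{10}$')   # "<random 10 letters>" as described on the page


def parse_reg_export(text):
    """Turn a .reg export into {key_path: {value_name: raw_data}}.

    Single-line values only; hex data continued across lines with a trailing
    backslash (as regedit writes for long blobs) is not joined here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            keys[current][name] = data
    return keys


def decode_value(data):
    """Classify raw .reg data as ("string", text), ("binary", bytes) or ("other", raw)."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return "string", data[1:-1].replace("\\\\", "\\")    # .reg doubles backslashes
    if data.lower().startswith("hex:"):
        return "binary", bytes.fromhex(data[4:].replace(",", ""))
    return "other", data


def scan(keys):
    """Apply the two Bamital-style rules and return a list of finding dicts."""
    findings = []
    # Rule 1: AppCertDlls should only name DLLs under System32; a DLL in the user's
    # profile (the page's "%appdata%\windows server\<6 random letters>.dll") is suspect.
    for name, data in keys.get(APPCERT_KEY, {}).items():
        kind, path = decode_value(data)
        if kind != "string":
            continue
        if "\\windows\\system32\\" not in path.lower():
            findings.append({"rule": "appcertdlls-nonsystem-dll", "key": APPCERT_KEY,
                             "value": name, "path": path})
    # Rule 2: HKCU\Software\<10 lowercase letters> holding a binary value of the same name.
    for key, values in keys.items():
        parent, _, leaf = key.rpartition("\\")
        if parent.lower() != r"hkey_current_user\software" or not RANDOM_NAME_RE.match(leaf):
            continue
        for name, data in values.items():
            kind, blob = decode_value(data)
            if kind == "binary" and name == leaf:
                findings.append({"rule": "hkcu-software-random-key-with-binary-blob",
                                 "key": key, "value": name, "size": len(blob)})
    return findings


def scan_text(text):
    return scan(parse_reg_export(text))


if __name__ == "__main__":
    for f in scan_text(SAMPLE_REG_EXPORT):
        print(f)
```

On a real system the same two rules can be run over the output of `reg export` for the HKLM\SYSTEM and HKCU\Software hives; the System32 test is deliberately loose, so a legitimate third-party AppCertDlls entry elsewhere will also be reported and should be reviewed rather than treated as confirmed.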
Modifies browsing behavior
Trojan:Win32/Bamital.E patches the following functions of the Windows Sockets module, which browsers use for their network traffic, so that calls to them are redirected to its own malicious routine; this lets it monitor and modify Web search queries and inject its own online advertisements:
recv
WSASend
WSARecv
send
closesocket
WSAAsyncSelect
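The patching described above works by overwriting the first instructions of each listed export (all of them live in ws2_32.dll) with a transfer of control to the malware's routine, so a defender can look at those first bytes and ask whether they still form a normal prologue. The script below is an added example, not code from the page or from Microsoft: `classify_prologue` recognises the common detour encodings (relative and indirect jmp, push/ret, mov rax/jmp rax) and `detour_target` resolves where the inline-encoded ones land. `read_ws2_32_prologues` reads the live bytes through ctypes on Windows only; on any other platform it returns nothing and the constructed SAMPLE_PROLOGUES (made-up addresses and bytes) is used instead.

```python
import struct
import sys

# The ws2_32.dll exports the page lists as patched by Trojan:Win32/Bamital.E.
WS2_32_EXPORTS = ["recv", "WSASend", "WSARecv", "send", "closesocket", "WSAAsyncSelect"]


def classify_prologue(code):
    """Name the detour pattern if a function's first bytes transfer control away, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                        # jmp rel32
        return "jmp rel32"
    if len(code) >= 2 and code[0] == 0xEB:                        # jmp rel8 (short jump)
        return "jmp rel8"
    if len(code) >= 6 and code[:2] == b"\xff\x25":                # jmp [disp32] / jmp [rip+disp32]
        return "jmp indirect"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # push imm32 ; ret
        return "push/ret"
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax ; jmp rax"                                # 64-bit absolute detour
    return None


def detour_target(func_addr, code, pattern):
    """Resolve where the detour lands, for patterns whose target is encoded inline."""
    mask = 0xFFFFFFFFFFFFFFFF
    if pattern == "jmp rel32":
        return (func_addr + 5 + struct.unpack_from("<i", code, 1)[0]) & mask
    if pattern == "jmp rel8":
        return (func_addr + 2 + struct.unpack_from("<b", code, 1)[0]) & mask
    if pattern == "push/ret":
        return struct.unpack_from("<I", code, 1)[0]
    if pattern == "mov rax ; jmp rax":
        return struct.unpack_from("<Q", code, 2)[0]
    return None   # indirect jmp: the target sits in memory, not in the prologue bytes


def audit_prologues(prologues):
    """prologues: {export_name: (address, first_bytes)} -> list of findings for patched exports."""
    findings = []
    for name, (addr, code) in prologues.items():
        pattern = classify_prologue(code)
        if pattern:
            findings.append({"export": name, "address": addr, "pattern": pattern,
                             "target": detour_target(addr, code, pattern)})
    return findings


def read_ws2_32_prologues(length=16):
    """Windows only: read the first bytes of each listed export from ws2_32.dll as loaded
    into this process. Returns {} elsewhere so the module imports cleanly on any OS."""
    if sys.platform != "win32":
        return {}
    import ctypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetProcAddress.restype = ctypes.c_void_p
    kernel32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    ws2 = ctypes.WinDLL("ws2_32")
    out = {}
    for name in WS2_32_EXPORTS:
        addr = kernel32.GetProcAddress(ws2._handle, name.encode("ascii"))
        if addr:
            out[name] = (addr, ctypes.string_at(addr, length))
    return out


# Constructed sample (not captured from real malware): "recv" has been overwritten with a
# relative jmp, while "send" still begins with an ordinary 32-bit hotpatchable prologue
# (mov edi,edi ; push ebp ; mov ebp,esp ; sub esp,0x10).
SAMPLE_PROLOGUES = {
    "recv": (0x71A01000, b"\xe9\x00\x10\x00\x00\x90\x90\x90"),
    "send": (0x71A02000, b"\x8b\xff\x55\x8b\xec\x83\xec\x10"),
}

if __name__ == "__main__":
    live = read_ws2_32_prologues()
    for f in audit_prologues(live or SAMPLE_PROLOGUES):
        where = f"{f['target']:#x}" if f["target"] is not None else "(indirect)"
        print(f"{f['export']} @ {f['address']:#x}: {f['pattern']} -> {where}")
```

Two caveats a practitioner should keep in mind: the live read reflects ws2_32.dll in the scanner's own process, so auditing a browser means reading the same export addresses from that process's memory instead, and a detour at an export is not proof of Bamital, since security products and legitimate hotpatching use the same encodings; the resolved target's module is what separates the two.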
Analysis by Scott Molenkamp