Trojan:Win32/Bamital.F is a component of the Win32/Bamital family. Variants of TrojanDropper:Win32/Bamital install it to execute code that the dropper has previously saved in specific registry keys. That code monitors and modifies Web search queries and displays advertisements. It affects users of the Internet Explorer, Opera, and Firefox browsers.
Installation
Trojan:Win32/Bamital.F arrives on the system as a DLL file and may be installed by variants of TrojanDropper:Win32/Bamital as:
- %appdata%\windows server\<6 random letters>.dll
To make Windows load the DLL, the dropper creates the following registry entry. Windows loads every DLL listed under AppCertDlls into any process that calls the CreateProcess family of functions, which is how the component reaches the browser processes; writing under HKLM\SYSTEM requires administrative rights, so a successful installation implies the dropper ran with them:
Adds value: "AppSecDll"
With data: "%appdata%\windows server\<6 random letters>.dll"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
Payload
Executes code installed by other malware
The installer, detected as a variant of TrojanDropper:Win32/Bamital, writes the payload code into the registry as binary data under a randomly named subkey of HKCU\Software, in a value that carries the same name as the subkey:
Adds value: "<random 10 letters>"
With data: "<binary code>"
To subkey: HKCU\Software\<random 10 letters>
For example:
Adds value: "itwxgftqnn"
With data: "<binary code>"
To subkey: HKCU\Software\itwxgftqnn
Adds value: "jmtbxetpmk"
With data: "<binary code>"
To subkey: HKCU\Software\jmtbxetpmk
Trojan:Win32/Bamital.F reads the key whose name is hardcoded into it and executes the stored code inside the process that loaded the DLL.
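Both registry artefacts above (the AppCertDlls loader entry from the Installation section and the registry-resident payload) are straightforward to hunt for on a live host. The PowerShell script below is an added example and is not part of this write-up or of any Microsoft tooling. It assumes, beyond what the page states, that the random names are 10 lowercase ASCII letters (as in the examples), that the stored code is a REG_BINARY value named after its parent key, and that no legitimate AppCertDlls entry points into a user profile directory. Run it elevated so that other users' hives can be scanned.

```powershell
# Added example, not code from the Bamital write-up. Hunts for the two registry
# artefacts described above: the AppCertDlls loader entry and the registry-resident
# payload. Assumptions (not stated on the page): names are 10 lowercase ASCII
# letters; the payload is a REG_BINARY value named after its parent key; no
# legitimate AppCertDlls entry lives under a user profile.

$AppCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

function Get-AppCertDllEntry {
    # Every DLL listed here is loaded into any process that calls CreateProcess,
    # so the key is normally absent or empty. Flag entries that point into a
    # user profile, are missing on disk, or are not validly signed.
    if (-not (Test-Path -Path $AppCertKey)) { return }
    $item = Get-Item -Path $AppCertKey
    $profilesRoot = Split-Path -Path $env:USERPROFILE -Parent   # e.g. C:\Users
    foreach ($name in $item.GetValueNames()) {
        $raw  = [string]$item.GetValue($name)
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        $inProfile = $path -like "$profilesRoot\*"
        $status = if (Test-Path -LiteralPath $path) {
            (Get-AuthenticodeSignature -FilePath $path).Status
        } else { 'FileMissing' }
        [pscustomobject]@{
            ValueName  = $name
            Path       = $path
            InProfile  = $inProfile
            Signature  = $status
            Suspicious = $inProfile -or ($status -ne 'Valid')
        }
    }
}

function Get-RegistryResidentPayload {
    # The dropper stores the code as HKCU\Software\<name>\<name> (REG_BINARY).
    # Pass -DumpDir to save each blob for offline analysis (never execute it).
    param(
        [string]$SoftwareKey = 'HKCU:\Software',
        [string]$NamePattern = '^[a-z]{10}$',
        [string]$DumpDir
    )
    Get-ChildItem -Path $SoftwareKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -cmatch $NamePattern } |
        ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                if ($name -ne $key.PSChildName) { continue }
                if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) { continue }
                [byte[]]$blob = $key.GetValue($name)
                if ($DumpDir) {
                    New-Item -ItemType Directory -Path $DumpDir -Force | Out-Null
                    [IO.File]::WriteAllBytes((Join-Path -Path $DumpDir -ChildPath "$name.bin"), $blob)
                }
                [pscustomobject]@{
                    Key       = $key.Name
                    ValueName = $name
                    Bytes     = $blob.Length
                    Head      = ($blob | Select-Object -First 16 | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
                }
            }
        }
}

Get-AppCertDllEntry | Format-Table -AutoSize
Get-RegistryResidentPayload | Format-Table -AutoSize
```

To cover every loaded user hive rather than only the current one, call `Get-RegistryResidentPayload -SoftwareKey 'Registry::HKEY_USERS\*\Software'`. An AppCertDlls key that exists at all is worth explaining, since nothing in a default Windows installation populates it; the profile-path and signature checks only rank the entries.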
Modifies browsing behavior
Trojan:Win32/Bamital.F patches the following Windows Sockets (ws2_32.dll) functions, which the browsers use for their network I/O, and redirects them to its own routine so that it can monitor and modify Web search queries and substitute its own online advertisements:
- recv
- WSASend
- WSARecv
- send
- closesocket
- WSAAsyncSelect
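Because the hooks are installed from inside the browser process, the DLL that installs them must be loaded there. The PowerShell function below is an added example, not code from this write-up or from Microsoft; it lists modules loaded into the three affected browsers from a user profile directory (where this component lives) together with their signature status. It assumes the browsers run as the current user, since reading another process's module list needs rights equal to or above that process, and the browser process names are assumed to be iexplore, firefox and opera.

```powershell
# Added example, not code from the Bamital write-up. The component hooks Winsock
# inside the browser, so the DLL that installs the hooks must be loaded there.
# List modules loaded into the affected browsers from a user profile directory
# and show their Authenticode status. Assumptions: browsers run as the current
# user; process names are iexplore, firefox and opera.
function Get-ProfileModuleInBrowser {
    param([string[]]$Browser = @('iexplore', 'firefox', 'opera'))
    $profilesRoot = Split-Path -Path $env:USERPROFILE -Parent   # e.g. C:\Users
    Get-Process -Name $Browser -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try {
            $modules = $proc.Modules
        } catch {
            # Typically a 32/64-bit mismatch or insufficient rights; report and move on.
            Write-Warning "Cannot read modules of $($proc.ProcessName) (PID $($proc.Id))"
            return
        }
        foreach ($m in $modules) {
            if ($m.FileName -like "$profilesRoot\*") {
                [pscustomobject]@{
                    Process   = $proc.ProcessName
                    PID       = $proc.Id
                    Module    = $m.FileName
                    Signature = (Get-AuthenticodeSignature -FilePath $m.FileName).Status
                }
            }
        }
    }
}

# Unsigned or invalidly signed DLLs from a profile directory are the leads.
Get-ProfileModuleInBrowser | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Legitimate per-user browser installs and add-on DLLs also load from profile directories, so filter on signature status rather than on path alone. This check finds the module that installs the hooks; it does not verify the patched prologues of recv, send and the other functions themselves, which requires reading the browser's memory and comparing the live ws2_32.dll exports with the copy on disk.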
Connects to a remote server
Trojan:Win32/Bamital.F may also send information to, and download additional data from, remote Web servers.
Analysis by Marian Radu