TrojanDropper:Win32/Bamital.A is a component of Win32/Bamital - a family of trojans intended to monitor and modify Web search queries and display advertisements. It affects users of Internet Explorer, Opera, and Firefox browsers.
Installation
When executed, TrojanDropper:Win32/Bamital.A drops the following file:
%appdata%\windows server\<6 random letters>.dll
Note: This file is detected as a variant of Trojan:Win32/Bamital, for example Trojan:Win32/Bamital.E.
It may be installed on the computer by creating the following registry entry:
Adds value: "AppSecDll"
With data: "%appdata%\windows server\<6 random letters>.dll"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
Payload
Executes code installed by other malware
TrojanDropper:Win32/Bamital writes code into the registry as follows:
Adds value: "<random 10 letters>"
With data: "<binary code>"
To subkey: HKCU\Software\<random 10 letters>
For example:
Adds value: "itwxgftqnn"
With data: "<binary code>"
To subkey: HKCU\Software\itwxgftqnn
Adds value: "jmtbxetpmk"
With data: "<binary code>"
To subkey: HKCU\Software\jmtbxetpmk
The dropped DLL (Trojan:Win32/Bamital) reads the code stored in the registry into a buffer, from which it is then executed.
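Both artifacts described above, the AppCertDlls persistence entry and the payload stored under HKCU\Software, can be hunted for on a live host. The following PowerShell script is an added example and is not code from the encyclopedia entry or from Microsoft; the key and value names and the "windows server\<6 letters>.dll" path pattern come from this entry, while the user-writable-path and same-name-REG_BINARY heuristics are assumptions of this example.

```powershell
# Added example, not part of the encyclopedia entry: a read-only hunt for the
# two Bamital artifacts described above. Key/value names and the path pattern
# come from the entry; the path and REG_BINARY heuristics are assumptions.
$findings = @()

# 1. AppCertDlls persistence. Windows loads every DLL listed under this key
#    into processes that call CreateProcess, so an entry pointing into %APPDATA%
#    (or to a file that no longer exists) deserves a look.
$appCert = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
if (Test-Path -Path $appCert) {
    $key = Get-Item -Path $appCert
    foreach ($name in $key.GetValueNames()) {
        $raw  = [string]$key.GetValue($name)
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        $suspect = ($name -eq 'AppSecDll') -or
                   ($path -match '\\windows server\\[a-z]{6}\.dll$') -or
                   ($path -like "$env:APPDATA\*") -or
                   ($path -and -not (Test-Path -LiteralPath $path))
        if ($suspect) {
            $findings += [pscustomobject]@{
                Artifact = 'AppCertDlls'; Key = $appCert; Name = $name; Data = $path
            }
        }
    }
}

# 2. Payload stored in the registry: HKCU\Software\<10 random letters> holding a
#    REG_BINARY value with the same name as its key (assumed heuristic).
$binary = [Microsoft.Win32.RegistryValueKind]::Binary
foreach ($sub in Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue) {
    $leaf = $sub.PSChildName
    if (($leaf -cmatch '^[a-z]{10}$') -and
        ($sub.GetValueNames() -contains $leaf) -and
        ($sub.GetValueKind($leaf) -eq $binary)) {
        $findings += [pscustomobject]@{
            Artifact = 'RegistryPayload'; Key = $sub.Name; Name = $leaf
            Data = ('{0} bytes of REG_BINARY' -f ($sub.GetValue($leaf)).Length)
        }
    }
}

if ($findings.Count -eq 0) { 'No Bamital-style artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Any AppCertDlls hit should be confirmed by hashing the referenced DLL and checking its signature before it is treated as a Bamital component.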
For more information, please see Trojan:Win32/Bamital.E elsewhere in the encyclopedia.
Analysis by Scott Molenkamp