Win32/Battdil [Threat Name]
Win32/Battdil.F [Threat Variant Name]
Detection created: Sep 10, 2014
Signature database version: 10397
The trojan serves as a backdoor. It can be controlled remotely.
When executed, the trojan copies itself into some of the following locations:
A string with variable content is used instead of %variable%.
The trojan registers itself as a system service using the following name:
This way the trojan ensures that the file is executed on every system start.
The trojan may set the following Registry entries:
- "(Default)" = "%appdata%\%variable%.exe"
This causes the trojan to be executed on every system start.
The trojan may create the following files:
The trojan creates and runs a new thread with its own program code within the following processes:
After the installation is complete, the trojan deletes the original executable file.
The trojan collects the following information:
- login user names for certain applications/services
- login passwords for certain applications/services
- operating system version
- Mozilla Firefox version
- Internet Explorer version
- Google Chrome version
- computer name
- user name
- digital certificates
- list of running services
- installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys
- computer IP address
- network adapter information
The trojan collects sensitive information when the user browses certain web sites.
The trojan attempts to send gathered information to a remote machine.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 34 URLs. The HTTP protocol is used in the communication.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- set up a proxy server
- shut down/restart the computer
The trojan contains both 32-bit and 64-bit program components.
The trojan alters the behavior of the following processes:
The trojan hooks the following Windows APIs:
- CreateProcessInternalW (kernel32.dll)
- ICSecureSocket::Receive_Fsm (wininet.dll)
- ICSecureSocket::Send_Fsm (wininet.dll)
- LoadLibraryExW (kernel32.dll)
- PR_Close (nss3.dll)
- PR_Read (nss3.dll)
- PR_Write (nss3.dll)
- ssl_Close (chrome.dll)
- ssl_Read (chrome.dll)
- ssl_Write (chrome.dll)
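The hooks listed above sit at the entry of the browser's TLS read/write routines, which is how the trojan reads form data before encryption. An added defender-side example (not ESET's code, not the trojan's): it takes the first bytes of each listed export as read from a live process and flags the common inline-detour prologues. Reading the bytes out of the process (for instance with ReadProcessMemory) is left to the caller; the SAMPLE bytes below are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Exports this variant is reported (above) to hook; module -> export names.
HOOKED_EXPORTS: Dict[str, List[str]] = {
    "kernel32.dll": ["CreateProcessInternalW", "LoadLibraryExW"],
    "wininet.dll": ["ICSecureSocket::Receive_Fsm", "ICSecureSocket::Send_Fsm"],
    "nss3.dll": ["PR_Close", "PR_Read", "PR_Write"],
    "chrome.dll": ["ssl_Close", "ssl_Read", "ssl_Write"],
}

def classify_prologue(code: bytes) -> Optional[str]:
    """Name the detour pattern if the first bytes of a function transfer control
    away immediately, else None. Patterns are the usual user-mode trampolines."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        return "jmp_rel32"
    if len(code) >= 2 and code[0] == 0xEB:                       # jmp rel8 (hotpatch slot)
        return "jmp_short"
    if len(code) >= 6 and code[0:2] == b"\xFF\x25":              # jmp [abs] / jmp [rip+disp32]
        return "jmp_indirect"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32; ret
        return "push_ret"
    if len(code) >= 12 and code[0:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov_rax_jmp"                                     # mov rax, imm64; jmp rax
    return None

Prologues = Dict[Tuple[str, str], bytes]

def scan(prologues: Prologues) -> List[Tuple[str, str, str]]:
    """prologues maps (module, export) -> first bytes of that export as read from
    a live process. Returns (module, export, detour kind) for every hit."""
    findings = []
    for module, names in HOOKED_EXPORTS.items():
        for name in names:
            code = prologues.get((module, name))
            kind = classify_prologue(code) if code else None
            if kind:
                findings.append((module, name, kind))
    return findings

# Constructed sample bytes, not captured from real processes.
SAMPLE: Prologues = {
    ("nss3.dll", "PR_Read"): bytes.fromhex("8bff558bec"),            # mov edi,edi; push ebp; mov ebp,esp (intact)
    ("nss3.dll", "PR_Write"): bytes.fromhex("e91a2b3c4d90"),         # jmp rel32 at entry (detoured)
    ("chrome.dll", "ssl_Read"): bytes.fromhex("6800104000c3"),       # push imm32; ret (detoured)
    ("kernel32.dll", "LoadLibraryExW"): bytes.fromhex("48895c2408"), # mov [rsp+8],rbx (intact x64)
}

if __name__ == "__main__":
    for module, name, kind in scan(SAMPLE):
        print(f"{module}!{name}: entry overwritten with {kind}")
```

A hit is a lead, not a verdict: security products and compatibility shims also detour these exports, so resolve the jump target and check which module owns it before acting.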