Win32/Bamital [Threat Name]

Win32/Bamital.AN [Threat Variant Name]

Category trojan
Size 37888 B
Aliases Trojan-Dropper.Win32.Drooptroop.abu (Kaspersky) (McAfee)
  Trojan.Siggen1.15303 (Dr.Web)
Short description

Win32/Bamital.AN is a trojan that redirects the results of online search engines to web sites that contain adware. It uses techniques common to rootkits (user-mode code injection and API hooking).


When executed, the trojan creates the following files:

  • %appdata%\Windows Server\etcsdb.dll (3072 B)
  • %templates%\memory.tmp (37888 B, the same size as the trojan itself)

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
    • "AppSecDll" = "%appdata%\Windows Server\etcsdb.dll"

Windows loads every DLL listed under AppCertDlls into a process whenever that process calls one of the CreateProcess family of functions, so this entry both persists the trojan across reboots and gets the following library injected into processes across the system:

  • %appdata%\Windows Server\etcsdb.dll

The following Registry entry is deleted:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    • "DisableSR" = %value%
Other information

The trojan can redirect results of online search engines to web sites that contain adware.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of URLs. The HTTP protocol is used.

Inside the processes it is injected into, the trojan hooks the following Windows APIs; hooking the Winsock send and receive functions lets it inspect and alter the host process's network traffic, which is where the search-result redirection is applied:

  • recv (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • send (ws2_32.dll)
  • closesocket (ws2_32.dll)
  • NtClose (ntdll.dll)
  • WaitForSingleObject (kernel32.dll)
  • CreateProcessInternalW (kernel32.dll)

The trojan may create the following files:

  • temp.ini
  • thread.xml
  • user32.dll
  • conf.dat
  • work.dat
  • twin.dat
  • uses32.dat
  • flags.ini

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\hxyzetcsdb]
    • "hxyzetcsdb" = %hex_value%
    • "Run" = "%variable1%"
    • "ID" = "%variable2%"
    • "TimeGetWork" = "%variable3%"

A string with variable content is used instead of %variable1-3%.
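The AppCertDlls persistence entry and the HKEY_CURRENT_USER\Software\hxyzetcsdb configuration key listed above are the two registry indicators an analyst can check offline. The following Python script is an added example, not part of the original description: it parses the text produced by reg export for those two keys, reports every AppCertDlls value (the key is normally absent on a clean installation, so any entry is worth a look) and rates a DLL outside the Windows system directory as high priority, and lists the value names found under the hxyzetcsdb key. The embedded export is constructed; the user profile path, the second AppCertDlls entry and the hex bytes are invented to exercise the parser.

```python
import re

# Registry keys from the description, lowercased for case-insensitive comparison.
APPCERT_KEY = (r"hkey_local_machine\system\currentcontrolset\control"
               r"\session manager\appcertdlls")
BAMITAL_KEY = r"hkey_current_user\software\hxyzetcsdb"

# Where a legitimate AppCertDlls DLL would be expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")

# Constructed sample export (not a real capture). The first AppCertDlls value is
# the page's %appdata%\Windows Server\etcsdb.dll with %appdata% resolved to an
# invented profile; the "ExampleVendorDll" entry and the hex bytes are invented.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"="C:\\Users\\alice\\AppData\\Roaming\\Windows Server\\etcsdb.dll"
"ExampleVendorDll"="C:\\Windows\\System32\\example.dll"

[HKEY_CURRENT_USER\Software\hxyzetcsdb]
"hxyzetcsdb"=hex:0a,1b,2c,3d,\
  4e,5f
"Run"="1"
"ID"="abcd"
"TimeGetWork"="1234"
"""


def parse_reg(text):
    """Parse .reg export text into {key_path_lowercased: {value_name: data}}.

    String data is unescaped (\\\\ -> \\, \\" -> "); hex:/hex(n): data that reg.exe
    wraps across lines with a trailing backslash is joined back together and
    kept as the raw "hex:..." string.
    """
    keys = {}
    current = None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if not m:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        # Continuation lines of hex data end in a backslash; strings end in a quote.
        while data.endswith("\\") and not data.startswith('"'):
            data = data[:-1] + next(lines, "").strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        keys[current][name] = data
    return keys


def audit_appcert_dlls(keys):
    """Return (value_name, dll_path, severity) for every AppCertDlls entry.

    Every entry deserves review; a DLL outside the system directory matches the
    Bamital pattern (a DLL under the user's %appdata%) and is rated "high".
    """
    findings = []
    for name, path in keys.get(APPCERT_KEY, {}).items():
        severity = "review" if path.lower().startswith(SYSTEM_DIRS) else "high"
        findings.append((name, path, severity))
    return findings


def bamital_indicators(keys):
    """Return the sorted value names present under the trojan's HKCU key."""
    return sorted(keys.get(BAMITAL_KEY, {}))


def triage(text):
    """Run both checks over one export and return a summary dictionary."""
    keys = parse_reg(text)
    return {
        "appcertdlls": audit_appcert_dlls(keys),
        "bamital_key_present": BAMITAL_KEY in keys,
        "bamital_values": bamital_indicators(keys),
    }


if __name__ == "__main__":
    for item, value in triage(SAMPLE_REG_EXPORT).items():
        print(f"{item}: {value}")
```

On a live system the input would come from reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls" appcert.reg (and the same for HKCU\Software), which writes UTF-16 LE text, so open the file with encoding="utf-16" before passing it to triage(). The page's %appdata% placeholder stands for the resolved profile path, which is why the check is done on the expanded path rather than on the literal string.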
