Win32/Bamital [Threat Name]

Win32/Bamital.EY [Threat Variant Name]

Category: trojan
Size: 83456 B
Aliases: Backdoor.Win32.Shiz.aqo (Kaspersky)
  Trojan:Win32/Bamital.I (Microsoft)
  Win32:Zbot-MXL.[Trj] (Avast)
Short description

Win32/Bamital.EY is a trojan that redirects results of online search engines to specific web sites. The trojan contains a backdoor. It can be controlled remotely. The file is run-time compressed using UPX.


When executed, the trojan creates the following files:

  • %system%\dll (35676 B)
  • %system%\ms.dll (3584 B)

The trojan may create the following files:

  • %appdata%\Windows\winhelp.exe (83456 B)
  • %temp%\task32.dll (9728 B)
  • %temp%\e.exe (83456 B)

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
    • "Startup" = "%appdata%\Windows"

This causes the trojan to be executed on every system start.

The following Registry entry is deleted:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    • "DisableSR"

The trojan schedules a task that causes the following file to be executed repeatedly:

  • %temp%\e.exe

The following files are modified:

  • %windir%\explorer.exe
  • %system%\dllcache\explorer.exe
  • %system%\winlogon.exe
  • %system%\dllcache\winlogon.exe
  • %system%\wininit.exe

The modified file contains the original program code along with the program code of the infiltration.

The host file is modified in a way that causes the trojan to be executed prior to running the original code.

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • iexplore.exe
  • forerfox.exe
  • opera.exe
  • chrome.exe
  • winlogon.exe
  • wininit.exe

After the installation is complete, the trojan deletes the original executable file.

Other information

Win32/Bamital.EY is a trojan that changes results of online search engines.

The trojan serves as a backdoor. It can be controlled remotely.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan generates various URL addresses. The HTTP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • block access to specific websites
  • redirect network traffic
  • modify network traffic
  • collect information about the operating system used
  • send gathered information

The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
    • "FirstRun"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry]
    • "Domen"
    • "Flags"
    • "Run"
    • "TimeGetWork"
    • "Uses"

The trojan may create the following files:

  • %commondocuments%\updhlp.dat
  • %appdata%\Server\server.dat

The trojan hooks the following Windows APIs:

  • CreateProcessInternalW (kernel32.dll)
  • recv (ws2_32.dll)
  • send (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • closesocket (ws2_32.dll)
  • getaddrinfo (ws2_32.dll)
  • WSAAsyncSelect (ws2_32.dll)
  • WSAGetOverlappedResult (ws2_32.dll)
  • gethostbyname (ws2_32.dll)
  • DnsQuery_W (dnsapi.dll)
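
A read-only host check for the artifacts listed in this description, added here as an example and not part of the vendor's write-up: it looks for the named files, the redirected Startup shell folder and the stored registry values. The function name Get-BamitalIndicator and the mapping of %system% and %commondocuments% to .NET folder lookups are assumptions.

```powershell
# Added example: read-only check for the Win32/Bamital.EY artifacts listed above.
# Run it in the session of the user being examined (HKCU, %appdata%, %temp% are per-user).
function Get-BamitalIndicator {
    $found = @()
    $sys   = [Environment]::SystemDirectory                   # assumed mapping of %system%
    $docs  = [Environment]::GetFolderPath('CommonDocuments')  # assumed mapping of %commondocuments%

    # Paths and sizes as given on the page; '%system%\dll' is left out because
    # the page shows no full file name for it.
    $files = @(
        @{ Path = (Join-Path $sys 'ms.dll');                      Size = '3584 B' }
        @{ Path = (Join-Path $env:APPDATA 'Windows\winhelp.exe'); Size = '83456 B' }
        @{ Path = (Join-Path $env:TEMP 'task32.dll');             Size = '9728 B' }
        @{ Path = (Join-Path $env:TEMP 'e.exe');                  Size = '83456 B' }
        @{ Path = (Join-Path $docs 'updhlp.dat');                 Size = 'not given' }
        @{ Path = (Join-Path $env:APPDATA 'Server\server.dat');   Size = 'not given' }
    )
    foreach ($f in $files) {
        $item = Get-Item -LiteralPath $f.Path -Force -ErrorAction SilentlyContinue
        if ($item) {
            $found += [pscustomobject]@{ Type = 'File'; Item = $f.Path
                Detail = "size $($item.Length) B (page lists: $($f.Size))" }
        }
    }

    # Persistence: per-user Startup folder redirected to %appdata%\Windows.
    $usf = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $startup = (Get-ItemProperty -LiteralPath $usf -Name Startup -ErrorAction SilentlyContinue).Startup
    if ($startup -and $startup.TrimEnd('\') -eq (Join-Path $env:APPDATA 'Windows')) {
        $found += [pscustomobject]@{ Type = 'Registry'; Item = "$usf\Startup"; Detail = "= $startup" }
    }

    # Value names the trojan uses to keep its own state.
    $stored = @{
        'HKLM:\SYSTEM\CurrentControlSet\Services\sr\Parameters' = @('FirstRun')
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry' =
            @('Domen', 'Flags', 'Run', 'TimeGetWork', 'Uses')
    }
    foreach ($key in $stored.Keys) {
        $k = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        $hit = @($stored[$key] | Where-Object { $k.GetValueNames() -contains $_ })
        if ($hit) {
            $found += [pscustomobject]@{ Type = 'Registry'; Item = $key
                Detail = "values present: $($hit -join ', ')" }
        }
    }
    $found
}
Get-BamitalIndicator | Format-Table -AutoSize -Wrap
```

An empty result means none of these artifacts were found for the current user; any hit is a lead to confirm with a full scan, since the check matches names and sizes only.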
