Threat behavior
Trojan:Win32/Bamital.J is a component of the Win32/Bamital trojan family. The trojan runs other components that are used to intercept web browser traffic and redirect web search queries.
Installation
This trojan is present as a file with a .DLL extension. It is commonly dropped by variants of the Win32/Bamital family as a file with a two-letter name in the Windows system directory, for example:
%windir%\System32\zx.dll
%windir%\System32\kb.dll
%windir%\System32\nt.dll
This trojan loads a separate payload module into memory. This payload module (detected as Trojan:Win32/Bamital) contains executable code and is present as a file named "dll" (with no extension) in one of the following hard-coded paths:
C:\Windows\system32\dll
C:\WinNT\system32\dll
C:\Documents and Settings\All Users\Documents\dll
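A file-system hunt for the indicators listed above, added here as an example and not part of the original write-up. The three payload paths and the two-letter loader naming pattern come from this entry; the short list of legitimate two-letter Windows DLLs (ci.dll, ks.dll, kd.dll) is an assumption added so that those are reported for review rather than flagged outright.

```python
"""Hunt for the Win32/Bamital.J file-system indicators described above.

Checks (1) two-letter .dll names in the Windows system directory (the loader)
and (2) a file named exactly "dll", no extension, at the hard-coded payload paths.
"""
import re
from pathlib import Path, PureWindowsPath
from typing import Dict, Iterable, Optional

# Payload locations quoted in the entry (file named "dll" with no extension).
PAYLOAD_PATHS = (
    r"C:\Windows\system32\dll",
    r"C:\WinNT\system32\dll",
    r"C:\Documents and Settings\All Users\Documents\dll",
)
_PAYLOAD_LOWER = {p.lower() for p in PAYLOAD_PATHS}

# Loader naming pattern from the entry: exactly two letters plus ".dll".
TWO_LETTER_DLL = re.compile(r"^[a-z]{2}\.dll$", re.IGNORECASE)

# Assumed list of two-letter DLLs that ship with Windows; a hit on one of these
# is not evidence by itself, so it is reported as "review" rather than "loader".
KNOWN_GOOD_TWO_LETTER = frozenset({"ci.dll", "ks.dll", "kd.dll"})


def classify(path: str) -> Optional[str]:
    """Return 'payload', 'loader', 'review' or None for one Windows path string."""
    p = PureWindowsPath(path)  # normalises separators, keeps case for reporting
    if str(p).lower() in _PAYLOAD_LOWER:
        return "payload"
    if TWO_LETTER_DLL.match(p.name) and p.parent.name.lower() == "system32":
        return "review" if p.name.lower() in KNOWN_GOOD_TWO_LETTER else "loader"
    return None


def hunt(paths: Iterable[str]) -> Dict[str, str]:
    """Classify a list of paths, e.g. from an offline file-inventory export."""
    findings = {}
    for path in paths:
        verdict = classify(path)
        if verdict:
            findings[path] = verdict
    return findings


def scan_system(system_dir: str = r"C:\Windows\System32") -> Dict[str, str]:
    """Live check on a Windows host: list System32 DLLs and probe payload paths."""
    candidates = [str(f) for f in Path(system_dir).glob("*.dll")]
    candidates += [p for p in PAYLOAD_PATHS if Path(p).is_file()]
    return hunt(candidates)


if __name__ == "__main__":
    for path, verdict in scan_system().items():
        print(f"{verdict:8} {path}")
```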
Payload
Intercepts web traffic
The payload code is used to intercept web browser traffic and redirect web search queries. More information about Trojan:Win32/Bamital can be found elsewhere in the encyclopedia.
Analysis by Gilou Tenebro
Prevention