TrojanDropper:Win32/Bamital.G is a detection for trojans that monitor and modify Web search queries and display advertisements, as well as modifying system DLLs such as "user32.dll".
Installation
Upon execution, TrojanDropper:Win32/Bamital.G creates the following folder and files as part of its installation process:
- %APPDATA%\Windows Server
- <system folder>\hlp.dat – this file contains the trojan's payload code
The trojan also creates a randomly named registry key, such as the one below, and uses it to store its payload code as well as other data it needs for its own purposes.
Adds value: "yhhhxnitkp"
To subkey: HKCU\Software\yhhhxnitkp
Payload
Modifies system files
TrojanDropper:Win32/Bamital.G modifies the following system DLLs, both the copies in the system folder and the copies in the dllcache folder:
- <system folder>\user32.dll
- <system folder>\ws2_32.dll
- <system folder>\ws2help.dll
The trojan does this so that the above DLLs load the dropped file <system folder>\hlp.dat whenever they are loaded by one of the following:
- iexplore.exe
- firefox.exe
- opera.exe
Modifies browsing behavior
The code contained in the file <system folder>\hlp.dat is used to monitor and modify web search queries and display its own online advertisements.
Disables System Restore
TrojanDropper:Win32/Bamital.G disables System Restore by making the following registry modifications:
Modifies value: "FirstRun"
With data: "1"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\sr\Parameters
Removes value: "DisableSR"
From subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Connects to a remote server
TrojanDropper:Win32/Bamital.G may also send information to, and download additional data from, the domain "smartcontrol.info".
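The artifacts listed above (dropped folder and file, the self-named HKCU registry key, the three patched system DLLs, the System Restore registry changes and the contact domain) can be checked on a host with a short triage script. The following PowerShell is an added example written for this page; it is not code from the encyclopedia entry or from Microsoft. It assumes an elevated PowerShell 4.0 or later session, that the dllcache folder and the "sr" service may be absent on Windows versions newer than XP (those checks are skipped when the paths do not exist), and that the random key name is detected only by the pattern the entry shows (a key under HKCU\Software that holds a value of the same name), which is a heuristic to be reviewed manually.

```powershell
# Added host-triage example for the Bamital.G indicators on this page.
# Not from the Microsoft entry. Assumes an elevated PowerShell 4.0+ session.

function Invoke-BamitalTriage {
    $findings = New-Object System.Collections.Generic.List[string]
    $sys32    = Join-Path $env:SystemRoot 'System32'
    $dllcache = Join-Path $sys32 'dllcache'   # XP-era folder; may not exist

    # 1. Dropped folder and payload file from the "Installation" section.
    foreach ($p in @((Join-Path $env:APPDATA 'Windows Server'),
                     (Join-Path $sys32 'hlp.dat'))) {
        if (Test-Path -LiteralPath $p) { $findings.Add("Dropped artifact present: $p") }
    }

    # 2. Modified system DLLs. Two independent signals: the Authenticode/catalog
    #    signature status (the stronger one) and a hash comparison with the
    #    dllcache copy. The trojan patches both copies, so matching hashes do
    #    not clear the file; a mismatch is still worth reporting.
    foreach ($dll in 'user32.dll', 'ws2_32.dll', 'ws2help.dll') {
        $live = Join-Path $sys32 $dll
        if (-not (Test-Path -LiteralPath $live)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $live
        if ($sig.Status -ne 'Valid') {
            $findings.Add("Signature status for ${live}: $($sig.Status)")
        }
        $cached = Join-Path $dllcache $dll
        if (Test-Path -LiteralPath $cached) {
            $h1 = (Get-FileHash -LiteralPath $live   -Algorithm SHA256).Hash
            $h2 = (Get-FileHash -LiteralPath $cached -Algorithm SHA256).Hash
            if ($h1 -ne $h2) { $findings.Add("Hash mismatch between $live and $cached") }
        }
    }

    # 3. Registry. The HKCU key name is random per infection; the entry's sample
    #    (value "yhhhxnitkp" under HKCU\Software\yhhhxnitkp) shows the pattern of a
    #    key holding a value of its own name, so that pattern is what is searched.
    foreach ($k in Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue) {
        $n = $k.PSChildName
        if ($null -ne $k.GetValue($n)) {
            $findings.Add("Self-named value under HKCU\Software\$n (review manually)")
        }
    }
    # System Restore changes. The "sr" service key exists on Windows XP only.
    $srParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\sr\Parameters'
    if (Test-Path -LiteralPath $srParams) {
        $firstRun = (Get-ItemProperty -Path $srParams -Name FirstRun -ErrorAction SilentlyContinue).FirstRun
        if ($firstRun -eq 1) { $findings.Add("sr\Parameters\FirstRun is set to 1") }
    }
    # Absence of DisableSR is only meaningful where the value exists by default (XP).
    $srPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    if ((Test-Path -LiteralPath $srPolicy) -and
        -not (Get-ItemProperty -Path $srPolicy -ErrorAction SilentlyContinue).PSObject.Properties['DisableSR']) {
        $findings.Add("DisableSR value is absent from $srPolicy (meaningful on XP only)")
    }

    # 4. Network indicator: look for the contact domain in the DNS client cache.
    if (ipconfig /displaydns 2>$null | Select-String -SimpleMatch 'smartcontrol.info' -Quiet) {
        $findings.Add('DNS client cache contains an entry for smartcontrol.info')
    }

    # Comma keeps the result an array even when it has zero or one element.
    return ,$findings.ToArray()
}

$result = Invoke-BamitalTriage
if ($result.Count -eq 0) { 'No Bamital.G artifacts found.' } else { $result }
```

Each finding is a string so the function can be run across many hosts and the output collected centrally; a signature status other than Valid on user32.dll or ws2_32.dll is the finding to act on first, because the other indicators (the dropped file, the DNS cache entry, the self-named key) are easier for an infection to vary than a patched, catalog-signed system DLL.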
Analysis by Amir Fouda