
Trojan:Win32/Bamital.E


Trojan:Win32/Bamital.E is a component of the Win32/Bamital family. It is dropped by variants of TrojanDropper:Win32/Bamital to execute code previously saved in specific registry keys. The code is intended to monitor and modify Web search queries and display advertisements. It affects users of Internet Explorer, Opera, and Firefox browsers.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

Installation
Trojan:Win32/Bamital.E arrives on the system as a DLL file, which variants of TrojanDropper:Win32/Bamital may install as:
 
%appdata%\windows server\<6 random letters>.dll
 
Persistence is achieved by registering the DLL as an AppCert DLL through the following registry entry. Windows loads every DLL listed under AppCertDlls into each process that calls CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateProcessWithTokenW or WinExec, which gives the component a foothold in a large share of running programs. The key lives under HKLM, so writing it requires administrative rights, and it is not created by default on a clean system:
 
Adds value: "AppSecDll"
With data: "%appdata%\windows server\<6 random letters>.dll"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
Payload
Executes code installed by other malware
The installer, detected as a variant of TrojanDropper:Win32/Bamital, writes payload code into the registry as the following:
 
Adds value: "<random 10 letters>"
With data: "<binary code>"
To subkey: HKCU\Software\<random 10 letters>
 
For example:
 
Adds value: "itwxgftqnn"
With data: "<binary code>"
To subkey: HKCU\Software\itwxgftqnn
 
Adds value: "jmtbxetpmk"
With data: "<binary code>"
To subkey: HKCU\Software\jmtbxetpmk
 
Trojan:Win32/Bamital.E reads the code stored in these registry values into a memory buffer and transfers execution to it. The second-stage code therefore never exists as a file on disk: the only file artifact is the loader DLL, and the registry values themselves are the durable indicator.
 
Modifies browsing behavior
Trojan:Win32/Bamital.E patches the following Windows Sockets (ws2_32.dll) functions in memory and redirects them to its own routine, so that it can monitor and modify Web search queries and inject its own advertisements; browsers use these functions for their network traffic:
 
recv
WSASend
WSARecv
send
closesocket
WSAAsyncSelect
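The six functions above are all exports of ws2_32.dll. The write-up does not say which patching technique Bamital.E uses; the usual form for "patches and redirects" is an inline hook, where the first bytes of each export are overwritten with a jump into the malware's own code, and such a hook is visible as an export whose first instruction transfers control outside the ws2_32 image. The following Python is an added example, not code from the original write-up or from Microsoft: given the first bytes of each export (as read from a live process or a memory dump) it recognises the common x86 trampoline forms, which is what a 32-bit browser process would carry, and reports the exports that jump out of the module. The module range, export addresses, hook address, prologue bytes and the helper `_jmp_rel32` are all constructed for the example.

```python
"""Detect inline-patched ws2_32 exports and resolve where the patch jumps to.

Added example, not from the write-up: input is the first bytes of each export as
read from a live process or a memory dump. The module range, export addresses,
hook address and prologue bytes below are constructed."""
import struct


def hook_target(prologue, func_va):
    """Return (kind, target_va) if the first instruction redirects control flow,
    else None. Covers the usual x86 trampolines: JMP rel32, PUSH imm32 / RET,
    MOV EAX,imm32 / JMP EAX, and JMP [abs32] (reported as the pointer slot, not
    the final destination). x64 RIP-relative forms are not handled."""
    b = bytes(prologue)
    if len(b) >= 5 and b[0] == 0xE9:
        rel = struct.unpack_from("<i", b, 1)[0]
        return "jmp rel32", (func_va + 5 + rel) & 0xFFFFFFFF
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:
        return "push/ret", struct.unpack_from("<I", b, 1)[0]
    if len(b) >= 7 and b[0] == 0xB8 and b[5:7] == b"\xff\xe0":
        return "mov eax/jmp eax", struct.unpack_from("<I", b, 1)[0]
    if len(b) >= 6 and b[0:2] == b"\xff\x25":
        return "jmp [abs32]", struct.unpack_from("<I", b, 2)[0]
    return None


def find_hooked_exports(exports, module_base, module_size):
    """exports: {name: (va, first_bytes)}. Returns {name: (kind, target)} for every
    export whose first instruction leaves the module image. Jumps that stay inside
    the module (forwarding thunks) are deliberately not reported."""
    hooked = {}
    for name, (va, prologue) in exports.items():
        hit = hook_target(prologue, va)
        if hit and not (module_base <= hit[1] < module_base + module_size):
            hooked[name] = hit
    return hooked


# ---- constructed sample: a snapshot of the six exports Bamital.E patches ----
WS2_32_BASE, WS2_32_SIZE = 0x76B70000, 0x35000   # assumed ws2_32.dll load range
HOOK_VA = 0x10001234                              # assumed address inside the Bamital DLL
CLEAN = b"\x8b\xff\x55\x8b\xec"                   # mov edi,edi; push ebp; mov ebp,esp


def _jmp_rel32(src_va, dst_va):
    """Encode 'jmp dst' as it would appear at src (helper for the sample only)."""
    return b"\xe9" + struct.pack("<i", dst_va - (src_va + 5))


SAMPLE_EXPORTS = {
    "recv":           (WS2_32_BASE + 0x6B0E, _jmp_rel32(WS2_32_BASE + 0x6B0E, HOOK_VA)),
    "send":           (WS2_32_BASE + 0x6B40, CLEAN),
    "WSASend":        (WS2_32_BASE + 0x3B21, CLEAN),
    # in-module jump: a legitimate forwarding thunk, must not be flagged
    "WSARecv":        (WS2_32_BASE + 0x4C06, _jmp_rel32(WS2_32_BASE + 0x4C06, WS2_32_BASE + 0x2E10)),
    "closesocket":    (WS2_32_BASE + 0x3918, b"\x68" + struct.pack("<I", HOOK_VA + 0x40) + b"\xc3"),
    "WSAAsyncSelect": (WS2_32_BASE + 0x8D70, CLEAN),
}

if __name__ == "__main__":
    for name, (kind, target) in find_hooked_exports(SAMPLE_EXPORTS, WS2_32_BASE, WS2_32_SIZE).items():
        print(f"{name:<15} hooked via {kind:<16} -> 0x{target:08X}")
```

On a real system the input comes from reading the first bytes at each export's address in the browser process (or from a process memory dump) together with the ws2_32 load range from the module list; comparing those bytes against the on-disk ws2_32.dll is a stronger check than pattern matching alone. This check does not see import-table (IAT) hooks or patches placed deeper than the first instruction, so a clean result here does not by itself clear the process.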
 
Analysis by Scott Molenkamp

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    %appdata%\windows server\<6 random letters>.dll
  • The presence of the following registry modifications:
    Adds value: "AppSecDll"
    With data: "%appdata%\windows server\<6 random letters>.dll"
    To subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls

    Adds value: "<random 10 letters>"
    With data: "<binary code>"
    To subkey: HKCU\Software\<random 10 letters>
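The two registry indicators listed above (the AppCertDlls value from the Installation section and the same-named binary value under a random ten-letter HKCU\Software key from the Payload section) can be checked offline against a .reg export, which is convenient when triaging a hive taken from another machine. The following Python is an added example, not code from the original write-up: it parses a constructed export (not data from a real infection) and flags both indicators. The lowercase-only key regex, the severity labels, the sample user name and the DLL name are assumptions made for the example.

```python
"""Offline check for the two Bamital.E registry indicators in a .reg export.

Added example: the indicator patterns follow the write-up; the sample export,
key regex, severity labels and paths are constructed for illustration."""
import re

APPCERT_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
               r"\Session Manager\AppCertDlls")
HKCU_SOFTWARE = "HKEY_CURRENT_USER\\Software\\"
RANDOM_NAME = re.compile(r"^[a-z]{10}$")   # assumption: lowercase, as in the page's samples
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Constructed sample export (not from a real infection): one AppCertDlls entry,
# one random-named HKCU key holding a same-named blob, and two benign keys.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"="C:\\Users\\alice\\AppData\\Roaming\\windows server\\qzjkrp.dll"

[HKEY_CURRENT_USER\Software\itwxgftqnn]
"itwxgftqnn"=hex:55,8b,ec,83,ec,10,e8,00,00,00,\
  00,5d

[HKEY_CURRENT_USER\Software\Microsoft]
"Version"="1.0"

[HKEY_CURRENT_USER\Software\abcdefghij]
"Config"=dword:00000001
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from a .reg text export.
    Hex values continued over several lines (trailing backslash) are joined."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # multi-line hex: keep accumulating
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][m.group("name")] = m.group("data")
    return keys


def scan_reg_export(text):
    """Return a list of (severity, key, value_name, reason) findings."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.lower() == APPCERT_KEY.lower():
            # Any AppCertDlls entry deserves a look; the Bamital path is high confidence.
            for name, data in values.items():
                path = data.strip('"').replace("\\\\", "\\").lower()
                bamital = "\\windows server\\" in path and path.endswith(".dll")
                findings.append((
                    "high" if bamital else "medium", key, name,
                    "AppCertDlls entry pointing at %appdata%\\windows server\\" if bamital
                    else "unexpected AppCertDlls entry (loaded into processes that spawn others)"))
        elif key.lower().startswith(HKCU_SOFTWARE.lower()):
            leaf = key.rsplit("\\", 1)[-1]
            if RANDOM_NAME.match(leaf) and values.get(leaf, "").startswith("hex:"):
                blob_len = len(values[leaf][4:].replace(",", "")) // 2
                findings.append(("high", key, leaf,
                    f"{blob_len}-byte binary blob stored under a same-named 10-letter key"))
    return findings


if __name__ == "__main__":
    for sev, key, name, why in scan_reg_export(SAMPLE_REG):
        print(f"[{sev}] {key} -> {name}: {why}")
```

Against a live machine, produce the input with `reg export HKCU\Software hkcu.reg` and `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls" appcert.reg`, then pass `open(path, encoding="utf-16").read()` to `scan_reg_export` (reg.exe writes UTF-16 with a byte-order mark). The AppCertDlls key is not created by default, so `reg export` reporting that it does not exist is the clean result. The parser handles only the REG_SZ and hex forms the indicators need; it is not a general .reg reader.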

Prevention


Alert level: Severe
First detected by definition: 1.75.581.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Feb 09, 2010
This entry was first published on: Apr 20, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan.Win32.Zapchast.bef (Kaspersky)
  • Trojan horse Generic17.JRF (AVG)
  • TR/Zapchast.bef.2 (Avira)
  • Trojan.Siggen.64331 (Dr.Web)
  • Win32/Bamital.AH (ESET)
  • Trojan.Win32.Zapchast (Ikarus)
  • ZapChast.gen.b (McAfee)
  • Trojan.Win32.Generic.51FC335F (Rising AV)