Trojan:Win32/Bamital is a detection for a trojan that intercepts web browser traffic and redirects web search queries.
The dropped trojan may be loaded by Virus:Win32/Bamital.A. Trojan:Win32/Bamital queries and modifies the following registry entries to store its own configuration:
In subkey: HKCU\Software\<random string>
Sets value: "Run"
To data: "1"
Sets value: "ID"
To data: "<random string>"
Sets value: "<random string>"
To data: "<binary data>"
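The three values above (Run set to "1", an ID string, and a binary blob under a randomly named value) make a usable host indicator even though the subkey name itself cannot be predicted. The following is an added example, not code from this write-up or from Microsoft: it parses a `reg export HKCU\Software` text dump and flags direct children of HKCU\Software that carry the full value triad. The registry export embedded in it is constructed for the example (the "Contoso" key and the random names are made up) and is not data from an infected machine.

```python
"""Flag HKCU\\Software subkeys that carry the Bamital-style value triad.

Added example, not part of the original write-up. Input is a constructed
text export in the REGEDIT5 format written by `reg export`.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a benign vendor key that happens to have Run="1", and a
# key with a random name carrying Run="1", ID=<random>, <random>=<binary>.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Contoso]
"InstallDir"="C:\\Program Files\\Contoso"
"Run"="1"

[HKEY_CURRENT_USER\Software\qzxlpmtrw]
"Run"="1"
"ID"="hk3p9vtxq2"
"ym8rtqwl"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,\
  b8,00,00,00,00,00,00,00
"""

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, Tuple[str, object]]]:
    """Parse REGEDIT5 text into {key_path: {value_name: (kind, data)}}.

    kind is 'sz' (str), 'dword' (int) or 'hex' (bytes). Long hex values that
    `reg export` wraps with a trailing backslash are re-joined first.
    """
    keys: Dict[str, Dict[str, Tuple[str, object]]] = {}
    current = None
    joined = re.sub(r"\\\r?\n\s*", "", text)  # undo hex line continuation
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) is None else m.group(1)
        data = m.group(2)
        if data.startswith('"'):
            # REGEDIT5 escapes backslash and double quote with a backslash
            keys[current][name] = ("sz", data[1:-1].replace('\\\\', '\\').replace('\\"', '"'))
        elif data.startswith("dword:"):
            keys[current][name] = ("dword", int(data[6:], 16))
        elif data.startswith("hex"):
            # hex: is REG_BINARY; hex(N): variants are other types, kept as raw bytes
            blob = data.split(":", 1)[1].replace(",", "")
            keys[current][name] = ("hex", bytes.fromhex(blob))
    return keys


def find_bamital_keys(reg_text: str) -> List[str]:
    """Return paths of HKCU\\Software children carrying Run="1", an ID string
    and at least one binary value under some other name."""
    hits: List[str] = []
    for path, values in parse_reg_export(reg_text).items():
        parent, _, _leaf = path.rpartition("\\")
        if parent.upper() != r"HKEY_CURRENT_USER\SOFTWARE":
            continue
        run_set = values.get("Run") in (("sz", "1"), ("dword", 1))
        ident = values.get("ID")
        has_id = ident is not None and ident[0] == "sz" and ident[1] != ""
        blobs = [n for n, (kind, _) in values.items() if kind == "hex" and n not in ("Run", "ID")]
        if run_set and has_id and blobs:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for hit in find_bamital_keys(SAMPLE_REG_EXPORT):
        print("suspicious key:", hit)
```

The check requires all three values together; a key with only Run="1" (the constructed Contoso key) is not reported, which keeps the indicator from firing on ordinary application settings that reuse a common value name.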
Monitors web browser traffic
Trojan:Win32/Bamital is only functional when it is loaded into the following processes (web browser applications):
Trojan:Win32/Bamital hooks the following Windows socket APIs in order to intercept network traffic and redirect the user's search queries so that its own advertisements are displayed:
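Hooks of this kind are typically inline patches of the export's first instructions inside the browser process, so the in-memory prologue no longer matches the bytes at the same offset in ws2_32.dll on disk. The following is an added example, not code from this write-up or from Microsoft: it compares per-export prologues and decodes the common 32-bit x86 redirect patterns (JMP rel32, CALL rel32, JMP [abs32], PUSH/RET, short JMP). The snapshot it runs on is constructed for the example; the export names and addresses are made up to illustrate the check and are not a statement of which Winsock functions this trojan hooks, which the write-up does not list. In live triage the in-memory bytes would come from reading the browser process and the reference bytes from parsing the DLL on disk.

```python
"""Classify inline hooks on Winsock export prologues (32-bit x86).

Added example, not part of the original write-up. The snapshot below maps
export name -> (address, bytes read from process memory, bytes from the same
offset in the on-disk DLL); all of it is constructed for the example.
"""
import struct
from typing import Dict, Optional, Tuple

Snapshot = Dict[str, Tuple[int, bytes, bytes]]

# Common Win32 API prologue: mov edi,edi ; push ebp ; mov ebp,esp ; push 0
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC6A00")


def _jmp_rel32(addr: int, target: int, tail: bytes) -> bytes:
    """Build an E9 hook whose displacement lands on `target` (helper for the sample)."""
    return b"\xE9" + struct.pack("<i", target - (addr + 5)) + tail


# Constructed snapshot; hypothetical addresses, hypothetical hook targets.
SAMPLE_SNAPSHOT: Snapshot = {
    "export_a": (0x71A14C27, _jmp_rel32(0x71A14C27, 0x10001230, CLEAN_PROLOGUE[5:]), CLEAN_PROLOGUE),
    "export_b": (0x71A15B10, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
    "export_c": (0x71A16E80, b"\x68" + struct.pack("<I", 0x10002440) + b"\xC3" + CLEAN_PROLOGUE[6:], CLEAN_PROLOGUE),
    "export_d": (0x71A17F00, b"\xCC" + CLEAN_PROLOGUE[1:], CLEAN_PROLOGUE),
}


def decode_hook(addr: int, mem: bytes) -> Optional[Tuple[str, int]]:
    """Return (hook_kind, target) if the prologue begins with a redirect, else None.

    For 'jmp [abs32]' the returned value is the address of the pointer slot,
    not the final destination, because resolving it needs another memory read.
    """
    if len(mem) >= 5 and mem[0] == 0xE9:                      # JMP rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "jmp rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(mem) >= 5 and mem[0] == 0xE8:                      # CALL rel32 (trampoline)
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "call rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(mem) >= 6 and mem[0] == 0xFF and mem[1] == 0x25:   # JMP DWORD PTR [abs32]
        return "jmp [abs32]", struct.unpack_from("<I", mem, 2)[0]
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:   # PUSH imm32 ; RET
        return "push/ret", struct.unpack_from("<I", mem, 1)[0]
    if len(mem) >= 2 and mem[0] == 0xEB:                      # short JMP (hot-patch point)
        rel = struct.unpack_from("<b", mem, 1)[0]
        return "jmp rel8", (addr + 2 + rel) & 0xFFFFFFFF
    return None


def scan_exports(snapshot: Snapshot) -> Dict[str, dict]:
    """Report each export as clean, hooked (with kind and target) or modified."""
    report: Dict[str, dict] = {}
    for name, (addr, mem, disk) in snapshot.items():
        if mem == disk:
            report[name] = {"status": "clean"}
            continue
        hook = decode_hook(addr, mem)
        if hook is None:
            report[name] = {"status": "modified", "kind": "unknown patch"}
        else:
            kind, target = hook
            report[name] = {"status": "hooked", "kind": kind, "target": target}
    return report


if __name__ == "__main__":
    for name, result in scan_exports(SAMPLE_SNAPSHOT).items():
        extra = f" -> {result['target']:#010x} ({result['kind']})" if result["status"] == "hooked" else ""
        print(f"{name}: {result['status']}{extra}")
```

A decoded target that falls outside any loaded module's image range, or inside a module with no file on disk, is the usual confirmation that the redirect belongs to injected code rather than to a legitimate compatibility shim.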
Communicates with remote server
Trojan:Win32/Bamital tries to contact a predefined remote server to report the infection. One observed website domain is "smartcontrol.info".
Analysis by Shawn Wang