Trojan:Win32/Bamital.G


Trojan:Win32/Bamital.G is a trojan component that executes a payload component installed by TrojanDropper:Win32/Bamital.G.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product.
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
Trojan:Win32/Bamital.G is installed by TrojanDropper:Win32/Bamital.G and may be present as the following:
 
%ALLUSERSPROFILE%\Documents\Server\shhlp.dll
 
Payload
Executes dropped malware
Trojan:Win32/Bamital.G loads the following payload component previously installed by TrojanDropper:Win32/Bamital.G:
 
<system folder>\hlp.dat
 
Trojan:Win32/Bamital.G reads the payload component code into memory and executes the code immediately. The payload code is used to monitor and modify web search queries and display its own online advertisements.
Additional Information
For more information about TrojanDropper:Win32/Bamital.G, see the description elsewhere in the encyclopedia.
Analysis by Shawn Wang

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    %ALLUSERSPROFILE%\Documents\Server\shhlp.dll
    <system folder>\hlp.dat
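
The file indicators listed above can be checked with a short triage script. This is an added example, not part of the original entry and not Microsoft tooling. The function name is hypothetical, and treating "<system folder>" as both System32 and SysWOW64 is an assumption.

```powershell
# Added triage example. The two file paths come from the entry above;
# mapping "<system folder>" to System32 and SysWOW64 is an assumption.
# Run from 64-bit PowerShell so System32 is not redirected to SysWOW64.
function Get-BamitalGFileIndicator {
    [CmdletBinding()]
    param(
        # Overridable so the check can be pointed at a mounted disk image.
        [string]$AllUsersProfile = $env:ALLUSERSPROFILE,
        [string[]]$SystemFolder = @(
            [Environment]::GetFolderPath('System'),
            [Environment]::GetFolderPath('SystemX86')
        )
    )

    $candidates = @(
        [pscustomobject]@{
            Role = 'Loader (shhlp.dll)'
            Path = Join-Path $AllUsersProfile 'Documents\Server\shhlp.dll'
        }
    )
    foreach ($dir in ($SystemFolder | Where-Object { $_ } | Select-Object -Unique)) {
        $candidates += [pscustomobject]@{
            Role = 'Payload (hlp.dat)'
            Path = Join-Path $dir 'hlp.dat'
        }
    }

    foreach ($c in $candidates) {
        # -Force so hidden or system attributes do not mask the file.
        $item = Get-Item -LiteralPath $c.Path -Force -ErrorAction SilentlyContinue
        if (-not $item) {
            [pscustomobject]@{ Role = $c.Role; Path = $c.Path; Present = $false }
            continue
        }
        # Collect metadata for the incident record before any cleanup.
        [pscustomobject]@{
            Role        = $c.Role
            Path        = $item.FullName
            Present     = $true
            Length      = $item.Length
            CreatedUtc  = $item.CreationTimeUtc
            ModifiedUtc = $item.LastWriteTimeUtc
            Attributes  = $item.Attributes
            SHA256      = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            Signature   = (Get-AuthenticodeSignature -LiteralPath $item.FullName).Status
        }
    }
}

Get-BamitalGFileIndicator | Format-List
```

A file at one of these paths is an indicator, as the entry says, not a confirmation; follow a hit with a full antivirus scan.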

Alert level: Severe
First detected by definition: 1.87.2027.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Aug 16, 2010
This entry was first published on: Oct 14, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • TR/Shutdowner.etd (Avira)
  • Trojan.Hottrend.25 (Dr.Web)
  • Win32/Bamital.DT (ESET)
  • Trojan.Win32.Shutdowner.etd (Kaspersky)
  • Trojan.Shutdowner.ABM (Norman)
  • Trojan.Bamital (Symantec)