
TrojanDropper:Win32/Bamital.C


TrojanDropper:Win32/Bamital.C is a component of Win32/Bamital - a family of trojans intended to monitor and modify Internet search queries and display advertisements. It affects users of the Internet Explorer, Opera, and Firefox browsers.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product (see the link below for a list of vendors):
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
Additional remediation instructions for TrojanDropper:Win32/Bamital.C
This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For this threat those changes include the renamed copies of winlogon.exe and explorer.exe and the disabled System Restore setting described under Threat behavior. For more information on returning an infected computer to its pre-infected state, please see the following article(s): 

Threat behavior

TrojanDropper:Win32/Bamital.C is a component of Win32/Bamital - a family of trojans intended to monitor and modify Internet search queries and display advertisements. It affects users of the Internet Explorer, Opera, and Firefox browsers.
Payload
Drops other malware
TrojanDropper:Win32/Bamital.C drops the following files:
 
<system folder>\hlp.dat - detected as Trojan:Win32/Bamital.C
%AppData%\Windows Server\sphlp.dll - also detected as Trojan:Win32/Bamital.C
 
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default location of the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista, and 7 it is C:\Windows\System32.
 
Renames legitimate files
TrojanDropper:Win32/Bamital.C attempts to modify the following legitimate Windows files:
 
  • winlogon.exe
  • explorer.exe
  • iexplore.exe
 
The modified files are all detected as Virus:Win32/Bamital.C.
 
TrojanDropper:Win32/Bamital.C saves copies of the original files in a temporary location by creating the following registry entries. PendingFileRenameOperations is a list of file moves that the Session Manager carries out early in the next boot, before the files are in use, which is how the dropper is able to replace winlogon.exe and explorer.exe even though they are locked while Windows is running:
 
Adds value: "PendingFileRenameOperations"
With data: "%windir%\temp\winlogon.dat"
In subkey: HKLM\System\CurrentControlSet\Control\Session Manager
 
Adds value: "PendingFileRenameOperations"
With data: "%windir%\temp\explorer.dat"
In subkey: HKLM\System\CurrentControlSet\Control\Session Manager
 
Note: The original copies of "explorer.exe" and "winlogon.exe" are saved to "%windir%\temp" by the virus as "explorer.dat" and "winlogon.dat" respectively.
 
Modifies computer settings
TrojanDropper:Win32/Bamital.C creates the following registry entry to disable System Restore:
 
Adds value: "FirstRun"
With data: "1"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\sr\Parameters
Additional information
TrojanDropper:Win32/Bamital.C also drops the following text file:
 
  • %AppData%\Windows Server\admin.txt
 
Analysis by Jireh Sanico

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following file:
    %AppData%\Windows Server\admin.txt
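The indicators listed under Threat behavior and Symptoms, gathered into a single read-only triage script. This is an added example written for this page, not a Microsoft tool or part of the original entry. It assumes an elevated PowerShell prompt and PowerShell 4.0 or later (for Get-FileHash); the variable names are the author's own. File paths, registry keys and values are those given in the entry.

```powershell
# Triage check for the Win32/Bamital.C indicators described on this page.
# Added example (not Microsoft's code). Read-only: it reports, it does not clean.
# Assumes an elevated prompt and PowerShell 4.0+ (Get-FileHash).

$indicators = @()

# 1. Dropped files and the .dat backups of the originals (paths from the entry)
$system32 = [Environment]::GetFolderPath('System')
$dropped = @(
    (Join-Path $system32 'hlp.dat'),
    (Join-Path $env:APPDATA 'Windows Server\sphlp.dll'),
    (Join-Path $env:APPDATA 'Windows Server\admin.txt'),
    (Join-Path $env:windir 'temp\winlogon.dat'),
    (Join-Path $env:windir 'temp\explorer.dat')
)
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) { $indicators += "File present: $f" }
}

# 2. Rename operations queued for the next boot that reference the .dat copies.
#    PendingFileRenameOperations is REG_MULTI_SZ, so Get-ItemProperty returns string[].
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
foreach ($entry in @($pending)) {
    if ($entry -match 'winlogon\.dat|explorer\.dat') {
        $indicators += "PendingFileRenameOperations entry: $entry"
    }
}

# 3. The System Restore parameter the dropper sets
$srKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\sr\Parameters'
$firstRun = (Get-ItemProperty -Path $srKey -Name FirstRun -ErrorAction SilentlyContinue).FirstRun
if ($firstRun -eq 1) { $indicators += "FirstRun=1 under $srKey" }

# 4. Integrity of the three binaries the dropper modifies.
#    An infected copy no longer carries a valid Microsoft signature, and where the
#    dropper left a .dat backup, the live file's hash will differ from the backup's.
$targets = @{
    (Join-Path $system32 'winlogon.exe')                      = (Join-Path $env:windir 'temp\winlogon.dat')
    (Join-Path $env:windir 'explorer.exe')                    = (Join-Path $env:windir 'temp\explorer.dat')
    (Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe') = $null
}
foreach ($live in $targets.Keys) {
    if (-not (Test-Path -LiteralPath $live)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $live
    if ($sig.Status -ne 'Valid') {
        $indicators += "Authenticode status '$($sig.Status)' on $live"
    }

    $backup = $targets[$live]
    if ($backup -and (Test-Path -LiteralPath $backup)) {
        $liveHash   = (Get-FileHash -LiteralPath $live   -Algorithm SHA256).Hash
        $backupHash = (Get-FileHash -LiteralPath $backup -Algorithm SHA256).Hash
        if ($liveHash -ne $backupHash) {
            $indicators += "$live differs from its saved original $backup (live $liveHash, backup $backupHash)"
        }
    }
}

if ($indicators.Count -eq 0) {
    'No Win32/Bamital.C indicators found.'
} else {
    'Possible Win32/Bamital.C infection:'
    $indicators | ForEach-Object { "  $_" }
}
```

Two caveats when reading the output. On Windows 7 and earlier, Get-AuthenticodeSignature does not consult catalog signatures, so system binaries that are only catalog-signed report NotSigned even when clean; on those systems rely on the hash comparison and on `sfc /verifyonly` rather than on the signature status alone. And because the renames are applied by the Session Manager at boot, a host can carry the PendingFileRenameOperations entries and the .dat files before winlogon.exe or explorer.exe has actually been replaced, so treat the queued rename itself as the indicator and do not reboot until it has been cleared.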

Prevention


Alert level: Severe
First detected by definition: 1.87.2027.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Aug 16, 2010
This entry was first published on: Aug 24, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • W32/Dropper.AC.gen!Eldorado (Command)
  • Trojan-Dropper.Win32.Drooptroop.dwk (Kaspersky)
  • Trojan.Drooptroop.Gen.9 (VirusBuster)
  • TR/Drop.Drooptroop.dwk.26 (Avira)
  • Win32/Drooptroop.A!generic (CA)
  • Trojan.Hottrend.24 (Dr.Web)